The story around today’s Petya (aka NotPetya) ransomware attack continues to evolve. Here’s what we know thus far.

Exploit

While some security firms have reported that Petya uses the EternalBlue exploit, the same one used in the recent WannaCry ransomware attack, not all researchers are ready to confirm this. What does seem clear is that Petya targets the SMBv1 vulnerabilities patched by MS17-010 and propagates quickly over SMBv1. The kernel-mode exploit code has also been rewritten rather than lifted wholesale, which suggests the attackers behind Petya don't intend to repeat WannaCry's mistakes. Some researchers also report additional propagation mechanisms built in: the malware searches the infected host for credentials and then uses legitimate administrative tools to push itself to other machines on the network. That second path does not depend on the SMB bug at all, so patching MS17-010 alone does not stop it; a host that accepts stolen domain credentials can still be infected from a compromised neighbour.

There are also questions around the use of an exploit for another Microsoft vulnerability, CVE-2017-0199 (the remote code execution bug in Office's handling of RTF documents), for which a patch was released back in April. Whether or not Petya turns out to exploit it, treat both CVE-2017-0199 and MS17-010 as must-fix today: patch, and where you cannot patch yet, mitigate by disabling SMBv1 and blocking TCP port 445 at the perimeter and between network segments.
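The "patch or mitigate now" advice is easy to state and hard to verify across a fleet. The script below is an added example, not code from the original post or from Skybox, that audits a single Windows host for the two things that matter here: whether the SMBv1 server is still enabled, and whether an MS17-010 hotfix is present. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SmbShare and NetTCPIP cmdlets exist). The KB list is an assumption too: it contains only the Windows 7 / Server 2008 R2 packages and the out-of-band legacy package, so extend it from the MS17-010 bulletin for the builds you run.

```powershell
# Added example (not from the original post): audit a Windows host for SMBv1
# exposure and the MS17-010 fix, and optionally disable SMBv1 on the spot.
# Assumptions: elevated session, Windows 8 / Server 2012 or later.
# Caveat: Windows 8.1 and 10 receive this fix inside cumulative updates that
# supersede the KBs below, so an empty hotfix result on those builds is NOT
# proof the host is unpatched. SMBv1 state is the reliable signal everywhere.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Assumed starting list; extend from the MS17-010 bulletin for your OS builds.
    [string[]]$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215')
)

function Test-Smb1Enabled {
    # The server-side SMBv1 listener is what EternalBlue-style exploits talk to.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-Ms17010Hotfix {
    param([string[]]$Kbs)
    # Get-HotFix -Id writes an error for every ID that is absent, so pull the
    # full list once and filter it instead.
    Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID }
}

$smb1     = Test-Smb1Enabled
$hotfixes = Get-Ms17010Hotfix -Kbs $Ms17010Kbs

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    Smb1Enabled   = $smb1
    Ms17010Hotfix = ($hotfixes | ForEach-Object HotFixID) -join ','
    # Is anything actually listening on 445? If not, the SMB path is closed
    # regardless of patch state.
    Port445Listen = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
} | Format-List

if ($smb1 -and $Remediate) {
    # Turning off the SMBv1 server is Microsoft's recommended stopgap when the
    # patch has to wait. It takes effect for new sessions without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Warning "SMBv1 server disabled on $($env:COMPUTERNAME); confirm no legacy clients (old NAS, printers, scanners) relied on it."
} elseif ($smb1) {
    Write-Warning "SMBv1 is enabled; re-run with -Remediate to disable it, and install MS17-010."
}
```

Run it read-only first (`.\Audit-Ms17010.ps1`), then with `-Remediate` once you have checked for legacy SMBv1 dependencies. Remember that this only closes the SMB path; the credential-harvesting spread described above needs separate controls, such as removing local admin rights and restricting which accounts can log on remotely.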

Remember, WannaCry is also still active, having recently hit Honda and forced production lines to shut down. Killswitch or not, seriously, patch those vulns. All it takes is one unpatched machine.

Payload

According to Recorded Future, the first payload is the Petya ransomware itself, followed by a variant of LokiBot, a banking Trojan that extracts usernames and passwords from compromised computers. The attack then uses those stolen credentials to spread to other computers on the same network.

Pairing a credential-stealing Trojan with ransomware means an infected machine is not only rendered unusable but also looted of information before it is locked, Recorded Future notes.


Stay tuned to Skybox Security for more developments.


Resources

Register for the June 29 webinar on how Petya and attacks like it are changing the game in cybersecurity, and how you can pivot your approach to meet the challenge.

Protecting Against the Next WannaCry (surprise - it's Petya!): WannaCry was a wake-up call to the new era of distributed cybercrime attacks. See how Skybox can help you prepare for the next attack.

Take the threat-centric approach to vulnerability management. Download the whitepaper to start protecting your network with real-time threat intelligence and complete network context.