WannaCry Wakeup Call Not Heard?

It has been reported that a new malware strain called Petya is spreading by using a code execution vulnerability in Microsoft Office and WordPad (CVE-2017-0199) and then taking advantage of ETERNALBLUE (CVE-2017-0145), which is the same vulnerability exploited by the WannaCry malware.

Most people would agree that WannaCry was a pretty big event, and it should have served as a big wake-up call as to the risks and importance of patching or – if not possible – apply proper workarounds to mitigate risk. Unfortunately, the fast spread of Petya makes it pretty clear that regardless of the reasons for not updating systems, whether they were valid or not, many companies were unable to properly address things the first time around. The patch for ETERNALBLUE / WannaCry was released by Microsoft on March 14, 2017 and the patch for CVE-2017-0199 was released on April 11, 2017.

Neither of the vulnerabilities exploited by Petya are new. The vulnerability in Microsoft Office and WordPad, which exploits how OLE 2 Link objects in documents are permitted to request and execute HTA code, is known to have been exploited as far back as October of 2016 to deliver FinFisher / FinSpy malware and later the Dridex banking trojan. ETERNALBLUE, as we know, was also previously disclosed via NSA leaks and exploited by WannaCry. Microsoft not only provided a solution in March, but also released special fixes for older, unsupported versions of their operating system (Windows XP, Windows 8, and Windows Server 2003) in May 2017.

There have been a lot of conversations recently concerning the ability to patch for many organizations, and how it is not always possible. No matter where you stand in this debate, if your organization is running unpatched software you are at serious risk and not only to these recent RansomWare events. It is critical that all organizations, that are able, apply patches for these known vulnerabilities. If there is some legitimate reason for not patching, it is imperative to take other precautions and implement compensation controls to protect their systems and mitigate the risk. One such approach would be to stop using antiquated protocols such as SMBv1. It is 30 years old and even Microsoft has been warning against using it for a while – well before WannaCry.

More information will continue to be published by researchers and security firms as this event unfolds including what appears to be other techniques Petya is using for lateral movementBut to be clear, this is not the first and will not be the last systemic RansomWare event to occur, and we should all expect the next one to be an improvement of previous versions. Make sure that you are prepared!

Updates as of 5:45pm EST.

There has been a lot of analysis conducted on Petya since the initial infection started to spread. Here are some quick points of note:

  • Twitter user @0xAmit tweeted that he appears to find what he thought was a viable kill switch.
  • Some questions arise about where the kill switch needed to be located involving @HackingDave
  • Twitter user @hackerfantastic confirms that as long as you do not go past the CHKDSK message, files are safe and you can recover from a LiveCD.
  • @HackingDave confirms that if you block C:\Windows\perfc.dat from writing/executing – stops Petya
  • @0xAmit tweeted confirms that if you create a file called perfc with no extension in %windir% it will stop the ransomware from running
  • There is speculation that this is a Russian-based attack and that the ransom is not the motivation.
  • MalwareTech points out that Peyta is not as severe as WannaCry as it spreads via LAN, not Internet.