RED Systems Management & NotPetya (Petna) Ransomware


A new malware outbreak has occurred. It is referred to by names such as NotPetya and Petna (and still Petya, even though it isn't Petya) and appears to be an evolution of the WannaCry ransomware, but this time it shipped without a kill switch. Once it gains a foothold, the malware infects systems that are vulnerable to MS17-010 and spreads across Windows infrastructure.

More information on Microsoft Security Bulletin MS17-010 can be found here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

The Process of Infection

NotPetya begins its process by looking for a file in the %windir% directory called "perfc" with no file extension. It then attempts to extract and use an embedded copy of the SysInternals tool PSEXEC.EXE. This copy is carried inside another file called "DLLHOST.DAT", which is also written to the %windir% directory.

If PSEXEC cannot be used, it falls back to the WMI command-line tool (WMIC.exe), which is available on all Windows systems after Windows NT 4.

The process then uses a tweaked version of Mimikatz to extract network credentials cached on the running system and begins infecting subsequent systems. In short, it takes advantage of the fact that many organizations employ flat, non-air-gapped networks in which an administrator on one endpoint can control other machines, or harvest domain admin credentials present in memory, until the network is completely under its control.

Stopping the Initial Infection Before it Begins

Use RED Systems Management, available by itself or as part of the Rapid Enterprise Defense (RED) Suite, to quickly block access to the files NotPetya intends to use to infect you.

  1. Open RED Systems Management.
  2. Open your management set with all of your Windows systems.
  3. Click Manage | File Operations | File Lockout (Cratering).
  4. Click Add.
  5. In the Path to File on Remote Machine, type: \\%system%\admin$\perfc
  6. Click OK.
  7. Click Add, again.
  8. In the Path to File on Remote Machine, type: \\%system%\admin$\dllhost.dat
  9. Click OK to close the files dialog.
  10. Click OK to Lockout the files.

When you click OK, RED Systems Management will connect to all target machines. If the files are not present, empty files will be created in their stead. The ACL on the file will then be modified to DENY EVERYONE FULL CONTROL.
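The same lockout can be reproduced with PowerShell for environments where the console is not available. The script below is an added example, not code from RED Systems Management or Lieberman Software: it creates empty "perfc" and "dllhost.dat" files through each target's admin$ share (only if they are not already present, so an existing copy is preserved for forensics), denies Everyone Full Control, and reads the ACL back to confirm the deny entry. The host names are constructed placeholders; it assumes you hold administrative rights on every target.

```powershell
# Added example (not RED Systems Management code): file lockout ("cratering")
# of the NotPetya file names via the admin$ share, followed by verification.
# Assumes local admin rights on each target; host names below are constructed.
$targets   = @('HOST01', 'HOST02')          # constructed sample host names
$fileNames = @('perfc', 'dllhost.dat')      # file names from the article above

foreach ($computer in $targets) {
    foreach ($name in $fileNames) {
        $path = "\\$computer\admin$\$name"
        try {
            # Create an empty file only when none exists; a file that is already
            # there may be malware-written and should be kept for investigation.
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType File -Path $path -Force | Out-Null
            }

            $acl = Get-Acl -LiteralPath $path
            # Break inheritance so a permissive parent ACE cannot override the deny.
            $acl.SetAccessRuleProtection($true, $false)
            $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
            $acl.AddAccessRule($deny)
            Set-Acl -LiteralPath $path -AclObject $acl

            # Verify: the owner keeps implicit READ_CONTROL, so the DACL can still
            # be read back even though Everyone is denied.
            $denyPresent = (Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.IdentityReference -eq 'Everyone' -and $_.AccessControlType -eq 'Deny'
            }
            if ($denyPresent) {
                Write-Output "$path : locked out"
            } else {
                Write-Warning "$path : deny ACE not found after Set-Acl"
            }
        }
        catch {
            Write-Warning "$path : $($_.Exception.Message)"
        }
    }
}
```

Run it from an administrative PowerShell session; each target prints "locked out" or a warning naming the failure, which gives the per-machine feedback the article describes.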

Post-Prescription Remedy

Patch

Patch your computers with the updates described in MS17-010 to stop the SMB exploits.

Handle Your Legacy SMB Woes

You should also disable SMBv1 (you should have retired all your Server 2003, XP and earlier systems already, since they are no longer supported).

SMB versioning is controlled by registry entries that can be set by Active Directory Group Policy Preferences. For more information, see: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

Unfortunately, group policy provides no feedback on whether the policy applied successfully, and it may take several hours to take effect. RED Systems Management can apply the change proactively and immediately using the REGEDIT function. This provides immediate feedback of success or failure, and the change can also be verified with its registry reporting.

To use RED Systems Management to disable SMBv1 server components (be careful, as legacy systems like Server 2003 and XP and earlier cannot function without it!), follow these steps:


  1. Open RED Systems Management.
  2. Open your management set with all of your Windows systems.
  3. Select the target systems (be sure not to include XP/2003 and earlier systems!).
  4. Click the REGEDIT button in the lower left of the dialog.
  5. Set the type to: Single Key/Value
  6. Set the Key name to: HKEY_LOCAL_MACHINE
  7. Set the action to: Add/Update Key
  8. Set the subkey to: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  9. Set the Value Type to: REG_DWORD
  10. Set the Value Name to: SMB1
  11. Set the Edit Value field to: 0
  12. Click Apply.
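For reference, the registry change above can also be applied and verified with PowerShell remoting. This is an added example, not code from RED Systems Management: it writes SMB1=0 under LanmanServer\Parameters on each target, refuses to run on operating systems older than Vista/Server 2008 (the same legacy-system caveat as the steps above), and reads the value back so you get the per-host success or failure report that group policy does not provide. It assumes WinRM is enabled on the targets; the host names are constructed placeholders.

```powershell
# Added example (not RED Systems Management code): disable the SMBv1 server
# component via the registry on several hosts and report the result per host.
# Assumes WinRM is enabled; host names are constructed.
$targets = @('HOST01', 'HOST02')   # constructed sample host names

$report = Invoke-Command -ComputerName $targets -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Guard: Windows XP/Server 2003 (NT 5.x) cannot function without SMBv1.
    $os = [System.Environment]::OSVersion.Version
    if ($os.Major -lt 6) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; SMB1 = $null; Status = 'skipped: legacy OS' }
    }

    # Same key/value the REGEDIT steps set: REG_DWORD SMB1 = 0.
    New-ItemProperty -Path $key -Name 'SMB1' -PropertyType DWord -Value 0 -Force | Out-Null

    # Read it back rather than trusting the write.
    $value  = (Get-ItemProperty -Path $key -Name 'SMB1').SMB1
    $status = 'FAILED: value not 0'
    if ($value -eq 0) { $status = 'disabled (restart LanmanServer or reboot to apply)' }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; SMB1 = $value; Status = $status }
}

$report | Format-Table Host, SMB1, Status -AutoSize
```

On Windows 8/Server 2012 and later, Get-SmbServerConfiguration (the EnableSMB1Protocol property) reports the effective server setting and is a useful second check after the service restart.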


Remove Persistent Admin Access

RED Systems Management can be used to proactively control local and domain group membership en masse. This process helps stop the re-use of high-powered credentials. These items are managed in many ways using the Local Members and Global Members functionality in RED Systems Management.

If elevated access is later required, use RED Identity Management (RED IM: https://liebsoft.com/red-identity-management/) to temporarily elevate a credential to a minimally privileged group and later have that privilege removed. This process can be entirely self service or tied to a workflow and request process.

Use RED Identity Management to randomize all shared and service account credentials. RED IM can also help you remove the need for persistent administrative access that allows this type of infection to spread by giving time limited access to specific accounts or privileged sessions.
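To see why persistent local admin membership matters for this outbreak, it helps to enumerate who actually holds it. The script below is an added example, not code from RED Systems Management or RED Identity Management: it lists the local Administrators group on each target, flags every member not on an approved list, and shows how the extra members would be removed, using -WhatIf so nothing changes until you drop it. It assumes WinRM and Windows 10 / Server 2016 or later (for Get-LocalGroupMember); the host names, domain and group names are constructed placeholders.

```powershell
# Added example (not RED code): audit local Administrators membership across
# hosts and stage removal of unapproved members. Host and group names below
# are constructed; assumes WinRM and the LocalAccounts module (Win10/2016+).
$targets  = @('HOST01', 'HOST02')                                     # constructed
$approved = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')  # constructed

$findings = Invoke-Command -ComputerName $targets -ArgumentList (,$approved) -ScriptBlock {
    param([string[]]$Approved)
    # The built-in local Administrator is reported as HOSTNAME\Administrator.
    $allowed = $Approved + "$env:COMPUTERNAME\Administrator"
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            Member     = $_.Name
            Class      = $_.ObjectClass
            Unexpected = ($allowed -notcontains $_.Name)
        }
    }
}

# Report: every member that is not on the approved list.
$findings | Where-Object Unexpected | Format-Table Host, Member, Class -AutoSize

# Enforcement, to be run only after the report has been reviewed. -WhatIf
# prints what would be removed; drop it to actually remove the members.
$findings | Where-Object Unexpected | Group-Object Host | ForEach-Object {
    $hostName = $_.Name
    $members  = @($_.Group.Member)
    Invoke-Command -ComputerName $hostName -ArgumentList (,$members) -ScriptBlock {
        param([string[]]$Members)
        foreach ($m in $Members) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf
        }
    }
}
```

Accounts that turn up as unexpected here are exactly the standing privileges that let an infected endpoint's cached credentials reach the next machine; keeping the approved list short and rotating what remains is the point of the recommendations above.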

What Next?

We are always happy to show you how this works. Please contact sales@liebsoft.com to schedule a demonstration, or visit https://liebsoft.zendesk.com for help on using these features.
