A new malware Nyetya (combination of words from Nye Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye has been spreading globally over the last 24 hours.
This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is an evolving space. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.
Other popular researchers (links below) say Nyetya is more of a nation (state) attack towards a specific country (Ukraine) that is disguised as ransomware so its true nature would remain hidden in the shadow of recent WannaCry ransomware.
Some Characteristics of Nyetya and why it is different
- There is recent research that showed Nyetya, despite having major resemblance to Petya ransomware, in fact does not keep a copy of the encrypted MTL (Master File Table) and MBR (Master Boot Record) that it replaces with the random note. That means that even in the case that the user gets its decryption keys there is nothing to decrypt. This behavior resembles specific type of malware called Wiper Malware. All machines that are infected cannot be recovered. Also, the email for contract with the attackers is now disabled so there is no possibility for getting the decryption keys. Obviously, the attackers have not intended to milk the ransom and get rich for their efforts.
- It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) were encrypting specific file extensions
- It does not use a common attack vector from the Internet
It does not infect by scanning ports for vulnerable services, nor uses phishing (mails with crafted content with specific covert malware links), nor file attachments or web sites that host malicious content. Instead the initial way in was via an update in a polular accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside it uses the Eternal Blue (SMBv1) exploit to spread (same as WannaCry) but also two other administrative tools (PSexec and WMI) which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and use it to distribute itself to other devices via PSexec (still unclear how it is able to steal the token) or again to steal the current user credentials and use them via WMI.
- No external Internet scans
There is no evidence of external scans (from the internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect as most organisations do not have visibility within their network for such activity
- No Command and Control functionality
The virus does not use C&C so any reputation based security controls cannot detect it. IP addresses/domains reputation is widely used to detect zero-day attacks and to monitor the spread of the virus. That does not seem feasible protection from Nyetya
- Special attention has been paid to cleaning up any remaining data and logs
All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.
Protecting yourself from the attack
A short summary of techniques necessary to protect against the attacks are listed below. These cannot be undertaken in isolation and it is assumed that good security practices are already in place such as disaster recovery strategy as well security control such anti-malware controls.
- Patch your systems (MS17-010 should be applied), close off any SMBv1 services (disable)
- Do not use admin/elevated privileged accounts for normal users
- Monitor your network and endpoints for PSexec and WMI communication and try to establish if that is valid communication (could be based on which one the administrators use and also the time of the day)
- Monitor your internal network segments using an IDS/IPS
Which type of network security controls are best suited to discover and prevent malware spread?
While other forms of malware attack may have been stopped by reputation based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyse the behaviour of executable files on the system and perform sandboxing.
IDS/IPS network controls are able to catch lateral scans and spread via SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain). The most common IDS/IPS deployment model is on the Internet edge, as this malware does not use external scans or gets distributed via normal Internet related channels (mail and web) these controls are not effective.
Following general security best practises is also beneficial – having backup of important systems/files, having proper application visible monitoring on the network and trying to detect unusual behavior, that of course requires both the tools and the people (analyst).