Alert Logic® is actively researching the PetrWrap (also known as NotPetya) server-side ransomware attack. This attack has significant infection capability and has been seen to infect several organizations around the globe in June 2017. The PetrWrap server-side ransomware utilizes similar attack vectors and propagation techniques from a previous server-side ransomware campaign – WannaCry. The principal propagation mechanism is the EternalBlue tool exploit for SMB, which was disseminated as part of the ShadowBrokers release earlier in the year. PetrWrap is known to expand on WannaCry by showing an added level of complexity and employing a larger number of failover propagation mechanisms if EternalBlue is not successful.
Alert Logic Coverage
Alert Logic has had coverage for EternalBlue in place since March 2017, and this coverage has been confirmed as successfully detecting PetrWrap propagation. This coverage includes scanning, active intrusion detection, and incident creation.
Signatures have been deployed in Alert Logic Cloud Defender™ for EternalBlue since mid-April 2017. Incidents are generated by Alert Logic for successful execution of these threats. Further, the Alert Logic ActiveWatch™ team is actively monitoring for these threats.
Signatures for scanning and detecting the EternalBlue vulnerability have been deployed in Alert Logic Threat Manager™ and Alert Logic Cloud Insight™ since mid-April 2017.
For more information on EternalBlue and related Alert Logic coverage, refer to our Shadow Brokers Release of Equation Group Toolset knowledge base article.
For more information on the WannaCry (also known as WannaCryptor) server-side ransomware attack and coverage, refer to our WannaCryptor Server-Side Ransomware Threat knowledge base article.
Recommendations for Mitigation
The best action for preventing the PetrWrap server-side ransomware attack is a strong patch management policy. The patch for this vulnerability for Windows XP systems and newer can be found in the Microsoft Update Catalog.
Other recommended mitigation actions include:
- Placing the file perfc.dat in the C:\Windows\ directory, which will stop encryption of files provided that the infected user does NOT have administrative privileges. This action stops encryption but the server-side ransomware can still propagate.
- Running a detailed vulnerability scan against all systems in your environments to identify systems missing the MS17-010 security update.
- Disabling SMB in Windows unless absolutely necessary and ensuring that SMB is not accessible via open Internet.
- Establishing strict needs-based access to network resources and segment networks where possible.
- Backing up your data using offline media points.
- Following client-side hygiene practices and following OS vendor advice for baseline security.
- Verifying that AV/malware protection is running and up to date.
- Keeping current with Alert Logic and our network, web application, scan, and log alerts.
If an infection is confirmed, the server-side ransomware is known to utilize a timer before it reboots. This timer has been observed as being as large as one hour, and encryption only occurs after the reboot. If an infected host is manually shut down (rather than rebooted), then encryption does not occur and the infection can be removed from the victim system.
We will update this section with new information about the PetrWrap attack and related Alert Logic coverage as it becomes available.