A new variant of the Petya malware family was discovered on Tuesday 27th June 2017. The Petya family itself is not new: it was first seen and classified in March 2016, and Juniper researchers have blogged about it before. That earlier version of Petya was sold to cybercriminals as a service (Ransomware-as-a-Service, or RaaS), so buyers did not have to develop their own malware.
If you're not quite sure what Petya is, in simple terms it is a malicious program that encrypts the data on your computer so that neither you nor the computer can read it. Unless you have a backup, that data is lost to you, and the criminals demand money in exchange for a key to unlock it.
This new variant combines techniques already seen in the WannaCry outbreak (the MS17-010 SMB exploits from the leaked NSA toolset, EternalBlue among them) with additional techniques of its own to spread across vulnerable hosts and networks. Most researchers are calling it a Petya variant, while some argue for a separate name such as "NotPetya" or "GoldenEye", because it shares some Petya-like traits but adds the modifications above to make it considerably more effective. Whatever the name, it has already hit 2,000+ targets, seizing the systems of high-profile victims such as Danish shipping giant Maersk, US pharmaceutical company Merck, and many private and public institutions around the world.
Once the ransomware takes effect it overwrites the boot record and encrypts the machine's storage, then tells the user that the only way to recover the data is to pay a ransom in Bitcoin equivalent to roughly US$300. It is important to note that there is no confirmation that any payment made so far has resulted in successful decryption. The attackers require the victim to e-mail proof of the Bitcoin payment to a single address, and that address has since been suspended by its e-mail provider, so even a victim who pays has no way to receive a key.
How Petya learnt from WannaCry’s mistakes
WannaCry hit the business world seven weeks ago, and it seems the team behind this new Petya variant has learnt the lessons WannaCry taught the world. The two have much in common: both spread quickly and both successfully hit high-profile targets such as large multinational companies and critical infrastructure providers.
WannaCry, however, had a number of design flaws. Its authors (widely attributed to North Korea) appear never to have finished the project, and it relied almost entirely on EternalBlue, one of the stolen NSA exploits released by the Shadow Brokers. Those flaws let researchers, activists and white hats find counters within days, most notably the unregistered kill-switch domain whose registration halted its spread, and the outbreak fizzled out. The new Petya variant has not repeated those mistakes.
How Juniper Networks protected its customers
To verify that Juniper Networks had protected its customers and partners, Juniper began a manual analysis of Petya samples (as seen in the wild) in its lab straight away. At 1.38pm on Tuesday 27th June 2017 Juniper reported that it was able to detect and prevent infection using its Sky ATP (Advanced Threat Prevention) and IDP (Intrusion Detection and Prevention) technologies.
For Juniper SRX and IDP customers, MS17-010 is covered by multiple CVEs (Common Vulnerabilities and Exposures) and their corresponding signatures. You should ensure the following IDP signatures are enabled in your environment:
SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution
SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write
SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure
SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution
SMB: Malformed Message
Additionally, the Microsoft Office exploit (CVE-2017-0199) is covered by IDP signature HTTP : STC : DL : CVE-2017-0199-RCE, available from signature pack 2860 onwards.
If your IDP signatures were not up to date, or if they did not cover this attack (which, as shown above, they did), Juniper would still have protected your environment using its Advanced Threat Prevention technology (Sky ATP). Sky ATP ran the samples through behavioural sandbox analysis and deemed them malicious in real time. Customers who had also deployed Juniper's Software Defined Secure Network (SDSN) would have had the infected endpoint disconnected from the network automatically, stopping its lateral movement.
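Both the MS17-010 SMB signatures listed above and the outbreak itself depend on hosts that still answer SMBv1 on TCP/445, so a quick inventory of SMBv1 exposure is a useful complement to IDP coverage. The following is an added example written for this post; it is not Juniper's or Westcoast's code and is not exploit code. It sends a single CIFS NEGOTIATE request (the exchange defined in MS-CIFS) and classifies the reply, so a host that still speaks the "NT LM 0.12" dialect is flagged as SMBv1-enabled. The host names come from the command line, and the response bytes used in the self-test are constructed here for illustration.

```python
"""SMBv1 dialect probe (added example, not code from the original post)."""
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
# Dialects offered in the request; Windows picks the highest one it supports.
SMB1_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]


def smb1_header(command, flags=0x18, flags2=0x0001):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    signature, reserved, TID, PID, UID, MID (all little-endian)."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       b"\xffSMB", command, 0, flags, flags2, 0,
                       b"\x00" * 8, 0, 0, 0, 0, 0)


def netbios_wrap(smb):
    """NetBIOS session service header: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """SMB_COM_NEGOTIATE request: WordCount=0, ByteCount, then the dialect list,
    each entry prefixed with 0x02 and NUL-terminated."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return netbios_wrap(smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body)


def parse_negotiate_response(data, dialects=SMB1_DIALECTS):
    """Classify a NEGOTIATE response. Returns (verdict, dialect_or_None)."""
    if len(data) < 4 + 32 + 3:               # NetBIOS hdr + SMB hdr + WordCount + DialectIndex
        return ("malformed", None)
    smb = data[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return ("not_smb1", None)
    status = struct.unpack_from("<I", smb, 5)[0]
    if status != 0:
        return ("error_status", None)
    word_count = smb[32]
    if word_count == 0:
        return ("malformed", None)
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:               # server accepted none of our dialects
        return ("no_common_dialect", None)
    if dialect_index >= len(dialects):
        return ("malformed", None)
    return ("smb1_enabled", dialects[dialect_index])


def probe_smb1(host, port=445, timeout=3.0):
    """Send one NEGOTIATE to host:port and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except OSError as exc:                    # includes socket.timeout and connection refused
        return ("unreachable", str(exc))
    if not data:
        return ("closed_without_reply", None)  # typical when SMBv1 is disabled on the host
    return parse_negotiate_response(data)


# --- constructed sample replies for offline checking (not captured traffic) ---

def build_sample_response(dialect_index):
    """NT LM 0.12-style reply: WordCount=17, 34 bytes of parameters, then
    an 8-byte challenge and a UTF-16 domain name."""
    params = struct.pack("<HBHHIIIIqhB", dialect_index, 3, 50, 1, 16644,
                         65536, 0, 0x8000E3FD, 0, 0, 8)
    body = bytes(range(1, 9)) + "WORKGROUP\x00".encode("utf-16-le")
    smb = (smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([17]) + params
           + struct.pack("<H", len(body)) + body)
    return netbios_wrap(smb)


def build_rejected_response():
    """Reply when no dialect matched: WordCount=1, DialectIndex=0xFFFF, ByteCount=0."""
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([1]) + struct.pack("<HH", 0xFFFF, 0)
    return netbios_wrap(smb)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, *probe_smb1(target))
```

Run it as `python smb1_probe.py host1 host2 ...` against your own address ranges. A result of `smb1_enabled NT LM 0.12` means the host will still negotiate SMBv1 and, unless MS17-010 is installed, is exactly the kind of machine this outbreak spreads to; `closed_without_reply` or `no_common_dialect` is what you want to see.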
As Petya has historically been distributed via spam campaigns, Juniper Networks also manually analysed a malicious e-mail carrying the Petya payload. Using Sky ATP's inspection techniques, Juniper analysed and identified both the e-mail and the malware. As expected, Sky ATP detected it and displayed its analysis of the e-mail and the Petya sample, as shown below.
Juniper SkyATP detection via email
Westcoast and Juniper will continue to update their respective blogs as additional information becomes available. We plan to release a full breakdown in due course to help our Channel Partners understand the situation fully and protect their customers going forward.
If you’d like to discuss this or how to protect your organisation with Juniper Networks then give the Juniper team at Westcoast Ltd a call on 0118 912 6000 or email us at Juniper@westcoast.co.uk