Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.

Issue
The recent wave of attacks by the malware known as NotPetya, initially reported as ransomware, spread rapidly after initial infection because of non-segmented ("flat") networks. It is reported to have first hit Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, financial, health-care or other components of critical infrastructure.

Whereas the Petya ransomware that first emerged last year was genuine ransomware, the variant that wormed its way through flat networks in June 2017 (NotPetya) provides no way to decrypt the data it encrypts. As such, InGuardians classifies it as wiperware.

NotPetya uses several vectors for initial infection and for spreading afterwards. It does use the NSA exploits EternalBlue and EternalRomance, which Microsoft addressed in security update MS17-010, but it also leverages vectors that do not depend on the target being unpatched. It carries a credential-dumping module derived from mimikatz's LSADump, used to recover passwords from memory with the aim of gaining administrative access locally and eventually at the domain level. It then reuses those credentials to execute itself on other hosts through PsExec and through WMI (remote process creation via wmic.exe).

Many of the people responsible for network security believed they were patched against the NSA exploits, and in many cases they were. Patching alone was not enough. NotPetya has multiple initial infection vectors, including phishing, and even where one of the NSA exploits was the initial vector on an unpatched machine, the credential-based vectors let it spread unhindered through flat networks full of otherwise fully patched systems.
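The credential-based spread described above leaves ordinary Windows event-log evidence: a PsExec service installation (System event 7045), wmic.exe remote process creation and payloads launched by the WMI provider host (Security event 4688, with command-line auditing enabled), and privileged accounts logging on over the network from ordinary workstations (Security event 4624, logon type 3). The following is an added hunting example, not InGuardians' or NotPetya's code, run over constructed sample events shaped like Get-WinEvent output; the admin account names, the management subnet 10.0.100.0/24, host names and timestamps are assumptions.

```powershell
# Added example (not InGuardians' code): flag the PsExec / WMI / credential-reuse
# telemetry that NotPetya-style lateral movement produces on a Windows host.
# Assumptions: 4688 events carry CommandLine (process command-line auditing on);
# $AdminAccounts and $ManagementSubnetPattern are hypothetical site values.

function Find-LateralMovement {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $AdminAccounts = @('CORP\da-admin', 'CORP\svc-deploy'),   # hypothetical
        [string]   $ManagementSubnetPattern = '^10\.0\.100\.'                 # hypothetical
    )
    foreach ($e in $Events) {
        $hit = $null; $detail = $null
        switch ($e.Id) {
            7045 {
                # PsExec (including NotPetya's bundled copy) installs a service named PSEXESVC
                # by default; a renamed PsExec changes the service name, so watch the binary too.
                if ($e.ServiceName -match '^PSEXESVC' -or $e.ImagePath -match 'PSEXESVC\.exe$') {
                    $hit = 'PsExec service installation'; $detail = "$($e.ServiceName) -> $($e.ImagePath)"
                }
            }
            4688 {
                $proc   = [IO.Path]::GetFileName($e.NewProcessName)
                $parent = [IO.Path]::GetFileName($e.ParentProcessName)
                if ($proc -ieq 'wmic.exe' -and $e.CommandLine -match '(?i)/node:.*process\s+call\s+create') {
                    $hit = 'Remote process creation via wmic'; $detail = $e.CommandLine
                } elseif ($parent -ieq 'WmiPrvSE.exe' -and $proc -in 'rundll32.exe', 'cmd.exe', 'powershell.exe') {
                    $hit = 'Payload launched by the WMI provider host'; $detail = $e.CommandLine
                }
            }
            4624 {
                # A privileged account arriving over the network (type 3) from a non-management
                # address is what harvested credentials look like when replayed against peers.
                $account = "$($e.TargetDomainName)\$($e.TargetUserName)"
                if ([int]$e.LogonType -eq 3 -and $account -in $AdminAccounts -and
                    $e.IpAddress -notmatch $ManagementSubnetPattern) {
                    $hit = 'Admin network logon from outside the management subnet'; $detail = "$account from $($e.IpAddress)"
                }
            }
        }
        if ($hit) {
            [pscustomobject]@{ Time = $e.TimeCreated; Host = $e.Computer; EventId = $e.Id; Indicator = $hit; Detail = $detail }
        }
    }
}

# Constructed sample telemetry (not real logs). perfc.dat was NotPetya's dropped DLL name;
# the rest of each line is made up for the example.
$SampleEvents = @(
    [pscustomobject]@{ Id = 7045; Computer = 'WS-0142'; TimeCreated = '2017-06-27T08:02:11'; ServiceName = 'GoogleUpdater'; ImagePath = 'C:\Program Files\Google\Update\GoogleUpdate.exe' }
    [pscustomobject]@{ Id = 7045; Computer = 'WS-0142'; TimeCreated = '2017-06-27T10:31:04'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS-0142'; TimeCreated = '2017-06-27T09:15:40'; NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe notes.txt' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS-0142'; TimeCreated = '2017-06-27T10:31:20'; NewProcessName = 'C:\Windows\System32\wbem\wmic.exe'; ParentProcessName = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'wmic.exe /node:"10.0.23.58" /user:"CORP\da-admin" /password:"<redacted>" process call create "rundll32.exe C:\Windows\perfc.dat,#1"' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS-0143'; TimeCreated = '2017-06-27T10:31:22'; NewProcessName = 'C:\Windows\System32\rundll32.exe'; ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'rundll32.exe C:\Windows\perfc.dat,#1' }
    [pscustomobject]@{ Id = 4624; Computer = 'WS-0143'; TimeCreated = '2017-06-27T10:31:21'; TargetDomainName = 'CORP'; TargetUserName = 'jdoe';     LogonType = 3; IpAddress = '10.0.23.57' }
    [pscustomobject]@{ Id = 4624; Computer = 'WS-0143'; TimeCreated = '2017-06-27T10:31:21'; TargetDomainName = 'CORP'; TargetUserName = 'da-admin'; LogonType = 3; IpAddress = '10.0.23.57' }
    [pscustomobject]@{ Id = 4624; Computer = 'WS-0143'; TimeCreated = '2017-06-27T07:45:02'; TargetDomainName = 'CORP'; TargetUserName = 'da-admin'; LogonType = 3; IpAddress = '10.0.100.5' }
)

Find-LateralMovement -Events $SampleEvents | Sort-Object Time | Format-Table -AutoSize
```

Against the sample set this reports four findings (the PSEXESVC install, the wmic command, the rundll32 child of WmiPrvSE.exe, and the domain admin logging on to a workstation from another workstation) and ignores the benign events. For live data, pull events with Get-WinEvent -FilterHashtable (for example @{LogName='System'; Id=7045}) and map each event's Properties array onto the field names used here; the 4624 check is only meaningful once you know which accounts are privileged and which subnet your administrators work from.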

Impact
NotPetya infections spread rapidly across non-segmented, or "flat," networks by stealing credentials and abusing the privileges and trust those credentials carry. The technical result is encrypted or overwritten data on infected systems that cannot be recovered, because the malware offers no working decryption. The business impact has been a shutdown of operations at many of the impacted targets.

Recommendations
The one issue common to the spread of NotPetya is networks that are not segmented with access controls. Networks that are only logically segmented (for example, into VLANs) are still flat networks if nothing restricts traffic between the segments. When access controls restrict traffic from traversing network segments, hosts are well isolated, and this stymies infections of this type by containing them to a single host or portion of the network.

InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs. In particular, workstations rarely need to accept SMB, RPC or WMI connections from other workstations; those services should be reachable only from management hosts. InGuardians also recommends using Group Policy within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, so that credentials harvested from one compromised internal system cannot be reused against its peers. These tactics are highly recommended to defend against modern malware attacks like NotPetya.
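One way to carry out the host-based isolation recommended above on a domain workstation, using the built-in Windows Firewall. This is an added example and not InGuardians' own tooling; the management subnet 10.0.100.0/24 and the rule names are assumptions, the display-group names are those of an English-language Windows build, and the same settings would normally be pushed to every workstation through Group Policy rather than run by hand.

```powershell
# Added example (not InGuardians' code): host-based isolation with the NetSecurity
# module (Windows 8 / Server 2012 and later). SMB (445, 139), the RPC endpoint mapper
# (135) and WMI's dynamic RPC ports accept connections only from a management subnet.
# Run elevated. Assumption: 10.0.100.0/24 is where administrators and jump hosts live.

function Set-WorkstationIsolation {
    [CmdletBinding()]
    param([string[]] $ManagementSubnet = @('10.0.100.0/24'))   # hypothetical management subnet

    # 1. Deny inbound by default on every profile; outbound is left alone.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # 2. Disable the stock allow rules that let any LAN host reach SMB, WMI and the
    #    service control manager (the PsExec path).
    $groups = 'File and Printer Sharing',
              'Windows Management Instrumentation (WMI)',
              'Remote Service Management',
              'Remote Scheduled Tasks Management'
    foreach ($g in $groups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
            Disable-NetFirewallRule
    }

    # 3. Re-allow the same services, but only from the management subnet.
    $rules = @(
        @{ Name = 'Isolation-SMB-Mgmt';   Port = '445', '139'; Extra = @{} }
        @{ Name = 'Isolation-EPMap-Mgmt'; Port = '135';        Extra = @{} }
        # WMI listens on a dynamic RPC port inside svchost (winmgmt), so scope that rule to the service.
        @{ Name = 'Isolation-WMI-Mgmt';   Port = 'RPC';        Extra = @{ Program = '%SystemRoot%\system32\svchost.exe'; Service = 'winmgmt' } }
    )
    foreach ($r in $rules) {
        $extra = $r.Extra
        Remove-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $ManagementSubnet -Profile Domain, Private, Public @extra | Out-Null
    }
}

function Test-WorkstationIsolation {
    # Report every enabled inbound allow rule that still exposes a lateral-movement port to any source.
    $watch = '445', '139', '135', 'RPC'
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule   = $_
        $ports  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $exposed = $ports | Where-Object { $_ -in $watch }
        if ($exposed -and ($remote -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = ($ports -join ',')
                RemoteAddress = ($remote -join ',')
            }
        }
    }
}

Set-WorkstationIsolation -ManagementSubnet '10.0.100.0/24'
Test-WorkstationIsolation    # no output means nothing answers SMB/RPC/WMI for arbitrary peers
```

Run Test-WorkstationIsolation first on a representative workstation: on a default build it lists the File and Printer Sharing and WMI rules as open to Any, which is exactly the exposure a worm carrying stolen credentials needs. After Set-WorkstationIsolation the only matching rules are the three scoped to the management subnet, so the test prints nothing. Pair this with Group Policy that removes local administrator rights from day-to-day accounts and denies network logon for local administrator accounts, so that a credential dumped on one host is worth little on the next.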

Additional Resources
Setting up Private VLANs
http://packetlife.net/blog/2010/aug/30/basic-private-vlan-configuration/

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_44_se/configuration/guide/scg/swpvlan.html

Implementing the Principle of Least Privilege within Various Versions of Windows

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

https://technet.microsoft.com/en-us/library/bb456992.aspx

https://www.sans.org/reading-room/whitepapers/win2k/enforcing-least-privilege-principle-active-directory-ous-gpos-group-214