Prevent Petya Ransomware by disabling SMBv1 on your Network
Last Updated: July 3rd, 2017
Petya \ GoldenEye encrypts entire disks
A new variant of Petya ransomware, also known as Petrwrap, NotPetya, or GoldenEye, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours. Petya ransomware has been delivered via phishing emails pretending to provide a resume which is, in fact, a malicious dropper. Make sure your users are aware of the risks of opening attachments from unknown sources.
Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims' computers from being booted into a live OS environment to retrieve their data.
Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. It encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk.
What you should do right now to prevent a Petya \ NotPetya outbreak
- Deploy the Microsoft Security Bulletin MS17-010 patch
- Add a read only file called C:\Windows\perfc to all Windows clients
- Avoid giving users administrator access to their local machines
- Watch out for any inbound or outbound activity associated with TCP ports 445 or 139
- Use traffic analysis to identify if any systems are connecting or trying to connect using SMBv1
- Root out any clients or servers scanning your network over TCP port 445 or 139
Further details below
Patch your Windows systems to remove one attack vector for Petya Ransomware
It is critical that you address Microsoft Security Bulletin MS17-010 and patch all Windows clients on your network. Microsoft have published a good post at this link which gives more background on this and also includes some information on what they are doing to prevent the spread of this Ransomware.
Petya or Petrwrap is spreading by exploiting an NSA-built Windows exploit known as “EternalBlue” which targets the SMBv1 protocol. While SMBv1 is a legacy protocol, it is still available in the latest Microsoft operating systems including:
- Windows XP (all service packs) (x86) (x64)
- Windows Server 2003 SP0 (x86)
- Windows Server 2003 SP1/SP2 (x86)
- Windows Server 2003 (x64)
- Windows Vista (x86)
- Windows Vista (x64)
- Windows Server 2008 (x86)
- Windows Server 2008 R2 (x86) (x64)
- Windows 7 (all service packs) (x86) (x64)
In parallel to applying the patch, you should disable SMBv1 use on your network. You can do this by running these commands in PowerShell on each system. Further information on how to disable SMBv1 on other systems is available here.
- Check for SMBv1: Get-SmbServerConfiguration | Select EnableSMB1Protocol
- To disable SMBv1 on the SMB server: Set-SmbServerConfiguration -EnableSMB1Protocol $false
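The two commands above only cover the SMB server side on systems that ship the SmbShare module. The script below is an added example, not part of the original post: it records the SMBv1 state, disables SMBv1 for both the server and the client (redirector) side, and falls back to the LanmanServer registry value on older systems such as Windows 7 and Server 2008 R2 that lack Set-SmbServerConfiguration. The sc.exe commands are the ones Microsoft documents for disabling the SMBv1 redirector; they take effect after a reboot. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit SMBv1 on this host, then disable it on both the
# server and client side. Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
# older systems fall back to the LanmanServer registry value. Run from an elevated session.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Server side: the same setting the post queries with Get-SmbServerConfiguration, with a registry
    # fallback for systems that lack the SmbShare module (Windows 7 / Server 2008 R2).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $value  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $server = if ($null -eq $value) { $true } else { [bool]$value.SMB1 }   # an absent value means SMBv1 is enabled
    }
    # Client side: start type of the SMBv1 redirector driver (2 = auto, 3 = manual/default, 4 = disabled).
    $client = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $server
        ClientDriverStart = $client
    }
}

function Disable-Smb1 {
    # Server side: stop offering SMBv1 (the command from the post; -Force suppresses the confirmation prompt).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: disable the SMBv1 redirector and remove it from the workstation service's dependencies
    # (the sc.exe commands Microsoft documents for this; they take effect after a reboot).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1Status
Disable-Smb1
$after  = Get-Smb1Status
# Show the before/after state so the change can be evidenced; the client side still needs a reboot.
$before, $after | Format-Table -AutoSize
```

Keep the before/after output from each host: it is the evidence you will want when auditing the rollout, and a host whose ClientDriverStart is still 3 after a reboot has not picked up the change.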
Create a read only file called C:\Windows\perfc
A researcher called Amit Serper discovered that NotPetya/Petya/Petna would search for a local file and would exit its encryption routine if that file already existed on disk.
To vaccinate your computer so that it cannot be infected by the current strain of this Ransomware, simply create a file called perfc in the C:\Windows folder and make it read only. If you are unsure how to do this, follow this guide or follow the steps in the video below.
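For anyone who prefers to script the vaccine rather than create the file by hand, the following is an added example (not from the original post). It creates C:\Windows\perfc only if it is missing, marks it read-only, and returns an object describing the result so the output can be collected from many machines. It needs an elevated session because C:\Windows is not writable by standard users.

```powershell
# Added example (not from the original post): create the read-only C:\Windows\perfc vaccine file.
# Run from an elevated session; writing under C:\Windows needs administrator rights.
#Requires -RunAsAdministrator

function New-PerfcVaccine {
    param([string]$Path = 'C:\Windows\perfc')

    # Create the (empty) file only if it is not already there, so the script can be re-run safely.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    # Mark it read-only, as the post recommends.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Report back so the result can be checked locally or collected centrally.
    $item = Get-Item -LiteralPath $Path
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $item.FullName
        Exists       = $true
        ReadOnly     = $item.IsReadOnly
    }
}

New-PerfcVaccine
```

The file is a stop-gap that only affects the strain described above; it does not replace the MS17-010 patch or disabling SMBv1.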
Avoid giving users administrator access
Petya \ GoldenEye first encrypts the files on the computer and then tries to install the MBR bootkit to encrypt the drive’s MFT. The GoldenEye variant starts by encrypting the user’s files, just like regular ransomware. For each file it encrypts, GoldenEye appends a random 8-character extension.
The ransomware then modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader. Petya \ GoldenEye ransomware must obtain administrative permissions to overwrite a computer’s MBR (Master Boot Record). Make sure you limit which users have administrator access on the network and on local PCs. You can use the Microsoft Local Administrator Password Solution (LAPS) to manage the local account passwords of domain-joined computers.
Once it gains administrator access on a machine, it then leverages that power to commandeer other computers on the network or sniff domain admin credentials present in memory to take control over the entire Windows network.
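Before you can limit local administrator access you need to know who has it. The script below is an added example, not part of the original post: it queries the local Administrators group on a list of hosts over PowerShell Remoting and reports any member that is not on an allow list. The host names and the allow list are constructed placeholders; it assumes Remoting is enabled, the running account has administrator rights on the targets, and the targets run Windows 10 / Server 2016 or newer (Get-LocalGroupMember is not available on older systems).

```powershell
# Added example (not from the original post): find unexpected members of the local Administrators group.
# Assumes PowerShell Remoting is enabled and the account running this has admin rights on the targets;
# Get-LocalGroupMember needs Windows 10 / Server 2016 or newer on the remote side.

# Constructed host list: replace with your own inventory or an Active Directory query.
$Computers = @('WS-FINANCE-01', 'WS-HR-07', 'SRV-FILE-02')

# Accounts expected to be local admins (constructed); anything else is reported for review.
$Expected = @('Administrator', 'Domain Admins')

function Get-UnexpectedLocalAdmins {
    param([string[]]$ComputerName, [string[]]$AllowList)

    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [PSCustomObject]@{
                Member      = $_.Name             # e.g. DOMAIN\jsmith or HOST\localuser
                ObjectClass = $_.ObjectClass      # User or Group
                Source      = $_.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    } | Where-Object {
        # Strip the domain or host prefix before comparing with the allow list.
        ($_.Member -replace '^.*\\', '') -notin $AllowList
    } | Select-Object PSComputerName, Member, ObjectClass, Source
}

Get-UnexpectedLocalAdmins -ComputerName $Computers -AllowList $Expected | Format-Table -AutoSize
```

Hosts that do not answer are silently skipped by -ErrorAction SilentlyContinue; compare the list of hosts that returned results against your inventory so an unreachable machine is not mistaken for a clean one.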
Check for suspicious traffic flows on your network
You should also review your network traffic flows for any activity associated with Microsoft SMB ports and external addresses. SMB typically uses TCP port 445 and this is one of the main attack vectors used in recent Ransomware attacks. You can monitor network traffic by using SPAN or mirror ports off your core switches.
The image below is an example of what to watch out for. I used a Top Clients report from our LANGuardian product to show all connections over TCP port 445 where the client IP address was external. Based on this data I need to make sure the target machines are not running SMBv1 and I will also block TCP 445 access on my firewall.
Infected machines may also scan the network looking for other Microsoft clients. Watch out for the following behaviour:
- Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
- Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes
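The three patterns described in this section (external clients reaching TCP 445, workstations sweeping their own /24, and servers reaching SMB ports across several /24s) can be picked out of exported flow records. The script below is an added example, not from the original post or the LANGuardian product: it runs over a few constructed CSV flow rows (time, source, destination, destination port) and a constructed list of server addresses, and reports each pattern it finds. The thresholds are assumptions to tune for your own network.

```powershell
# Added example (not from the original post or the LANGuardian product): flag suspicious SMB flow patterns.
# The CSV rows below are constructed sample data in the shape time,src,dst,dport.
$FlowCsv = @'
time,src,dst,dport
2017-06-27T10:01:00,203.0.113.45,10.0.1.20,445
2017-06-27T10:01:05,10.0.1.31,10.0.1.1,445
2017-06-27T10:01:06,10.0.1.31,10.0.1.2,445
2017-06-27T10:01:06,10.0.1.31,10.0.1.3,139
2017-06-27T10:01:07,10.0.1.31,10.0.1.4,445
2017-06-27T10:01:08,10.0.1.31,10.0.1.5,445
2017-06-27T10:01:09,10.0.1.31,10.0.1.6,445
2017-06-27T10:02:00,10.0.2.10,10.0.3.7,445
2017-06-27T10:02:01,10.0.2.10,10.0.4.7,445
2017-06-27T10:02:02,10.0.2.10,10.0.5.7,445
2017-06-27T10:02:30,10.0.1.40,10.0.1.10,445
2017-06-27T10:02:31,10.0.1.40,10.0.1.10,80
'@
# Constructed: internal addresses that are servers (domain controllers, file servers).
$ServerIPs = @('10.0.2.10', '10.0.1.10')
$SmbPorts  = @(139, 445)

function Test-PrivateIPv4 { param([string]$Ip)
    # RFC 1918 ranges; anything else is treated as external.
    ($Ip -match '^10\.') -or ($Ip -match '^192\.168\.') -or ($Ip -match '^172\.(1[6-9]|2\d|3[01])\.')
}
function Get-Slash24 { param([string]$Ip) ($Ip -split '\.')[0..2] -join '.' }

function Find-SuspiciousSmbFlows {
    # Thresholds are assumptions: tune them to the size of your subnets and normal server behaviour.
    param([string]$Csv, [string[]]$Servers, [int]$HostThreshold = 5, [int]$SubnetThreshold = 2)
    $flows = @($Csv | ConvertFrom-Csv | Where-Object { [int]$_.dport -in $SmbPorts })
    $findings = @()

    # 1. SMB connections from external client addresses: block these at the firewall.
    foreach ($f in ($flows | Where-Object { -not (Test-PrivateIPv4 $_.src) })) {
        $findings += [PSCustomObject]@{ Source = $f.src; Finding = "external client to $($f.dst):$($f.dport)" }
    }

    # 2. For each internal source, count distinct SMB targets and distinct /24 networks.
    foreach ($g in ($flows | Where-Object { Test-PrivateIPv4 $_.src } | Group-Object src)) {
        $targets  = @($g.Group.dst | Sort-Object -Unique)
        $subnets  = @($targets | ForEach-Object { Get-Slash24 $_ } | Sort-Object -Unique)
        $localNet = Get-Slash24 $g.Name
        if ($g.Name -in $Servers) {
            # Servers (in particular domain controllers) reaching tcp/139 or tcp/445 across several /24s.
            if ($subnets.Count -ge $SubnetThreshold) {
                $findings += [PSCustomObject]@{ Source = $g.Name; Finding = "server reached SMB ports in $($subnets.Count) subnets" }
            }
        } else {
            # Workstations sweeping hosts on their own /24.
            $localTargets = @($targets | Where-Object { (Get-Slash24 $_) -eq $localNet })
            if ($localTargets.Count -ge $HostThreshold) {
                $findings += [PSCustomObject]@{ Source = $g.Name; Finding = "workstation scanned $($localTargets.Count) hosts in $localNet.0/24" }
            }
        }
    }
    $findings
}

Find-SuspiciousSmbFlows -Csv $FlowCsv -Servers $ServerIPs | Format-Table -AutoSize
```

With the sample rows this reports 203.0.113.45 as an external client, 10.0.1.31 as a workstation that touched six hosts on 10.0.1.0/24, and 10.0.2.10 as a server reaching SMB ports in three subnets; 10.0.1.40 is not reported because it only spoke to a single host.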
How to passively detect SMBv1 use on your network
Even if you think you have patched all systems on your network, you should still run an audit to check for any activity associated with SMBv1. Some network devices may have embedded operating systems which could easily be missed. One method to do this is to use network traffic analysis to detect the presence of clients attempting to connect to other systems using SMBv1.
Our own LANGuardian product can be used to report on SMBv1 use and an example of this is shown in the video below.
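The passive approach rests on what an SMB session looks like on the wire: an SMBv1 negotiate starts with 0xFF 'S' 'M' 'B', an SMB2 negotiate or response starts with 0xFE 'S' 'M' 'B', and the SMBv1 negotiate request carries the list of dialects the client is willing to speak. A client that offers only SMBv1 dialects (no "SMB 2.002" or "SMB 2.???" entry) is SMBv1-only, and a server that answers with an SMBv1 header has committed the session to SMBv1. The parser below is an added example, not from the original post or the LANGuardian product; it builds three constructed packets (the bytes are not captured traffic) and classifies each one.

```powershell
# Added example (not from the original post or the LANGuardian product): classify SMB negotiate packets
# as SMBv1 or SMB2+. The packets below are constructed for the example, not captured.
# Layout (MS-CIFS / MS-SMB2): 4-byte NetBIOS session header, then either an SMB1 header
# (0xFF 'S' 'M' 'B', command byte 0x72 = NEGOTIATE) or an SMB2 header (0xFE 'S' 'M' 'B').
# In an SMB1 NEGOTIATE request the dialect list follows WordCount (0) and ByteCount: each entry is 0x02
# plus a NUL-terminated ASCII name such as "NT LM 0.12" or "SMB 2.???".

function New-Smb1NegotiateRequest { param([string[]]$Dialects)
    # Builds a minimal SMB1 NEGOTIATE request; used here only to produce sample input.
    $body = @()
    foreach ($d in $Dialects) { $body += 0x02; $body += [Text.Encoding]::ASCII.GetBytes($d); $body += 0x00 }
    $smb = @(0xFF, 0x53, 0x4D, 0x42, 0x72) + (@(0) * 27) + @(0x00) + [BitConverter]::GetBytes([uint16]$body.Count) + $body
    $len = $smb.Count
    # NetBIOS session header: type 0x00 followed by a 3-byte big-endian length.
    [byte[]](@(0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF)) + $smb)
}

function Get-SmbNegotiateInfo { param([byte[]]$Packet)
    [byte[]]$smb = $Packet[4..($Packet.Length - 1)]            # strip the NetBIOS session header
    $magic = [Text.Encoding]::ASCII.GetString($smb[1..3])
    if ($magic -ne 'SMB') { throw 'not an SMB packet' }
    if ($smb[0] -eq 0xFE) {
        return [PSCustomObject]@{ Protocol = 'SMB2+'; Dialects = @(); Verdict = 'SMB2 or later; no SMBv1 involved' }
    }
    if ($smb[0] -ne 0xFF) { throw 'unknown SMB protocol id' }
    if ($smb[4] -ne 0x72) {
        return [PSCustomObject]@{ Protocol = 'SMB1'; Dialects = @(); Verdict = 'SMBv1 command after negotiation: session is using SMBv1' }
    }
    # Walk the dialect list of the NEGOTIATE request.
    $wordCount = $smb[32]
    $bcOffset  = 33 + 2 * $wordCount
    $byteCount = [BitConverter]::ToUInt16($smb, $bcOffset)
    $pos = $bcOffset + 2
    $end = $pos + $byteCount
    $dialects = @()
    while ($pos -lt $end -and $smb[$pos] -eq 0x02) {
        $pos++
        $start = $pos
        while ($pos -lt $end -and $smb[$pos] -ne 0x00) { $pos++ }
        $dialects += [Text.Encoding]::ASCII.GetString($smb[$start..($pos - 1)])
        $pos++
    }
    $offersSmb2 = @($dialects | Where-Object { $_ -like 'SMB 2.*' }).Count -gt 0
    $verdict = if ($offersSmb2) { 'SMBv1 negotiate that also offers SMB2; the server reply decides' } else { 'SMBv1-only client: no SMB2 dialect offered' }
    [PSCustomObject]@{ Protocol = 'SMB1'; Dialects = $dialects; Verdict = $verdict }
}

# Constructed samples: a legacy client, a modern client that still negotiates via SMBv1 first,
# and an SMB2 reply truncated to the header bytes the classifier looks at.
$legacy   = New-Smb1NegotiateRequest -Dialects 'PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'NT LM 0.12'
$modern   = New-Smb1NegotiateRequest -Dialects 'NT LM 0.12', 'SMB 2.002', 'SMB 2.???'
$smb2Resp = [byte[]](@(0x00, 0x00, 0x00, 0x04) + @(0xFE, 0x53, 0x4D, 0x42))
$legacy, $modern, $smb2Resp | ForEach-Object { Get-SmbNegotiateInfo $_ } | Format-List
```

The legacy sample is the case that matters for the audit: an embedded device or unpatched host that cannot offer an SMB2 dialect will show up this way, even when it never completes a session. For traffic feeds, apply the same classifier to the payload after the TCP handshake on port 445 (or after the NetBIOS session request on port 139).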
We will continue to update this post as we learn more about this Ransomware variant.
Other indicators of Petya \ NotPetya
Watch out for any activity on your network associated with these IP addresses. Check whether any local systems on your network are trying to connect to them, or whether you have any inbound activity through your firewall(s) associated with them.