By Adam Hartley
A new variant of the Petya malware family was discovered on Tuesday 27th June 2017. The Petya family is not new: it was first seen and classified in March 2016, and Juniper researchers have previously blogged about it. That earlier version of the Petya ransomware is available to cybercriminals to purchase as a service (Ransomware-as-a-Service, or RaaS) rather than their having to develop their own malware.
This new variant of the Petya malware combines existing techniques (seen in the WannaCry ransomware outbreak) with new ones (as disclosed in the EternalBlue exploits leak) to spread across vulnerable clients and networks. Most researchers are calling this a Petya variant, whilst some are calling for it to be classified as “NotPetya” or “GoldenEye”, because the new malware has some ‘Petya-like’ qualities but also uses the above modifications to make it more effective and more destructive. Regardless of the name, it has already hit 2,000+ targets, seizing the systems of high-profile victims such as Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions around the world.
When the ransomware takes effect it encrypts the full disk of the computer and tells the infected user that the only way to recover their data is to pay a ransom in Bitcoin equivalent to ~$300. It’s important to note that there has been no confirmation that any payment made so far has resulted in successful decryption. This is because the attackers require the victim to email confirmation of the Bitcoin payment to an email address which has now been taken down by their email provider.
How Petya learnt from WannaCry’s mistakes
WannaCry had many design flaws, which were due to its attackers not finishing the North Korean project, and it relied almost entirely on EternalBlue (a bundle of stolen NSA exploits). These design flaws caused it to fizzle out within a few days, once researchers, activists and white hats easily found counters to the outbreak. This new Petya variant, however, hasn’t made the same mistakes.
How Juniper Networks protected its customers
To verify that Juniper Networks had protected its customers and partners, they began a manual analysis of Petya samples (as seen in the wild) in the Juniper lab straight away. At 1.38pm on Tuesday 27th June 2017 Juniper reported that they were able to detect and prevent infection using their Sky ATP (Advanced Threat Prevention) and IDP (Intrusion Detection and Prevention) technologies.
For Juniper SRX and IDP customers, MS17-010 is covered by multiple CVEs (Common Vulnerabilities and Exposures) and their corresponding signatures. You should ensure the following IDP signatures are enabled in your environment; the specific Juniper IDP signatures are listed below.
SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution
SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write
SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure
SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution
SMB: Malformed Message
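Enabling the signatures is only half the check: they also need to be in a blocking action, and any internal host that repeatedly trips them is a likely infection. The following added example (not from the original post or from Juniper) runs that check over IDP attack logs. The log lines are constructed, and the `key="value"` field layout of `IDP_ATTACK_LOG_EVENT` is an assumption based on SRX structured syslog; adjust the field names to match your own log format.

```python
import re
from collections import Counter

# The five Juniper IDP signatures the post says should be enabled for MS17-010.
MS17_010_SIGNATURES = frozenset({
    "SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution",
    "SMB: Microsoft Windows SMB Server CVE-2017-0146 Out Of Bounds Write",
    "SMB: Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure",
    "SMB: Microsoft Windows CVE-2017-0148 Remote Code Execution",
    "SMB: Malformed Message",
})

# Pulls key="value" pairs out of a structured-syslog style line.
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample lines (assumption: SRX structured-syslog field names; real lines carry more fields).
SAMPLE_LOG = """\
RT_IDP: IDP_ATTACK_LOG_EVENT: message-type="SIG" source-address="10.0.5.23" source-port="49211" destination-address="10.0.5.40" destination-port="445" protocol-name="TCP" attack-name="SMB: Microsoft Windows CVE-2017-0145 Remote Code Execution" action="DROP" threat-severity="CRITICAL"
RT_IDP: IDP_ATTACK_LOG_EVENT: message-type="SIG" source-address="10.0.5.23" source-port="49214" destination-address="10.0.5.41" destination-port="445" protocol-name="TCP" attack-name="SMB: Malformed Message" action="NONE" threat-severity="HIGH"
RT_IDP: IDP_ATTACK_LOG_EVENT: message-type="SIG" source-address="10.0.9.7" source-port="51002" destination-address="10.0.5.40" destination-port="80" protocol-name="TCP" attack-name="HTTP: Example Unrelated Signature" action="DROP" threat-severity="LOW"
"""

def parse_idp_line(line):
    """Return the key/value fields of one IDP_ATTACK_LOG_EVENT line, or None for other lines."""
    if "IDP_ATTACK_LOG_EVENT" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def ms17_010_hits(log_text):
    """Events whose attack-name is one of the MS17-010 signatures, each tagged with a blocked flag."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_idp_line(line)
        if ev and ev.get("attack-name") in MS17_010_SIGNATURES:
            # NONE / IGNORE mean the signature fired but the session was let through:
            # the signature is enabled in detect-only mode and will not stop lateral spread.
            ev["blocked"] = ev.get("action", "NONE").upper() not in {"NONE", "IGNORE"}
            hits.append(ev)
    return hits

def sources_to_isolate(hits):
    """Hosts generating MS17-010 traffic, most active first (candidates for isolation)."""
    return Counter(h["source-address"] for h in hits).most_common()

if __name__ == "__main__":
    found = ms17_010_hits(SAMPLE_LOG)
    for h in found:
        print(h["source-address"], "->", h["destination-address"], h["attack-name"], "blocked" if h["blocked"] else "NOT BLOCKED")
    print("isolate:", sources_to_isolate(found))
```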
If you’d like to discuss this or how to protect your organisation with Juniper Networks then give the Juniper team at Westcoast Ltd a call on 0118 912 6000 or email us at Juniper@westcoast.co.uk
To find out more, read the full version of the article here.