Europe woke up Tuesday to massive attacks on both governments and some of the world’s largest brands. While the story is sure to develop, here’s what we’ve learned so far, and what enterprises need to take into account whether they have been affected or are trying to protect their organizations from becoming the next victim.
1. Currently, most victim companies are in Russia and Ukraine with some much smaller volumes observed in Western Europe. Unless the malware has some form of geo fencing, this will likely change throughout the day as the rest of world wakes up and logs on to their systems.
2. This malware only has passing resemblance to the historic Petya malware and thus should NOT be considered the same. This is much more sophisticated than both Petya and the recent Wannacry.
3. The campaign is using multiple propagation vectors:
- Email (multiple PDF and Word attachment samples have been collected)
- The EternalBlue exploit used by Wannacry
- Harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally
- An attack against the update process of a third-party Ukrainian software product called MEDoc
4. Even a machine patched against the EternalBlue exploit is still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because it can continue to propagate even in fully patched environments.
5. The worst case for an organization is if a user with domain admin credentials is compromised as the entire network becomes at risk via WMIC and remote process execution (psexec).
6. For non-admin victims, the files on the machine are encrypted using a standard AES routine (thus, it is unlikely there will be an implementation bug found to allow for non-keyed decryption).
7. For admin (local or domain) victims, the Master Boot Record (MBR) is encrypted (but not the files on disk). Thus, the machine seems bricked but is actually relatively easy to recover. This seems to imply that this may be more of a disruption attack than a financially motivated crime.
8. There was a single bitcoin account setup for ransom payments but it has already been taken down. Thus, there is currently no way for victims to get decryption keys even if they want to pay the ransom. Again, this hints at motive in the sense there was possibly never any real intention of collecting significant ransom or of providing a decryption pathway.
9. Because of the attempt to move laterally, environments that have adopted Software-Defined Perimeter architectures to limit lateral movement are likely to see far reduced impact compared to traditional open enterprise networks
10. A number of next-gen anti-virus systems are now detecting and stopping this.
Chris Day is Cyxtera’s Chief Cybersecurity Officer.