Several organizations have been impacted today by the ransomware known as Petya, or Petrwrap. At this time the distribution vector is still unconfirmed, but it appears to be spreading across networks in a manner similar to WannaCry, although the capacity for an email vector exists. Like WannaCry, this Petya outbreak appears to be leveraging the SMB protocol to spread itself.
Proofpoint strongly encourages customers to verify the following on their systems.
(A) Ensure that the .exestrip rule is enabled in PPS; this rule stops inbound .zip and .js attachments and raw executables in email.
(B) Enable blocking of password-protected compressed files as well, at least for the duration of this outbreak.
(C) Proofpoint TAP customers have an additional layer of protection against other potential email vectors, since URL-based or Office-document-based encapsulation is subject to behavioral analysis by TAP.
(D) Ensure systems are patched against the vulnerability described in Microsoft bulletin MS17-010 (remote code execution through the Windows SMBv1 server). It is not yet confirmed that this stops the new Petya outbreak, but patching will mitigate the risk of infection from residual WannaCry activity.
(E) Deploy Proofpoint ET signatures on your IDS; we have verified that they identify and block the network command-and-control / phone-home and worm activity of this ransomware.
As always, please report any confirmed "false negatives" (e.g., threats that appear to have used a Proofpoint-protected vector to gain entry) immediately. Note that at this time we have no reports of such events at Proofpoint customers.
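As an added illustration of what items (A) and (B) amount to on a mail gateway (example code written for this page, not Proofpoint's PPS rule logic; the policy dictionaries, rule names and sample attachments are constructed here), the following Python applies the same tests to an attachment: raw executable detected by PE header regardless of the file extension, blocked extensions including .js, and zip archives either stripped outright or, under a looser policy, opened and inspected for blocked members and for the general-purpose flag bit that marks a password-protected archive.

```python
"""Attachment policy check mirroring items (A) and (B) of the bulletin.
Added example, not Proofpoint code; policies and samples are constructed."""
import io
import os
import struct
import zipfile

# Assumed policy values; the real .exestrip rule definition is not reproduced here.
STRICT_POLICY = {
    "block_extensions": {".exe", ".dll", ".scr", ".js", ".jse", ".vbs"},
    "block_all_archives": True,        # item (A): strip .zip attachments outright
    "block_encrypted_archives": True,  # item (B): password-protected archives
}
# Looser variant: archives are opened and inspected instead of stripped.
INSPECT_POLICY = dict(STRICT_POLICY, block_all_archives=False)

# Office Open XML documents are zip containers too; they belong to the document
# pipeline (TAP analysis in the page's terms), so they are not treated as archives here.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
SNIFF_BYTES = 4096  # read only the head of a member: enough for a PE header, safe against zip bombs


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def zip_blocked_member(data: bytes, policy: dict):
    """Return the first member blocked by extension or by PE header, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if os.path.splitext(info.filename.lower())[1] in policy["block_extensions"]:
                return info.filename
            if not info.flag_bits & 0x1:  # encrypted members cannot be read without the password
                with zf.open(info) as member:
                    if looks_like_pe(member.read(SNIFF_BYTES)):
                        return info.filename
    return None


def classify_attachment(filename: str, data: bytes, policy: dict = STRICT_POLICY):
    """Return ("block", reason) or ("allow", reason) for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    if looks_like_pe(data):
        return ("block", "raw executable (PE header), whatever the extension")
    if ext in policy["block_extensions"]:
        return ("block", f"blocked extension {ext}")
    if ext not in OOXML_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        if policy["block_all_archives"]:
            return ("block", "archive attachment")
        if policy["block_encrypted_archives"] and zip_is_encrypted(data):
            return ("block", "password-protected archive")
        hit = zip_blocked_member(data, policy)
        if hit:
            return ("block", f"archive member {hit}")
    return ("allow", "no rule matched")


# --- constructed samples (not real malware) ---------------------------------

def fake_pe() -> bytes:
    """A bare MZ/PE header pair: enough to trip the check, not a runnable program."""
    hdr = bytearray(0x48)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset of "PE\0\0"
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_zip_encrypted(data: bytes) -> bytes:
    """Set the encryption flag in every local (offset 6) and central (offset 8) header.
    Member data stays in the clear; this only reproduces the flag a protected zip carries."""
    out = bytearray(data)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= 0x01
            pos = out.find(signature, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    plain = build_zip({"readme.txt": b"hi"})
    for name, data, policy in [
        ("report.pdf", fake_pe(), STRICT_POLICY),
        ("invoice.js", b"var a = 1;", STRICT_POLICY),
        ("docs.zip", plain, STRICT_POLICY),
        ("docs.zip", plain, INSPECT_POLICY),
        ("docs.zip", build_zip({"scan.dat": fake_pe()}), INSPECT_POLICY),
        ("docs.zip", mark_zip_encrypted(plain), INSPECT_POLICY),
    ]:
        print(name, classify_attachment(name, data, policy))
```

The PE check deliberately ignores the declared extension, which is what defeats a renamed executable; the archive branch reads at most the first few kilobytes of each member, so a decompression bomb cannot exhaust the gateway during the sniff.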
(A) What is the Payload?
While there has been some debate in the research community over whether the payload is "Petya" or merely "Petya-like", there is general agreement that the payload is ransomware that most likely targets the Master Boot Record and the Master File Table (as Petya does), leaving the system unbootable.
(B) What is the distribution mechanism?
The ransomware package appears to attempt both the EternalBlue SMB exploit and the legitimate remote-administration tools PsExec (Sysinternals, described as "a Telnet alternative") and the Windows Management Instrumentation Command-line (WMIC, "a command-line and scripting interface") for distribution and initiation.
There are no confirmed reports of transmission via email. There are, however, large concurrent email campaigns distributing "KaroCrypt", which Proofpoint is actively blocking. As with the confusion between WannaCry and Jaff, we anticipate some confusion between KaroCrypt and this Petya-like malware.
(C) Where did it start?
There is widely reported but unconfirmed attribution (including on the me-doc website) suggesting that the Ukrainian accounting software "MeDoc" was compromised and used to distribute the malware through its standard update mechanism last night. Once introduced into an intranet, the mechanisms in (B) would rapidly spread the malware to other connected systems that were either unpatched against EternalBlue or left open to PsExec and WMIC (i.e., reachable over SMB and RPC/DCOM by an account with administrative rights on the target).
(D) How do I detect and block this?
The guidance issued in the original bulletin still holds; specifically, for network detection, ensure you have deployed the updated IDS signatures:
2012063: ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2024297: ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
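The two ET signatures above cover the EternalBlue path on the wire. The PsExec and WMIC mechanisms in (B) ride on legitimate administrative channels that network signatures do not flag, so host logs are the more useful source for them. The following is an added example for this page (not a Proofpoint or ET rule) of the detection logic a practitioner would run over Windows process-creation (Security 4688 / Sysmon 1) and service-installation (System 7045) events, on both the machine issuing the command and the machine receiving it; the event records, host names, account names and rule names are constructed for illustration, and the command-line patterns are assumptions based on the two tools' documented syntax.

```python
"""Host-side detection of PsExec and WMIC lateral movement from Windows event data.
Added example for this page; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int           # 4688 / Sysmon 1 = process creation, 7045 = service installed
    computer: str
    user: str
    image: str = ""         # NewProcessName / Image
    parent: str = ""        # ParentProcessName / ParentImage
    cmdline: str = ""       # CommandLine
    service: str = ""       # ServiceName (7045)
    service_path: str = ""  # ImagePath (7045)


# Source side: "wmic /node:<host> ... process call create ..." and "psexec \\<host> ...".
WMIC_REMOTE = re.compile(r"\bwmic(\.exe)?\b.*?/node:\s*\S+.*?\bprocess\b.*?\bcall\b.*?\bcreate\b", re.I | re.S)
PSEXEC_CLIENT = re.compile(r"\bpsexec(64)?(\.exe)?\b.*?\\\\\S+", re.I)

# Target side: children WmiPrvSE.exe should not normally spawn. Tune per environment;
# systems-management agents that drive hosts through WMI will need exclusions.
SUSPICIOUS_WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                           "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, computer, evidence) tuples, one per matching event, in input order."""
    alerts = []
    for e in events:
        if e.event_id == 7045:
            if "psexesvc" in (e.service + e.service_path).lower():
                alerts.append(("psexec_service_installed", e.computer, e.service_path or e.service))
            continue
        if e.event_id not in (1, 4688):
            continue
        image, parent = basename(e.image), basename(e.parent)
        if image == "psexesvc.exe":
            alerts.append(("psexec_service_running", e.computer, e.image))
        elif parent == "psexesvc.exe":
            alerts.append(("psexec_child_process", e.computer, e.cmdline or e.image))
        elif parent == "wmiprvse.exe" and image in SUSPICIOUS_WMI_CHILDREN:
            alerts.append(("wmi_remote_process_create", e.computer, e.cmdline or e.image))
        elif WMIC_REMOTE.search(e.cmdline):
            alerts.append(("wmic_remote_execution_source", e.computer, e.cmdline))
        elif PSEXEC_CLIENT.search(e.cmdline):
            alerts.append(("psexec_client_source", e.computer, e.cmdline))
    return alerts


# Constructed events: WS-01 pushes a command to WS-02 over WMI and to WS-03 with PsExec;
# the last two events are benign local activity that must not alert.
SAMPLE_EVENTS = [
    Event(4688, "WS-01", r"CORP\admin", r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
          r'wmic /node:"WS-02" /user:"CORP\admin" process call create "cmd.exe /c whoami"'),
    Event(4688, "WS-02", r"CORP\admin", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          r"cmd.exe /c whoami"),
    Event(4688, "WS-01", r"CORP\admin", r"C:\Tools\PsExec.exe", r"C:\Windows\System32\cmd.exe",
          r"PsExec.exe \\WS-03 -accepteula -s cmd.exe /c whoami"),
    Event(7045, "WS-03", "SYSTEM", service="PSEXESVC", service_path=r"%SystemRoot%\PSEXESVC.exe"),
    Event(4688, "WS-03", "SYSTEM", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\services.exe",
          r"C:\Windows\PSEXESVC.exe"),
    Event(4688, "WS-03", "SYSTEM", r"C:\Windows\System32\cmd.exe", r"C:\Windows\PSEXESVC.exe",
          r"cmd.exe /c whoami"),
    Event(4688, "WS-01", r"CORP\admin", r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
          r"wmic os get caption"),
    Event(4688, "WS-02", r"CORP\alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Windows\explorer.exe", r'"chrome.exe" --profile-directory=Default'),
]


if __name__ == "__main__":
    for rule, computer, evidence in detect(SAMPLE_EVENTS):
        print(f"{computer:6} {rule:30} {evidence}")
```

Both the source-side and target-side rules are needed: the source-side command lines only exist if command-line logging is enabled on the operator's machine, whereas the PSEXESVC service install and a WmiPrvSE.exe child on the target are visible regardless, and are the events that fire when the worm, rather than an administrator, is driving the tools.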
Please note that this is still an active investigation; details are still being verified and are subject to change.