Petya uses hybrid infection technique

Security MEA speaks with Steve Grobman, CTO at McAfee, on the recent Petya ransomware attack.

What is the extent of the damage caused by the Petya ransomware cyberattack?

We are currently tracking a smaller number of impacted systems as compared to WannaCry, mostly in Europe and Eastern Europe, but that will evolve over time as connected systems become infected. The general interest and number of queries about this attack campaign is very high, as people now understand the potential impact of these types of attacks on their systems.

What are you as a security vendor doing to ensure your clients are not affected by such an attack, or that the effects of such an attack are mitigated?

Upon learning of these incidents, McAfee quickly began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers. McAfee has subsequently provided extra DAT updates to all its customers and provided them and the public further analysis on the attacks. McAfee urges all customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use.

What sort of precautions or remediations do companies need to take in order to keep themselves safe from the Petya attack?

One of the things we are very strongly recommending all organizations around the world do is not only aggressively patch vulnerabilities like the Windows CVE-2017-0144 SMB vulnerability, but if for some reason they cannot patch, there are other steps they can take. They can do things like reconfiguration changes to machines so they don’t accept connections for older versions of what we call SMB, and would therefore protect against that vulnerability.

To prepare for the next generation of ransomware attacks, it is imperative that organizations patch all systems aggressively against known vulnerabilities, establish a secure architecture that utilizes advanced cyber security defense technologies and execute a comprehensive data back-up plan for their organization.
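The reconfiguration step mentioned above, refusing connections for the older SMB protocol version, is what an administrator would actually type on a Windows host that cannot yet be patched. The script below is an added example for this interview; it is not McAfee's code and not part of the original text. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where the `SmbShare` module and `Get-SmbServerConfiguration` exist); on Windows 7 / Server 2008 R2 only the registry value it writes applies. The function names `Get-Smb1Status` and `Disable-Smb1` are hypothetical helpers written for this example.

```powershell
# Added example, not from the interview or from McAfee: audit and disable SMBv1
# on a Windows host. Run from an elevated PowerShell prompt.
# Assumptions: Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets;
# the registry write alone covers Windows 7 / Server 2008 R2.

function Get-Smb1Status {
    # Returns $true when the SMB1 server-side protocol is still enabled.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Turn off the SMB1 server protocol. New sessions are refused at once;
    #    existing SMB1 sessions are dropped.
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # 2. Write the legacy registry value as well, so the setting is explicit on
    #    builds that only read LanmanServer\Parameters\SMB1 at service start
    #    (Windows 7 / Server 2008 R2 have no Set-SmbServerConfiguration).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($key, 'Set SMB1 = 0')) {
        New-ItemProperty -Path $key -Name 'SMB1' -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # 3. Where the SMB1 optional feature exists (Windows 10 / Server 2016+),
    #    remove it so the driver is not loaded at all. Takes effect after reboot.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable Windows optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
        }
    }
}

# Usage: report first, then do a dry run; drop -WhatIf to apply the change.
if (Get-Smb1Status) {
    Write-Warning 'SMB1 is enabled on this host; the SMB exploit used by Petya and WannaCry targets this protocol version.'
    Disable-Smb1 -WhatIf
    # Disable-Smb1          # apply for real once the dry run looks right
} else {
    Write-Output 'SMB1 is already disabled on this host.'
}
```

Two practical notes: disabling SMBv1 is a stop-gap for hosts that cannot take the CVE-2017-0144 patch, not a replacement for it, and some legacy devices (old multifunction printers, NAS boxes, embedded scanners) still speak only SMBv1, so inventory who connects with that dialect before rolling the change out fleet-wide. On Windows 10 / Server 2016 and later, `Set-SmbServerConfiguration -AuditSmb1Access $true` logs such clients in the `Microsoft-Windows-SMBServer/Audit` event log, which gives you that inventory without breaking anything first.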

Why, according to you, is the Petya attack more serious than the previous WannaCry attack?

Similar to WannaCry, Petya spreads via the EternalBlue SMB exploit. However, Petya introduces additional spreading mechanisms to ensure success. It steals credentials and uses stolen credentials to compromise additional machines, including machines that do not have software vulnerabilities.

Petya differs from usual ransomware families in that it doesn’t just encrypt user files, it also encrypts the machine’s Master Boot Record (MBR), rendering the disk inaccessible and preventing normal users from recovering data. Once this has happened, the only way to retrieve data is via the decryption key held by the attackers. This is the first ransomware we have seen that uses the hybrid infection technique. The technique uses a combination of vulnerability exploitation and credential theft to infect machines.