Updated July 6, 2017, 11:51 AM PT

When the latest massive global cyber attack first hit on June 27, the security community observed that the payload behavior closely matched Petya ransomware, which emerged back in 2016, so we initially called this a variant. However, SonicWall Capture Labs researchers confirmed that this is definitely not Petya ransomware. In fact, it masquerades as ransomware but there is no boot sector decryption capability, so in reality this is a wiper-like attack which is generally used as a cyber weapon for targeted system destruction. At this point, the malware is being referred to as  NotPetya, ExPetr, Nyetya, PetWrap or GoldenEye.

Like WannaCry, this latest attack propagates using EternalBlue, one of the exploits that was leaked from the NSA back in April, which has led to comparisons between the two. The origins are still in dispute, but our position is that regardless of whether it is a cyber crime or a state sanctioned attack, the capacity to inflict not only financial but also brand and operational damage to organizations around the world is enormous.

What we see is that the cyber arms race continues to evolve. If I were to boil this down to its essence, cyber criminals are combining exploits and attacks in creative ways that are not necessarily brand new, but can be tweaked and combined in new ways to create very effective attacks. Like mixing cocktails, the ingredients are all well known, but the exact mix is completely new.

SonicWall Capture Labs confirmed in a SonicAlert issued on June 27 that customers had been protected from this cyber attack through both our intrusion prevention service as well as the SonicWall Capture network sandbox prior to the attack. Gateway AV signatures were also added after we analyzed the payload to detect and protect against the modified ransomware. Stay tuned for more updates from SonicWall as this situation unfolds.

What the attack looks like:

Petya Lock Screen

Petya Payment Screen

Information for SonicWall customers

SonicWall provides protection from this latest attack in a variety of ways for customers with both next-generation firewalls and email security solutions. Here is a breakdown of the protection details.

SonicWall Intrusion Prevention Service – prevents propagation of known malware

  • Existing protection against the NSA EternalBlue exploit of the SMB1 protocol, originally deployed to our firewalls in April 2017, continues to be effective at blocking the malware propagation.
  • No new signatures necessary.

SonicWall Gateway Anti-Virus Service blocks known malware at the gateway

  • We released new signatures to cover the modified payload on June 27. The following have been pushed to all firewalls.
    • GAV: GoldenEye.A_5 (Trojan)
    • GAV: WisdomEyes.A_2 (Trojan)
    • GAV: GoldenEye.A_4 (Trojan)
    • GAV: Petya.A_8 (Trojan)
    • GAV: Petya.AA (Trojan)

SonicWall Capture ATP Network Sandbox Service

  • Detects unknown zero-day malware
  • Capture customers had protection at time zero since the multi-engine sandbox detected the modified Petya payload.
  • Any customers using our Block until Verdict feature was protected in the case that the attack came in through a method other than EternalBlue.

SonicWall Email Security

The best defense against modern malware attacks includes:

  • SonicWall next-generation firewalls with gateway anti-virus and intrusion prevention services
  • SonicWall Capture ATP, our multi-engine cloud sandbox that is designed to address the 1% of new attacks that have not been seen before
  • SonicWall’s Deep Learning Algorithm, which learns from over 1,000,000 sensors deployed around the globe, with the ability to push out real-time updates within minutes. Deep learning is helping us with the speed of detection and identification as well as the ability to create protection and push to the Capture Threat Network.
  • Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks.
  • SonicWall Email Security which uses malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65% of all ransomware attacks happen through phishing emails, so this also needs to be a major focus when giving security awareness training.
  • Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Apply the latest Windows patches provided by Microsoft, especially the MS17-0170 patch.
  • Block incoming requests to ports 135, 139, and 445 on your Windows firewall. Also disable SMBv1 on Windows machines.
  • Train your users to shut off their computer if they suspect a malware infection.
  • And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

Download Tech Brief

FacebookTwitterGoogle+LinkedIn
John Gordineer
Director, Product Marketing | SonicWall
John Gordineer is the director of product marketing for SonicWall products.  In this role, he is responsible for technical messaging, positioning, and evangelization of SonicWall network security, email security, and secure remote access solutions to customers, partners, the press and industry analysts.  John has more than 20 years of experience in product marketing, product management, product development and manufacturing engineering at Verilink and SonicWall.  John earned a bachelor’s degree in Industrial Engineering from Montana State University.

You might also like

Capturing the World’s Latest Malware so You Can Fear Less
Read more
Securing Email in the Age of Ransomware and Phishing Attacks
Read more
Evolution of Email Threats: The Rise of Ransomware, Spear Phishing and Whaling Attacks 
Read more
Why You Can Not Afford to Ignore SSL Inspection
Read more
Is Your K-12 Network Ready to Innovate More? Learn How SonicWall Blocks Ransomware and Encrypted Threats at ISTE 2017
Read more

1 comment

daver

Cyber-attacks become more and more dangerous. Petya caused serious damages for many companies in different countries. I hope that in future Microsoft will create some protect programs for PC. But we cannot forget about one interesting fact, that social media become a part of our life, and we need to think about our security on the internet, because our personal data are not much protected. About myself I can say that I use anonymizer in social media. Recently I had a problem I could not log in twitter because my port was closed. So I checked and found solution – I used check port check port service service, thanks for informative article.

Leave a reply

fifteen + 2 =