Petya 2.0, PetWrap, NotPetya? Is This The New Normal in Cyber Security?

Updated July 6, 2017, 11:51 AM PT

When the latest massive global cyber attack first hit on June 27, the security community observed that the payload behavior closely matched Petya ransomware, which emerged back in 2016, so we initially called this a variant. However, SonicWall Capture Labs researchers confirmed that this is definitely not Petya ransomware. In fact, it masquerades as ransomware but there is no boot sector decryption capability, so in reality this is a wiper-like attack which is generally used as a cyber weapon for targeted system destruction. At this point, the malware is being referred to as NotPetya, ExPetr, Nyetya, PetWrap or GoldenEye.

Like WannaCry, this latest attack propagates using EternalBlue, one of the exploits that was leaked from the NSA back in April, which has led to comparisons between the two. The origins are still in dispute, but our position is that regardless of whether it is a cyber crime or a state sanctioned attack, the capacity to inflict not only financial but also brand and operational damage to organizations around the world is enormous.

What we see is that the cyber arms race continues to evolve. If I were to boil this down to its essence, cyber criminals are combining exploits and attacks in creative ways that are not necessarily brand new, but can be tweaked and combined in new ways to create very effective attacks. Like mixing cocktails, the ingredients are all well known, but the exact mix is completely new.

SonicWall Capture Labs confirmed in a SonicAlert issued on June 27 that customers had been protected from this cyber attack through both our intrusion prevention service as well as the SonicWall Capture network sandbox prior to the attack. Gateway AV signatures were also added after we analyzed the payload to detect and protect against the modified ransomware. Stay tuned for more updates from SonicWall as this situation unfolds.

What the attack looks like:

Information for SonicWall customers

SonicWall provides protection from this latest attack in a variety of ways for customers with both next-generation firewalls and email security solutions. Here is a breakdown of the protection details.

SonicWall Intrusion Prevention Service – prevents propagation of known malware

Existing protection against the NSA EternalBlue exploit of the SMB1 protocol, originally deployed to our firewalls in April 2017, continues to be effective at blocking the malware propagation.
No new signatures necessary.

SonicWall Gateway Anti-Virus Service blocks known malware at the gateway

We released new signatures to cover the modified payload on June 27. The following have been pushed to all firewalls.
- GAV: GoldenEye.A_5 (Trojan)
- GAV: WisdomEyes.A_2 (Trojan)
- GAV: GoldenEye.A_4 (Trojan)
- GAV: Petya.A_8 (Trojan)
- GAV: Petya.AA (Trojan)

SonicWall Capture ATP Network Sandbox Service

Detects unknown zero-day malware
Capture customers had protection at time zero since the multi-engine sandbox detected the modified Petya payload.
Any customers using our Block until Verdict feature was protected in the case that the attack came in through a method other than EternalBlue.

SonicWall Email Security

Onboard AV detected 10/13 variants of Petya at time zero.
Email Security with Capture ATP, per above, provided protection against the attack as well.

The best defense against modern malware attacks includes:

SonicWall next-generation firewalls with gateway anti-virus and intrusion prevention services
SonicWall Capture ATP, our multi-engine cloud sandbox that is designed to address the 1% of new attacks that have not been seen before
SonicWall’s Deep Learning Algorithm, which learns from over 1,000,000 sensors deployed around the globe, with the ability to push out real-time updates within minutes. Deep learning is helping us with the speed of detection and identification as well as the ability to create protection and push to the Capture Threat Network.
Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks.
SonicWall Email Security which uses malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65% of all ransomware attacks happen through phishing emails, so this also needs to be a major focus when giving security awareness training.
Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
Apply the latest Windows patches provided by Microsoft, especially the MS17-0170 patch.
Block incoming requests to ports 135, 139, and 445 on your Windows firewall. Also disable SMBv1 on Windows machines.
Train your users to shut off their computer if they suspect a malware infection.
And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

DOWNLOAD TECH BRIEF

John Gordineer

Director, Product Marketing | SonicWall

John Gordineer is the director of product marketing for SonicWall products. In this role, he is responsible for technical messaging, positioning, and evangelization of SonicWall network security, email security, and secure remote access solutions to customers, partners, the press and industry analysts. John has more than 20 years of experience in product marketing, product management, product development and manufacturing engineering at Verilink and SonicWall. John earned a bachelor’s degree in Industrial Engineering from Montana State University.