Anatomy of an attack

The latest ransomware, a variant of the Petya family which was first discovered in 2016, struck corporate networks across the globe yesterday. Some of the casualties of Petya, which was reported to have originated in Ukraine through tainted accounting software, include the world’s largest advertising agency WPP, Danish shipping major Maersk and Russian oil firm Rosneft.

There are many similarities between Petya, which some researchers call “NotPetya” or “GoldenEye”, and the WannaCry ransomware that broke out in May. Like WannaCry, Petya leverages the EternalBlue exploit, which abuses Microsoft’s SMB file-sharing protocol to spread from one machine to the next across the network.

“Once a vulnerable device has been targeted, Petya appears to impair the Master Boot Record (MBR) during the infection cycle. It then provides the user with a ransom note stating, ‘Your files are no longer accessible because they have been encrypted,’ and demanding approximately $300 ransom in the Bitcoin digital currency. It then specifies that shutting down the computer will result in the complete loss of the system,” says Kalle Bjorn, Fortinet’s director of system engineering, explaining how this new malware works.

Security researchers at Trend Micro have found that this Petya variant uses a more advanced method to harvest credentials from the infected system. It makes use of a customised Mimikatz—a legitimate security tool—to extract usernames and passwords from memory. The 32-bit and 64-bit Mimikatz executables are stored encrypted in the resource section of the ransomware. The harvesting routine runs when the main malware process opens a named pipe; the custom Mimikatz writes its results to that pipe, and the main malware process reads them back for use in spreading to other machines.


Previous ransomware outbreaks could largely be prevented with proper patching and backups; Petya is said to be far more advanced than its predecessors. “It has advanced capabilities to gain access to systems, and methods of harvesting passwords from memory and infecting even patched systems,” says Eric Eifert, senior VP of managed security services at DarkMatter.

So far, no infections have been reported in the GCC, but it could be just a matter of time. “Based on my experience, most of the customers in the GCC lack a fully integrated view of their cyber security frameworks. Most of these organisations are focused on having silos of solutions in place, which will never work, and are susceptible to ransomware attacks such as Petya,” says Jude Pereira, MD of Nangjel Solutions.

Eifert from DarkMatter echoes a similar opinion: “We have diverse IT systems in the region going through various stages of maturity, and the likelihood of infections is high.”

What should you do to protect against such attacks? Security experts from Group IB have the following tips:

  • Take technical steps to prevent Mimikatz and other privilege escalation techniques in Windows.
  • Install patch KB2871997.
  • Make sure that the passwords of local admin accounts on workstations differ.
  • Change all passwords of domain privileged users and domain admins.
  • Unless you have patched all PCs in your corporate network, don’t allow your employees to connect their laptops to the corporate LAN.
  • Consider disabling SMBv1 in your network.


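The following PowerShell script is an added example, not part of the article or of Group IB’s advice, that turns the host-level items in that list into a read-only audit of a single Windows machine: whether SMBv1 is still enabled on the server side, whether KB2871997 is present (or built in, on Windows 8.1 / Server 2012 R2 and later), and whether the WDigest `UseLogonCredential` registry value has been set to 1, which re-enables the cleartext credential caching in LSASS that KB2871997 was released to stop. The function names are the example’s own; the cmdlets and the registry path are standard Windows ones. The per-workstation local admin password item cannot be checked from one host and is only noted in a comment.

```powershell
# Added example (not from the article): read-only hardening audit for one Windows host.
# Assumes Windows 8 / Server 2012 or later with the SmbShare module; run from an
# elevated PowerShell session. Nothing in this script changes the system.

function Test-Smb1ServerEnabled {
    # SMBv1 is the protocol version EternalBlue abuses; the SMB server setting
    # is what a remote peer actually reaches.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Kb2871997Present {
    # KB2871997 back-ports credential-protection changes to Windows 7 / 2008 R2 / 8 / 2012.
    # On Windows 8.1 / 2012 R2 and later the changes ship in the OS, so the hotfix
    # will not appear in Get-HotFix and is reported as present.
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion -ge [version]'6.3') { return $true }
    $hotfix = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Test-WDigestCleartextEnabled {
    # UseLogonCredential = 1 makes WDigest keep cleartext passwords in LSASS memory,
    # which is the material a Mimikatz-style dump harvests. Absent or 0 is the safe state.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $item = Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.UseLogonCredential -eq 1)
}

function Get-PetyaHardeningReport {
    # Collects the three host-level checks into one object so the result can be
    # gathered centrally (e.g. via Invoke-Command across a fleet).
    # Note: "local admin passwords differ per workstation" is a fleet-wide property;
    # Microsoft LAPS is the usual way to enforce it and is not checkable from one host.
    $smb1      = Test-Smb1ServerEnabled
    $kb        = Test-Kb2871997Present
    $wdigest   = Test-WDigestCleartextEnabled

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $smb1
        Kb2871997Present      = $kb
        WDigestCleartextOn    = $wdigest
        # Host is considered hardened only when SMBv1 is off, the fix is present,
        # and cleartext caching has not been re-enabled.
        Hardened              = (-not $smb1) -and $kb -and (-not $wdigest)
    }
}

# Usage: print the report for this machine.
Get-PetyaHardeningReport | Format-List
```

Remediation is deliberately left out of the script so it can be run safely during an incident; the corresponding changes are `Set-SmbServerConfiguration -EnableSMB1Protocol $false` for the first finding, installing the hotfix for the second, and setting `UseLogonCredential` back to 0 (followed by a reboot) for the third.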