Light Dark
July 19, 2017 By Peter Szczepankiewicz 3 min read
Intelligence & Analytics

The cyberthreat intelligence (CTI) community has not yet agreed on attribution for the threat actor behind the NotPetya malware, but it is actively investigating. The apparent objective of NotPetya is to destroy infected computers, not necessarily to hold data ransom.

Hopefully, you have already invested in solid backups. But when it comes to further managing the risks associated with this ransomware, QRadar can help you right now.

Getting Started

First, install the QRadar NotPetya Content Pack and search for historical indicators. Then you can monitor in real time by watching for any NotPetya offenses. If you detect the malware, respond with the appropriate course of action.

QRadar already alerts you to ransomware. Your core security content is already watching for unnatural, lateral movement. When a known vulnerability is exploited, QRadar notifies you. There are other points of detection in the QRadar taxonomy as well, and your system is already monitoring for them. The solution can consume indicators from any site that supports STIX and TAXII, and the QRadar Threat Intelligence App makes it easy to keep up to date.

Threat data available from the IBM X-Force Exchange is generated from several teams within IBM, including our Incident Response and Intelligence Services (IRIS) team, Managed Security Services (MSS) team and X-Force, our reverse engineering team. These groups worked together to keep the indicators up to date in the X-Force Exchange NotPetya collection.

Monitoring for NotPetya

The NotPetya Content Pack enables real-time monitoring for the malware. From the moment of installation, if NotPetya is found, QRadar will generate an Offense.

With the NotPetya content pack installed, click on the Network Activity tab in QRadar. Then, in the top left, click the Edit Search tab. Select the saved search called “Petya/NotPetya FLOWS last 24 hours” and select Load. Next, scroll down to the bottom and select Search. If you receive no results, that is a good thing: You do not have any systems containing NotPetya indicators. Repeat these steps for the other saved searches that start with the name NotPetya in the Network Activity and Log Activity tabs.

If you do see either results from the historical search or an Offense from real-time monitoring signifying that NotPetya was detected, you should try to get a view of the screen of that Windows host so that you can validate the alert. Do this for every host that appears to be infected.

A large, global organization might have to consult a third party to confirm a malware infection. You will likely not be able to remotely access the host. Once the infection is confirmed, execute your runbook for ransomware. Take the box offline so that it cannot infect other machines that connect to it.

Note that this variant does not actively scan for other Windows hosts, but waits for other hosts to connect inbound while doing standard Windows business. Business owners might complain that the box is too important to be taken down, which is why it has been running for so long, perhaps unpatched. Be prepared to discuss the cost of keeping this brittle software versus the benefit of removing the infection points. An infected NotPetya host is going to effectively be offline after the hard drive is encrypted anyway, and the opportunity cost of that downtime is likely to be more expensive than simple patches.

Managing the Risk

If possible, take a forensic image of the memory and hard drive, and share it with your endpoint forensics team for further analysis. Then, repartition the hard drive, format and reinstall. Patch your systems with the latest updates so that you are not vulnerable to the same exploit again. In addition to your systems, keep your indicators up to date. Be sure to configure QRadar to pull down the latest indicator updates.

Change any account passwords on this host — especially the local administrator password — because some NotPetya variants actively ran mimikatz and dumped passwords. Once your passwords are stolen, this variant tries to silently move laterally throughout your network and does not launch the EternalBlue exploit.

Restore any important data from backups. Verify that your firewalls are blocking server message block (SMB) traffic between your established zones to help contain lateral movement. Finally, inspect the other Windows boxes in that same zone for signs of infection.

Of course, there may be more NotPetya variants in the future. With the disclosure of so many vulnerabilities from nation-state actors, and the appearance of WannaCry and NotPetya, we’re not out of these booming thunderstorms quite yet.

Fighting Petya at Ground Zero: An Interview with Dmytro Kyselyov of IBM Ukraine

 |  |  |  |  |  |  | 
Peter Szczepankiewicz
Offering Manager, IBM

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature