After Wannacry, Petya. And a key innovation.

After the Wannacry ransomware attack last month, a new ransomware attack is underway that goes by the name Petya (or NotPetya, depending on vendor).

Key enablers for the success of this attack across hundreds of organizations worldwide:

  • once executed on a single machine within a Windows network, automatic propagation via Windows network (SMB protocol) using WMI or Psexec tools. For ex., if the ransomware is run on a computer by a domain admin, it has the potential to spread practically unhindered over the LAN network (port 445) until it brings down all computers in a Windows domain environment. This is a real innovation compared to Wannacry, as Petya relies on authorized remote execution, not only on security exploits (i.e. bypassing authorization).
  • Of course, as with Wannacry, to increase effectiveness this attack also uses the exploit for Microsoft vulnerability MS17-010, which allows automatic code execution without user interaction (so-called wormable exploit), again using SMB port 445.
  • Early reports (not entirely confirmed yet) point to a supply chain attack, where initial infections were enabled via delivery of a regular upgrade for a financial software made by the Ukrainian company – M.E.Doc. Apparently, this software upgrade was made available by the company to all its customers.

Notice how the SMB protocol (port 445) is again the crucial facilitator which makes this attack so successful. The Windows computer management model based on SMB transport is the industry standard since Windows NT (a long time). In fact, Windows domain networks with Group policy management all rely heavily on the direct availability of managed computers via TCP port 445, running the SMB protocol.

In light of these ransomware attacks, perhaps it’s time to consider alternative ways of managing endpoints or at least stop relying on incoming SMB protocol availability on endpoint computers?