The cyberthreat intelligence (CTI) community has not yet agreed on attribution for the threat actor behind the NotPetya malware, but it is actively investigating. The apparent objective of NotPetya is to destroy infected computers, not necessarily to hold data ransom.

Hopefully, you have already invested in solid backups. But when it comes to further managing the risks associated with this ransomware, QRadar can help you right now.

Getting Started

First, install the QRadar NotPetya Content Pack and search for historical indicators. Then you can monitor in real time by watching for any NotPetya offenses. If you detect the malware, respond with the appropriate course of action.

QRadar already alerts you to ransomware. Your core security content is already watching for unnatural, lateral movement. When a known vulnerability is exploited, QRadar notifies you. There are other points of detection in the QRadar taxonomy as well, and your system is already monitoring for them. The solution can consume indicators from any site that supports STIX and TAXII, and the QRadar Threat Intelligence App makes it easy to keep up to date.

Threat data available from the IBM X-Force Exchange is generated from several teams within IBM, including our Incident Response and Intelligence Services (IRIS) team, Managed Security Services (MSS) team and X-Force, our reverse engineering team. These groups worked together to keep the indicators up to date in the X-Force Exchange NotPetya collection.

Monitoring for NotPetya

The NotPetya Content Pack enables real-time monitoring for the malware. From the moment of installation, if NotPetya is found, QRadar will generate an Offense.

With the NotPetya content pack installed, click on the Network Activity tab in QRadar. Then, in the top left, click the Edit Search tab. Select the saved search called “Petya/NotPetya FLOWS last 24 hours” and select Load. Next, scroll down to the bottom and select Search. If you receive no results, that is a good thing: You do not have any systems containing NotPetya indicators. Repeat these steps for the other saved searches that start with the name NotPetya in the Network Activity and Log Activity tabs.

If you do see either results from the historical search or an Offense from real-time monitoring signifying that NotPetya was detected, you should try to get a view of the screen of that Windows host so that you can validate the alert. Do this for every host that appears to be infected.

A large, global organization might have to consult a third party to confirm a malware infection. You will likely not be able to remotely access the host. Once the infection is confirmed, execute your runbook for ransomware. Take the box offline so that it cannot infect other machines that connect to it.

Note that this variant does not actively scan for other Windows hosts, but waits for other hosts to connect inbound while doing standard Windows business. Business owners might complain that the box is too important to be taken down, which is why it has been running for so long, perhaps unpatched. Be prepared to discuss the cost of keeping this brittle software versus the benefit of removing the infection points. An infected NotPetya host is going to effectively be offline after the hard drive is encrypted anyway, and the opportunity cost of that downtime is likely to be more expensive than simple patches.

Managing the Risk

If possible, take a forensic image of the memory and hard drive, and share it with your endpoint forensics team for further analysis. Then, repartition the hard drive, format and reinstall. Patch your systems with the latest updates so that you are not vulnerable to the same exploit again. In addition to your systems, keep your indicators up to date. Be sure to configure QRadar to pull down the latest indicator updates.

Change any account passwords on this host — especially the local administrator password — because some NotPetya variants actively ran mimikatz and dumped passwords. Once your passwords are stolen, this variant tries to silently move laterally throughout your network and does not launch the EternalBlue exploit.

Restore any important data from backups. Verify that your firewalls are blocking server message block (SMB) traffic between your established zones to help contain lateral movement. Finally, inspect the other Windows boxes in that same zone for signs of infection.

Of course, there may be more NotPetya variants in the future. With the disclosure of so many vulnerabilities from nation-state actors, and the appearance of WannaCry and NotPetya, we’re not out of these booming thunderstorms quite yet.

Fighting Petya at Ground Zero: An Interview with Dmytro Kyselyov of IBM Ukraine

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today