The cyberthreat intelligence (CTI) community has not yet agreed on attribution for the threat actor behind the NotPetya malware, but it is actively investigating. The apparent objective of NotPetya is to destroy infected computers, not necessarily to hold data ransom.

Hopefully, you have already invested in solid backups. But when it comes to further managing the risks associated with this ransomware, QRadar can help you right now.

Getting Started

First, install the QRadar NotPetya Content Pack and search for historical indicators. Then you can monitor in real time by watching for any NotPetya offenses. If you detect the malware, respond with the appropriate course of action.

QRadar already alerts you to ransomware. Your core security content is already watching for unnatural lateral movement. When a known vulnerability is exploited, QRadar notifies you. There are other points of detection in the QRadar taxonomy as well, and your system is already monitoring for them. The solution can consume indicators from any site that supports STIX and TAXII, and the QRadar Threat Intelligence App makes it easy to keep up to date.

Threat data available from the IBM X-Force Exchange is generated from several teams within IBM, including our Incident Response and Intelligence Services (IRIS) team, Managed Security Services (MSS) team and X-Force, our reverse engineering team. These groups worked together to keep the indicators up to date in the X-Force Exchange NotPetya collection.

Monitoring for NotPetya

The NotPetya Content Pack enables real-time monitoring for the malware. From the moment of installation, if NotPetya is found, QRadar will generate an Offense.

With the NotPetya content pack installed, click on the Network Activity tab in QRadar. Then, in the top left, click the Edit Search tab. Select the saved search called “Petya/NotPetya FLOWS last 24 hours” and select Load. Next, scroll down to the bottom and select Search. If you receive no results, that is a good thing: You do not have any systems containing NotPetya indicators. Repeat these steps for the other saved searches that start with the name NotPetya in the Network Activity and Log Activity tabs.

If you do see either results from the historical search or an Offense from real-time monitoring signifying that NotPetya was detected, you should try to get a view of the screen of that Windows host so that you can validate the alert. Do this for every host that appears to be infected.

A large, global organization might have to consult a third party to confirm a malware infection. You will likely not be able to remotely access the host. Once the infection is confirmed, execute your runbook for ransomware. Take the box offline so that it cannot infect other machines that connect to it.

Note that this variant does not actively scan for other Windows hosts, but waits for other hosts to connect inbound while doing standard Windows business. Business owners might complain that the box is too important to be taken down, which is why it has been running for so long, perhaps unpatched. Be prepared to discuss the cost of keeping this brittle software versus the benefit of removing the infection points. An infected NotPetya host is going to effectively be offline after the hard drive is encrypted anyway, and the opportunity cost of that downtime is likely to be more expensive than simple patches.

Managing the Risk

If possible, take a forensic image of the memory and hard drive, and share it with your endpoint forensics team for further analysis. Then, repartition the hard drive, format and reinstall. Patch your systems with the latest updates so that you are not vulnerable to the same exploit again. In addition to your systems, keep your indicators up to date. Be sure to configure QRadar to pull down the latest indicator updates.

Change any account passwords on this host — especially the local administrator password — because some NotPetya variants actively ran mimikatz and dumped passwords. Once your passwords are stolen, this variant tries to silently move laterally throughout your network and does not launch the EternalBlue exploit.

Restore any important data from backups. Verify that your firewalls are blocking server message block (SMB) traffic between your established zones to help contain lateral movement. Finally, inspect the other Windows boxes in that same zone for signs of infection.
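Two of the containment checks above (verifying that SMB does not cross zone boundaries, and finding the other boxes in the zone that talked to the infected host) can be run over exported flow records. The script below is an added example, not QRadar content or IBM code; the zone layout, the infected host address and the comma-separated flow format are all constructed assumptions.

```python
"""Triage constructed flow records for NotPetya-style SMB lateral movement.

Two checks drawn from the response steps above:
  1. cross-zone SMB flows (TCP 445/139) that a segmented firewall should block;
  2. hosts that opened SMB to a confirmed-infected host, which are the next
     candidates to inspect for infection.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Hypothetical zone layout (assumption); replace with your own segmentation.
ZONES = {
    "users":   ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "dmz":     ip_network("192.168.50.0/24"),
}
SMB_PORTS = {445, 139}

# Constructed sample flows in the form "src_ip,dst_ip,dst_port,proto".
SAMPLE_FLOWS = """\
10.10.4.21,10.20.1.5,445,tcp
10.20.1.7,10.20.1.5,445,tcp
10.10.4.22,10.20.1.5,139,tcp
10.10.4.21,10.20.1.9,443,tcp
192.168.50.3,10.20.1.5,445,udp
10.20.1.5,10.20.1.8,445,tcp
"""

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flows(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse the constructed flow format into (src, dst, dst_port, proto)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto = line.split(",")
            rows.append((src, dst, int(port), proto))
    return rows

def cross_zone_smb(flows) -> List[Tuple[str, str, int]]:
    """SMB-over-TCP flows whose endpoints sit in different zones."""
    return [(s, d, p) for s, d, p, proto in flows
            if proto == "tcp" and p in SMB_PORTS and zone_of(s) != zone_of(d)]

def inbound_smb_peers(flows, infected: str) -> List[str]:
    """Hosts that opened SMB to the infected box: inspect these next."""
    return sorted({s for s, d, p, proto in flows
                   if d == infected and proto == "tcp" and p in SMB_PORTS})
```

Any hit from `cross_zone_smb` means the zone firewall is not blocking SMB as intended; the peers list is the set of hosts to check before restoring service in that zone.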

Of course, there may be more NotPetya variants in the future. With the disclosure of so many vulnerabilities from nation-state actors, and the appearance of WannaCry and NotPetya, we’re not out of these booming thunderstorms quite yet.
