The cyberthreat intelligence (CTI) community has not yet agreed on attribution for the threat actor behind the NotPetya malware, but it is actively investigating. The apparent objective of NotPetya is to destroy infected computers, not necessarily to hold data ransom.

Hopefully, you have already invested in solid backups. But when it comes to further managing the risks associated with this ransomware, QRadar can help you right now.

Getting Started

First, install the QRadar NotPetya Content Pack and search for historical indicators. Then you can monitor in real time by watching for any NotPetya offenses. If you detect the malware, respond with the appropriate course of action.

QRadar already alerts you to ransomware. Your core security content is already watching for unnatural lateral movement, and QRadar notifies you when a known vulnerability is exploited. There are other points of detection in the QRadar taxonomy as well, and your system is already monitoring for them. The solution can consume indicators from any site that supports STIX and TAXII, and the QRadar Threat Intelligence App makes it easy to keep up to date.

Threat data available from the IBM X-Force Exchange is generated from several teams within IBM, including our Incident Response and Intelligence Services (IRIS) team, Managed Security Services (MSS) team and X-Force, our reverse engineering team. These groups worked together to keep the indicators up to date in the X-Force Exchange NotPetya collection.

Monitoring for NotPetya

The NotPetya Content Pack enables real-time monitoring for the malware. From the moment of installation, if NotPetya is found, QRadar will generate an Offense.

With the NotPetya content pack installed, click on the Network Activity tab in QRadar. Then, in the top left, click the Edit Search tab. Select the saved search called “Petya/NotPetya FLOWS last 24 hours” and select Load. Next, scroll down to the bottom and select Search. If you receive no results, that is a good thing: You do not have any systems containing NotPetya indicators. Repeat these steps for the other saved searches that start with the name NotPetya in the Network Activity and Log Activity tabs.

If you see either results from the historical search or an Offense from real-time monitoring signifying that NotPetya was detected, try to get a view of the screen of that Windows host so that you can validate the alert. Do this for every host that appears to be infected.

A large, global organization might have to consult a third party to confirm a malware infection. You will likely not be able to remotely access the host. Once the infection is confirmed, execute your runbook for ransomware. Take the box offline so that it cannot infect other machines that connect to it.

Note that this variant does not actively scan for other Windows hosts, but waits for other hosts to connect inbound while doing standard Windows business. Business owners might complain that the box is too important to be taken down, which is why it has been running for so long, perhaps unpatched. Be prepared to discuss the cost of keeping this brittle software versus the benefit of removing the infection points. An infected NotPetya host is going to effectively be offline after the hard drive is encrypted anyway, and the opportunity cost of that downtime is likely to be more expensive than simple patches.

Managing the Risk

If possible, take a forensic image of the memory and hard drive, and share it with your endpoint forensics team for further analysis. Then, repartition the hard drive, format and reinstall. Patch your systems with the latest updates so that you are not vulnerable to the same exploit again. In addition to your systems, keep your indicators up to date. Be sure to configure QRadar to pull down the latest indicator updates.

Change any account passwords on this host — especially the local administrator password — because some NotPetya variants actively ran mimikatz and dumped passwords. Once your passwords are stolen, this variant tries to silently move laterally throughout your network and does not launch the EternalBlue exploit.

Restore any important data from backups. Verify that your firewalls are blocking server message block (SMB) traffic between your established zones to help contain lateral movement. Finally, inspect the other Windows boxes in that same zone for signs of infection.
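
One way to check the SMB containment point above against exported flow or firewall records is sketched below. This is an added example, not part of the QRadar content pack or IBM's code; the zone names, CIDR ranges and flow records are constructed for illustration, and the record layout is an assumption.

```python
import ipaddress

# Constructed zone map (assumption): zone name -> CIDR range.
ZONES = {
    "workstations": "10.10.0.0/16",
    "servers": "10.20.0.0/16",
    "ot": "10.30.0.0/16",
}
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed flow records: (src, dst, dst_port, proto, firewall action).
FLOWS = [
    ("10.10.4.7", "10.20.1.15", 445, "tcp", "allow"),
    ("10.10.4.7", "10.10.9.2", 445, "tcp", "allow"),    # same zone
    ("10.20.1.15", "10.30.0.8", 139, "tcp", "deny"),    # blocked as intended
    ("10.10.4.7", "10.20.1.15", 443, "tcp", "allow"),   # not SMB
    ("10.30.0.8", "10.20.1.15", 445, "tcp", "allow"),
    ("192.0.2.10", "10.20.1.15", 445, "tcp", "allow"),  # source in no zone
]

_NETS = [(name, ipaddress.ip_network(cidr)) for name, cidr in ZONES.items()]

def zone_of(ip):
    """Return the zone containing ip, or 'unzoned' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return "unzoned"

def cross_zone_smb(flows):
    """List allowed TCP SMB flows whose source and destination zones differ."""
    findings = []
    for src, dst, port, proto, action in flows:
        if proto != "tcp" or port not in SMB_PORTS or action != "allow":
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone:
            findings.append((src_zone, dst_zone, src, dst, port))
    return findings

def summarize(findings):
    """Count findings per (source zone, destination zone) pair."""
    counts = {}
    for src_zone, dst_zone, *_ in findings:
        counts[(src_zone, dst_zone)] = counts.get((src_zone, dst_zone), 0) + 1
    return counts

if __name__ == "__main__":
    for f in cross_zone_smb(FLOWS):
        print("allowed cross-zone SMB: %s -> %s (%s -> %s:%d)" % f)
```

Each finding is a zone pair where the firewall policy still lets SMB through, so those are the rules to review first.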

Of course, there may be more NotPetya variants in the future. With the disclosure of so many vulnerabilities from nation-state actors, and the appearance of WannaCry and NotPetya, we’re not out of these booming thunderstorms quite yet.
