The cyberthreat intelligence (CTI) community has not yet agreed on attribution for the threat actor behind the NotPetya malware, but it is actively investigating. The apparent objective of NotPetya is to destroy infected computers, not necessarily to hold data ransom.

Hopefully, you have already invested in solid backups. But when it comes to further managing the risks associated with this ransomware, QRadar can help you right now.

Getting Started

First, install the QRadar NotPetya Content Pack and search for historical indicators. Then you can monitor in real time by watching for any NotPetya offenses. If you detect the malware, respond with the appropriate course of action.

QRadar already alerts you to ransomware. Your core security content is already watching for unnatural, lateral movement. When a known vulnerability is exploited, QRadar notifies you. There are other points of detection in the QRadar taxonomy as well, and your system is already monitoring for them. The solution can consume indicators from any site that supports STIX and TAXII, and the QRadar Threat Intelligence App makes it easy to keep up to date.

Threat data available from the IBM X-Force Exchange is generated from several teams within IBM, including our Incident Response and Intelligence Services (IRIS) team, Managed Security Services (MSS) team and X-Force, our reverse engineering team. These groups worked together to keep the indicators up to date in the X-Force Exchange NotPetya collection.

Monitoring for NotPetya

The NotPetya Content Pack enables real-time monitoring for the malware. From the moment of installation, if NotPetya is found, QRadar will generate an Offense.

With the NotPetya content pack installed, click on the Network Activity tab in QRadar. Then, in the top left, click the Edit Search tab. Select the saved search called “Petya/NotPetya FLOWS last 24 hours” and select Load. Next, scroll down to the bottom and select Search. If you receive no results, that is a good thing: You do not have any systems containing NotPetya indicators. Repeat these steps for the other saved searches that start with the name NotPetya in the Network Activity and Log Activity tabs.

If you do see either results from the historical search or an Offense from real-time monitoring signifying that NotPetya was detected, you should try to get a view of the screen of that Windows host so that you can validate the alert. Do this for every host that appears to be infected.

A large, global organization might have to consult a third party to confirm a malware infection. You will likely not be able to remotely access the host. Once the infection is confirmed, execute your runbook for ransomware. Take the box offline so that it cannot infect other machines that connect to it.

Note that this variant does not actively scan for other Windows hosts, but waits for other hosts to connect inbound while doing standard Windows business. Business owners might complain that the box is too important to be taken down, which is why it has been running for so long, perhaps unpatched. Be prepared to discuss the cost of keeping this brittle software versus the benefit of removing the infection points. An infected NotPetya host is going to effectively be offline after the hard drive is encrypted anyway, and the opportunity cost of that downtime is likely to be more expensive than simple patches.

Managing the Risk

If possible, take a forensic image of the memory and hard drive, and share it with your endpoint forensics team for further analysis. Then, repartition the hard drive, format and reinstall. Patch your systems with the latest updates so that you are not vulnerable to the same exploit again. In addition to your systems, keep your indicators up to date. Be sure to configure QRadar to pull down the latest indicator updates.

Change any account passwords on this host — especially the local administrator password — because some NotPetya variants actively ran mimikatz and dumped passwords. Once your passwords are stolen, this variant tries to silently move laterally throughout your network and does not launch the EternalBlue exploit.

Restore any important data from backups. Verify that your firewalls are blocking server message block (SMB) traffic between your established zones to help contain lateral movement. Finally, inspect the other Windows boxes in that same zone for signs of infection.

Of course, there may be more NotPetya variants in the future. With the disclosure of so many vulnerabilities from nation-state actors, and the appearance of WannaCry and NotPetya, we’re not out of these booming thunderstorms quite yet.

Fighting Petya at Ground Zero: An Interview with Dmytro Kyselyov of IBM Ukraine

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…