The Vault

A closer look at NotPetya actions after it infected one endpoint

There’s been a lot of talk about how NotPetya made it onto corporate networks in late June. There were two main vectors: attachments in phishing emails and an infected update from tax software made by a Ukrainian company. But how did the ransomware spread after it infected just one endpoint? It had two options: the “flat network” exploit and the “stolen NSA tech” path. The former seems to have been the one most frequently used.

The “Flat Network” Exploit

Far too many companies have flat network structures. An administrator on one endpoint can remotely control and access other endpoints. Admins have carte blanche, and can basically dive into any machine at the company. From a security perspective, this is a terrible setup. NotPetya took full advantage of it.

Landing on an admin’s endpoint was as easy for NotPetya as landing on any other endpoint. Once in, it used a modified version of open-source Mimikatz to sniff out admin credentials on the machine’s running memory and then used PsExec and WMIC to infect the endpoint. After that, it could scan subnets for other devices or, if it was 

on a domain controller, the DHCP service to identify hosts. It jumped to other endpoints until the entire network was done for.

The “Stolen NSA tech” Method

NotPetya could infect additional endpoints on a network if they weren’t sporting the latest Windows security updates. It used the NSA’s stolen and leaked EternalBlue (also used by WannaCry) and EternalRomance SMB exploits to inject malicious code into other machines.

If you’re wondering how to prepare for future ransomware attacks, we’ve got a few pointers:

• Patch your computers to stop Server Message Block (SMB) exploits.
• Disable SMBv1 on every endpoint
• If you’re not using a network overlay platform like Vaultize, block outside access to SMB-associated ports 137, 138, 139 and 445 to prevent unwanted traffic through your firewall.
• Ensure Windows 10's Credentials Guard is working properly on all endpoints
• Create a read-only file C:\Windows\perfc.dat, which can thwart key functions of NotPetya and other ransomware versions.
• Unless it’s critical, don’t immediately download and install updates to widely-used programs that might have domain admin access or on endpoints with domain admin access. Wait to see users at other companies report issues.
• Carefully examine your network structure. Is it “flat”? Do network administrators have carte blanche, and can they access and control other endpoints from theirs? If so, change your structure so if their machine is infected, ransomware can’t sniff out credentials and spread.

No matter how careful you are, it’s very unlikely that you’ll never be a victim of ransomware. There are so many attack vectors criminals can use to get in, and they’re always finding new, sneaky ways to infect endpoints. What you really need is a solid ransomware recovery plan.

The simplest and quickest way to recover from ransomware is endpoint backup and restore.

With Vaultize’s endpoint backup and restore features, you’ll be able to frequently back up data on endpoints to a safe, off-network location. You’ll also be able to encrypt your “crown jewels” and wrap them in DRM. Furthermore, your entire staff can regularly upload new file versions to secure, cloud-based vaults with collaboration tools. If endpoints need to be temporarily or permanently shut down after a ransomware attack, you won’t lose productivity because users can still access current file versions via a web/cloud-based client.