Beat Petya/NotPetya with QRadar® SIEM

Another month, another attack. No sooner had the world started to recover from notorious WannaCry cyberattack than another one, dubbed NotPetya, broke out.

Fortunately, IBM Security keeps their finger on the pulse, as they addressed the threat the same day it emerged. Promptly enough, isn’t it? On June 27, 2017, a new Petya ransomware content extension (v1.1) for IBM® Security QRadar® SIEM was released.

You may have noticed the discrepancy between the name of the attack and the name of the QRadar extension. Let’s dot the i’s and cross the t’s then.

Petya or NotPetya: that is the question

Initially, the blame for a new ransomware outbreak was put on Petya malware, because a lot in the new attack had already been experienced in 2016 Petya invasion: rebooting a victim’s computer, encrypting the hard drive’s master file table (MFT), encrypting the Master Boot Record (MBR) and finally presenting a CHKDSK screen followed by a ransom demand screen.

However, according to Kaspersky Lab, the new ransomware, which infected 2,000 organizations the least, is a different version of Petya (hence, the name is NotPetya). The recent ransomware also encompasses the capabilities of WannaCry. Particularly, it utilizes NSA APT ExternalBlue Exploit, which targets Windows Server Message Block (SMB) vulnerability. NotPetya appears to be more deleterious than its predecessors, as it renders the infected system unbootable. That means, even if victims pay the $300 worth ransom and get the decryption key, they won’t be able to use it, because their computers are disabled. Moreover, there is no kill switch that may allow security professionals to neuter the ransomware.

What makes matters worse, NotPetya is widely available on the darknet as ransomware-as-a-service, and that paves the way for further attacks even by non-tech adventurers.

Although Petya and Not Petya have differences in the way they work, the latter one belongs to Petya ransomware family, so a lot of SIEM services providers refer to both as Petya ransomware. Further in the text, we will use Petya for both Petya and NotPetya malware.

IBM® Security response

IBM® security’s counterstroke against Petya’s offspring was to put forward a new Petya ransomware content extension (v1.1) for QRadar, which gives early warnings about ransomware threats.

What’s new?

The QRadar extension boasts the following new features:

• Prepopulated IOCs (indicators of compromise) in four reference sets (Petya_FileName, Petya_FileHash, Petya_HostName, Petya_IP). Security analysts integrate IOC data in reference sets to detect suspicious behavior faster. For example, when the SIEM system receives a log featuring Petya’s filename, it triggers a custom rule that checks if the reference set Petya_FileName has such a name. If so, QRadar generates an offense.
• Petya related building blocks (BBs) are included (Petya Event File Hash, Petya Event File Name, Petya Event Host Name, Petya Flow Payload, Petya IP Found, Petya QNI File Hash, Petya QNI File Name, Petya QNI Host). BBs ensure that appropriate rules are triggered. For example, Petya QNI Host BB will guarantee that Petya associated hosts are covered by a particular QRadar rule.
• Custom flow rule based on Petya building blocks and reference sets have been added. It is used to detect highly suspicious activity on port 445 (provides SMB over TCP), high possibility of Ransomware, high possibility of Petya.
• Four saved searches added:
• Petya FLOWS last 24 hours in Network Activity
• Potential Ransomware (Suspicious activity, Possible Petya) in Network Activity
• Petya Event "Hostname" Last 24 Hours in Log Activity
• Petya Event "File Hash" Last 24 Hours in Log Activity

Actions recommended

To mitigate NotPetya ransomware outbreak, security administrators should follow these recommendations:

• Install third party software which calculates hash values of running processes (Sysinternals process explorer, Hash Generator, HashMyFiles, etc.). Such software monitors the integrity of files. Modified hash values in files are the sign of a malware attack.
• Install QFlow Collector (a component which collects a traffic flow) into QRadar solution or, if hosted remotely, connect it to the SIEM system. Receiving traffic flows, QFlow Collector captures the payload in which ransomware signature may be found.
• Download the Petya ransomware content pack from IBM X-Force Exchange and integrate it with QRadar.

These measures will help your QRadar SIEM system to detect and respond to the Petya attack quickly and efficiently.