Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

How to Stop NotPetya and Similar Ransomware from Spreading in the Network

NotPetya, a recent malware, masquerading as the known Petya ransomware started wreaking havoc at a world scale last week. Initially, it looked like another wave in the malware storm that started with Shadow Brokers’ publication of EternalBlue and other zero-day vulnerabilities in Windows OS. And, in fact, NotPetya used EternalBlue as one of the lateral movement methods in its arsenal. But, apparently, the developers of NotPetya wanted to hit some high-value targets and the risk that these networks had already been fully patched would have ruined their attack.Stop NotPetya Ransomware

To overcome this hurdle, it seems that the developers of NotPetya ransomware used good-old hacking techniques and used a modified version of open-source Mimikatz tool to steal passwords and password hashes that are stored in machine’s memory and infect other machines in the network using PsExec with pass-the-hash and other credential theft techniques. As Avi Kama mentioned in his insightful blog, once an attacker is inside the network, he is likely to use stolen credentials and use Active Directory to infect other machines in the network. The fact that Mimikatz software and pass-the-hash have been around for some time should raise serious alerts – how come this type of attack is so successful? What should security professionals do to protect their network?

Here are 4 things security teams can do to prevent these type of attacks from hitting their networks:

  1. Basic Protection

    This has been discussed in great detail pretty much everywhere. Always make sure all your systems are patched with the most recent updates. In addition, you should probably use some sort of endpoint protection solution. Combining these two will probably be helpful thwarting 95% of the attack (those that are less targeted and sophisticated)

  2. Detection is not enough

    Some security products offer advanced threat detection. But sadly, detection alone is not enough in such cases. As mentioned in a previous blog, all it takes to cause serious harm to your network is a few minutes. By the time you see the alerts in your security analytics solution or SIEM, the NotPetyas of the world will have already scrambled all your data. To really stop such attacks you need a security product that integrates real-time response upon detection of suspicious activity.

  3. Pass-the-hash happens due to bad security practices

    Pass-the-hash and other credential theft techniques happen when high privilege user accounts aren’t secured properly. Some admins aren’t aware of where their credentials are circulating. If you’re an admin, the laptop that you helped install a printer on, the mobile phone you use to download emails, the machine that runs scripts with your user account – all of these are potential targets that could be used to steal your credentials. Microsoft issued a comprehensive manual on how to properly secure privileged accounts and stop pass-the-hash – I strongly suggest you read it. A User and Entity Behavior Analytics (UEBA) software solution can assist with analyzing the behavior and risk of each privileged account and find use-cases where best security practices aren’t applied at your organization and give you the opportunity to fix issues before it is too late.

  4. Protect your privileged accounts

    Privileged accounts require stronger protection. As previously mentioned, being able to respond in real-time to potential threats is critical. When privileged accounts are used in an anomalous manner, you want to be able to force a Multi-Factor Authentication (MFA) step in addition to the password verification. When the credentials are used in the usual manner, the user would be available to approve the activity. But in case of malware, moving laterally in the network, using stolen credentials, the MFA will not be answered and the attack would simply be blocked.

To learn how Preempt can help your organization have better visibility into privileged accounts and to implement real-time response to threats, you can watch this video.


Topics: Adaptive Response, Credential Compromise, Ransomware, ueba,

Posted by Yaron Zinar on July 5, 2017 2:06 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More