Join our EDU-210: Configuration and Cyberthreat Management training to learn more about how to protect your network effectively,
or let us know if we can help you.
Stage 1 - initial infection of the first device
In the first stage a device gets infected with malware. In the case of Petya, there is no proof yet of how the initial infection exactly happened. There are numerous possibilities, for instance a malicious Word document distributed in phishing e-mails, which is the classic threat vector for ransomware these days. However, based on what we have seen so far, with so many attacks happening at the same time, it is hard to believe that users in so many companies opened a malicious e-mail attachment and nobody has evidence of these e-mails. My personal theory is that the threat actor behind Petya simply bought access to devices which were already infected with malware and with this was able to check if the Microsoft patch was already deployed in its victims' networks. This wouldn't be unusual, as today's cybercrime is very well organised, with hackers specialising in specific tasks like infecting devices, deploying a remote access Trojan and then selling the access to others. What is clear in any case is that you have to protect your network from the initial infection. So let's explore the most common possibility.
Stage 2 - distribution of the malware inside the network
The real problem starts at stage two. Once the first device in your network is infected, or an already compromised machine connects to your network, it scans the entire network for devices which are vulnerable to the EternalBlue exploit (CVE-2017-0143 to CVE-2017-0148). Once it has found new victims, which is effectively every Windows machine not patched with MS17-010, it implants the DoublePulsar backdoor to install the Petya ransomware. This time the user on the new victim's machine doesn't have to do anything, which means the domino effect starts and the malware spreads everywhere, bringing your company's IT operation to a halt.
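The scanning behaviour described above is something a defender can look for in firewall or flow logs, independently of whether the exploit itself is blocked. As an added example (not code from the original post or from any Palo Alto Networks product), here is a small Python detector that runs over a constructed connection log and flags any source that reaches many distinct internal hosts on TCP/445 within a short window; the log format, window length and threshold are assumptions and should be tuned to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (timestamp src dst dst_port action); not a real capture.
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445 allow
2017-06-27T10:00:01 10.0.1.15 10.0.1.21 445 allow
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445 deny
2017-06-27T10:00:02 10.0.1.15 10.0.1.23 445 allow
2017-06-27T10:00:03 10.0.1.15 10.0.1.24 445 allow
2017-06-27T10:00:03 10.0.1.15 10.0.1.25 445 deny
2017-06-27T10:00:04 10.0.1.15 10.0.1.26 445 allow
2017-06-27T10:00:05 10.0.1.15 10.0.1.27 445 allow
2017-06-27T10:00:06 10.0.1.15 10.0.1.28 445 allow
2017-06-27T10:00:10 10.0.1.40 10.0.1.5 445 allow
2017-06-27T10:05:00 10.0.1.41 10.0.1.6 443 allow
"""

WINDOW = timedelta(seconds=60)   # sliding window length (assumed value)
THRESHOLD = 8                    # distinct SMB targets per source within WINDOW (assumed)

def parse(log_text):
    """Parse whitespace-separated log lines into (ts, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _action = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_smb_scanners(events, window=WINDOW, threshold=THRESHOLD):
    """Return {src: max distinct hosts reached on TCP/445 inside one window} for every
    source at or above threshold. Denied connections count as well: a worm probes
    blindly, so a firewall that blocks 445 still sees the sweep in its logs."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_smb_scanners(parse(SAMPLE_LOG)).items():
        print(f"possible SMB sweep from {src}: {n} distinct hosts on 445 within one window")
```

A single workstation legitimately talks to a handful of file servers, so a burst of new 445 destinations from one host is a strong signal worth isolating that host over.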
Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.