Digital Resilience Helps Mitigate or Prevent the ExPetr/NotPetya/GoldenEye Malware

What is it?

The most recent malware campaign hitting Ukraine and the rest of the world is a wiper-style malware packaged with several propagation mechanisms, including the same weaponized Windows SMBv1 exploit used by WannaCry. What was initially thought to be a variant of the 2016 Petya ransomware has now been shown to be a professionally developed cyber-attack masquerading as run-of-the-mill ransomware gone wild. In fact, security researchers have demonstrated that, despite demanding a ransom payment, the payload irreversibly wipes the hard drives of infected systems, with no way to decrypt them even if a ransom is paid to the specified wallet.

Purpose & Impact

The motivation behind the attack appears to be one of destruction and disruption. Indeed, it has had a devastating impact on enterprises’ operations worldwide, as it is designed to spread rapidly throughout corporate networks, irreversibly wiping hard drives in its wake. The initial infection is believed to have targeted Ukrainian businesses and government, wreaking havoc in the country’s financial, manufacturing, and transportation industries. Even Chernobyl radiation monitoring systems were impacted, forcing technicians to switch to manual monitoring of radiation levels. ExPetr quickly spread worldwide to thousands of computers in dozens of countries, with significant disruption to major enterprises across industries as varied as shipping, pharmaceuticals, and law. Over 50% of the companies attacked worldwide are in the industrial manufacturing or oil & gas sectors.

How it Spreads

Researchers have identified several distinct mechanisms used by the ExPetr malware to penetrate enterprises’ perimeter defenses for an initial infection, as well as to move laterally after a successful compromise. The malware’s lifecycle is split into three distinct phases: 1) initial infection, 2) lateral movement, and finally 3) wiping the compromised system. The initial infection is believed to have spread through a malicious payload delivered via a hijacked auto-update mechanism of accounting software used by businesses in Ukraine. ExPetr has also been observed achieving initial infection through phishing and watering hole attacks. Next, once inside, the malware uses an array of techniques to self-propagate and move laterally. Critically, ExPetr attempts to infect all accessible systems by exploiting the same Windows SMBv1 vulnerability as last month’s WannaCry attack, over TCP ports 445 and 139. The malware is also able to spread laterally by deploying credential-stealing packages in search of valid admin and domain credentials. It leverages any stolen credentials to copy itself using normal Windows file transfer functionality (over TCP ports 445 and 139) and then remotely executes the copied file using the standard administrative tools PsExec or WMIC.
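As an added illustration (not part of the original page), the following Python detection logic runs over constructed connection records and flags a host that fans out to many distinct internal peers on TCP 445/139 within a short window, which is the lateral-movement pattern just described regardless of whether the exploit or stolen credentials are used; the record format, host addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records (not from the original page), one per
# line: "timestamp src dst dport". Host 10.1.1.5 shows worm-like fan-out.
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.1.1.5 10.1.1.20 445
2017-06-27T10:00:02 10.1.1.5 10.1.1.21 445
2017-06-27T10:00:02 10.1.1.5 10.1.1.22 139
2017-06-27T10:00:03 10.1.1.5 10.1.1.23 445
2017-06-27T10:00:03 10.1.1.5 10.1.1.24 445
2017-06-27T10:00:04 10.1.1.5 10.1.1.25 445
2017-06-27T10:00:10 10.1.1.9 10.1.1.50 445
2017-06-27T10:01:00 10.1.1.9 10.1.1.51 443
2017-06-27T11:30:00 10.1.1.9 10.1.1.52 445
"""
SMB_PORTS = {445, 139}

def parse_flows(text):
    """Parse the constructed record format into (time, src, dst, dport)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def smb_fanout_hosts(flows, min_peers=5, window=timedelta(minutes=5)):
    """Return {src: peak distinct SMB peers} for hosts that contacted at least
    min_peers distinct destinations on TCP 445/139 within any sliding window.
    A single host fanning out over SMB this fast is the lateral-movement
    pattern described above, whichever exploit or credential it uses."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= min_peers:
                suspects[src] = max(len(peers), suspects.get(src, 0))
    return suspects
```

Tune `min_peers` and `window` against a baseline of your own file servers and management hosts before alerting on the result.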


Figure 1: Visualizing all accessible areas of the network from a compromised system.


How Digital Resilience Helps

Because one of the primary ways the ExPetr malware spreads is through the same Windows SMBv1 vulnerability addressed by Microsoft’s MS17-010 patch in March 2017, the same prevention and mitigation techniques described in depth in RedSeal’s WannaCry response are effective. To review:

  1. Assess and limit exposure by using an access query to discover any assets accessible through TCP ports 445 or 139 from untrusted networks like the Internet or a 3rd party.
  2. Identify vulnerable hosts and prioritize remediation efforts based on risk to the enterprise by importing vulnerability scanner findings and sorting based on risk score.
  3. Isolate critical assets and contain high risk or compromised systems by discovering and eliminating unnecessary access to or from sensitive areas of the network.
  4. Continuously monitor compliance with network segmentation policies by analyzing the relevant rules in RedSeal’s Zones & Policy.
  5. Accelerate incident response by reactively or proactively discovering the blast radius from a compromised system, understanding which assets are network-accessible and deploying the relevant mitigating controls.


Figure 2: Results of an access query revealing what access exists from all subnets leading to the critical assets over TCP 139 or 445.


While applying the MS17-010 patch to vulnerable systems, following a risk-based prioritization of vulnerable hosts, is necessary, it is not sufficient to mitigate or prevent infection. ExPetr moves laterally through normal file-transfer and administrative capabilities using stolen credentials. It is therefore important to also reduce the attack surface of production and other mission-critical assets through sensible network segmentation, paying close attention to access over ports 445 and 139. RedSeal users can accomplish this by running an access query to determine what can reach critical systems through the implicated ports. Next, access that is unnecessary or out of compliance can be cut off by examining the detailed path to see every network device touched along the way and determining the optimal placement of a network countermeasure, such as a firewall rule, to eliminate the unnecessary access.
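The access query, countermeasure placement and segmentation check from the steps above, as an added Python example that is not RedSeal’s code: a constructed zone-to-zone firewall policy is searched for any path on which TCP 445 or 139 is permitted at every hop from an untrusted zone to the critical zone, the hop shared by the most exposed paths is suggested as the place for a single deny rule, and the segmentation policy is re-checked afterwards; the zone names, rules and data format are assumptions.

```python
from collections import Counter, deque
# Constructed zone-to-zone policy model (hypothetical; not RedSeal's data format).
# Each rule: (from_zone, to_zone, TCP ports the firewall between them permits).
RULES = [
    ("internet", "dmz", {80, 443}),
    ("partner", "dmz", {443, 445}),    # 3rd-party link that also allows SMB
    ("dmz", "app", {8443, 445, 139}),
    ("app", "critical", {1433, 445}),
    ("corp", "app", {8443}),
    ("corp", "critical", {445, 139}),
]
SMB_PORTS = {445, 139}
UNTRUSTED = ["internet", "partner", "dmz"]
def smb_adjacency(rules):
    """Zones reachable in one hop where at least one SMB port is permitted."""
    adj = {}
    for src, dst, allowed in rules:
        if allowed & SMB_PORTS:
            adj.setdefault(src, []).append(dst)
    return adj

def smb_path(rules, source, target):
    """Shortest zone path over which TCP 445/139 is permitted at every hop
    (a simplified access query); None when no such path exists."""
    adj = smb_adjacency(rules)
    queue, seen = deque([[source]]), {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposure_report(rules, target, untrusted=UNTRUSTED):
    """Untrusted zones that can reach `target` over SMB, with their path."""
    return {z: p for z in untrusted if (p := smb_path(rules, z, target))}

def choke_point(report):
    """The hop shared by the most exposed paths: the single firewall where a
    deny for 445/139 removes the most unnecessary access at once."""
    hops = Counter(h for path in report.values() for h in zip(path, path[1:]))
    return hops.most_common(1)[0][0] if hops else None

def policy_compliant(rules, target, untrusted=UNTRUSTED):
    """Segmentation policy check: no untrusted zone may reach target on SMB."""
    return not exposure_report(rules, target, untrusted)
```

Re-run `policy_compliant` after every firewall change to keep the check continuous rather than a one-off assessment.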


Figure 3: Detailed path from the DMZ to a critical asset is 6 hops long, with several routers and firewalls along the way.



Cyber attacks are getting more efficient, more aggressive, and more destructive. Only a digitally resilient organization with full visibility into its network composition and security posture can hope to avoid falling victim, or to mitigate the fallout in the event of compromise. Reducing your attack surface is essential to decreasing risk. This is best done by adhering to standard IT best practices, including implementing a robust backup strategy, a vulnerability management program, and a segmented internal network. In this day and age, network segmentation and micro-segmentation are increasingly important as attackers and malware routinely get past perimeter defenses and often move laterally with impunity due to a lack of internal boundaries. RedSeal helps customers gain visibility into their network as it is built today, providing assurance through continuous monitoring of compliance with network access and segmentation policies. With this increased visibility and understanding, digitally resilient organizations can perform risk-based prioritization of remediation and mitigation activity to efficiently marshal resources and minimize overall enterprise risk.

For more information on how RedSeal can help you become resilient, please contact

Petya: Recommendations for defense and remediation

The CyberWire | June 29, 2017

What can enterprises do, now, to protect themselves against Petya and the other, similar attacks soon to follow? This won’t be a one-time thing: WannaCry wasn’t, and it’s reasonable to expect fresh ransomware campaigns to keep coming, hard and fast. The attackers get a good return on investment from repurposing tools and exploits. There’s no reason to expect them to stop.

For your coverage of Petya, Ray Rothrock, CEO of RedSeal, said in an email, “It’s happening again. This time in a slightly different form and name, but it’s the same. A new strain of Petya malware is going after unpatched Windows systems via EternalBlue, the same stolen NSA tool exploited by WannaCry.”

Review: RedSeal offers powerful, passive network protection

CSO Online | June 26, 2017

When CSO’s sister site Network World conducted its firewall manager review, the original plan was to invite RedSeal to participate. The problem was that while RedSeal originally did manage firewalls, their product has now evolved into something else. RedSeal shares some similarities to firewall managers, but is now in a separate, unique product group. We tested the RedSeal appliance to see where it fits into cybersecurity defenses.

RedSeal today is a digital resilience platform designed to discover all network vulnerabilities, including those that go around firewalls, and map attack vectors so they can be fixed. It also tracks network health and provides an overall vulnerability score that can be monitored by either executives or IT staff.

3.5M vacant cybersecurity roles by 2021, Cybersecurity Ventures report

SC Magazine | June 7, 2017

A look out at the jobs landscape shows that over the next five years, positions in the cybersecurity field will triple, according to “The Cybersecurity Jobs Report,” sponsored by Herjavec Group.

The global information security advisory firm predicts that – largely owing to increases in cybercrime – the number of cybersecurity job openings will hit 3.5 million by 2021.

Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

Dark Reading | June 7, 2017

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a new (ISC)2 survey released today.

Driving this widening shortage is not only the often discussed lack of qualified workers but also a greater need to bring in more warm bodies to tackle the rapidly evolving ways that cybercriminals and attackers are launching their nefarious activities, according to the report. It’s getting easier for low-tech criminals to get into hacking, thanks to malware-as-a-service operations and crimeware kits.

Cybersecurity Talent Shortage Set to Hit 3.5M by 2021

SiliconANGLE | June 6, 2017

If you’re looking for a tech job that will be in abundance in the years ahead, the cybersecurity marketplace will be the ideal place to find one, according to a newly published report on the employment prospects in the sector.

The report, from Cybersecurity Ventures Inc., found that the skills shortage will get a lot worse in the coming years. It predicts there will be a gap of 3.5 million positions globally by 2021. Of those unfilled positions, 1 million will be in India alone, with the United States experiencing half a million unfilled vacancies.

When it Comes to Network Resilience, It’s the Little Things that Count

GDPR.Report | June 1, 2017

By Dr. Mike Lloyd, RedSeal CTO

Cyber attacks are the new normal for businesses across the globe. When one hits home it can cause major monetary losses and reputational damage for organisations, from which some struggle to recover. Many CEOs have gotten the message, forced into action perhaps by strict new regulatory compliance requirements coming from Europe, or concrete evidence linking severe data breaches to tumbling share prices. That means many have invested in expensive digital security systems. But are they effective, or even necessary?