Tuesday’s ransomware outbreak hit many businesses and government entities around the world, but by far the most numerous victims are located in Ukraine.
The infection process
The delivered malware was not, as initially believed, the original Petya ransomware or the previously seen variant PetrWrap.
NotPetya, as this new threat was dubbed, is definitely made to look like Petya, and uses some of its code, but has its own specific characteristics:
According to Kaspersky Lab researchers, it waits for 10 to 60 minutes after the infection to reboot the system, and once that’s done, it begins encrypting the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note.
NotPetya uses a 128-bit AES key to encrypt files on the infected PC (the same key is used for all the files), then encrypts that key with a public 2048-bit RSA key, and saves it to a README file. In theory, after the ransom is paid, the attackers can use their private RSA key to decrypt the stored AES key, and the victims can use it to restore their files.
“We found that the ransomware doesn’t encrypt the entirety of your files with matching extensions, but instead encrypts up to the first mebibyte of data. This is done presumably to save time during the encryption process, but also ensures that enough of the file is encrypted to be unlikely to restore without paying the ransom,” Webroot’s threat research analyst Tyler Moffitt noted.
NotPetya’s spreading mechanisms
NotPetya uses a a variety of techniques to break into networks and spread through them, from computer to computer.
“Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations,” FireEye researchers shared.
“The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: ‘On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!'”
“Our initial analysis of the artifacts and network traffic at victim networks indicate that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally along with WMI commands, MimiKatz, and PSExec to propagate other systems”, they added.
It seems that the attackers didn’t want to rely simply on the EternalBlue and EternalRomance SMB exploits to spread the malware within networks.
MimiKatz was used to extract network administrator credentials from infected machines’ running memory. And Windows PSExec and Windows Management Instrumentation (WMI) – system management tools usually found on enterprise Windows computers – were used to remotely compromise other systems on the local network.
There are also reports that the malware might have been delivered via booby-trapped phishing emails, but if they turn out to be true, this delivery method was not of primary importance.
What can you do?
If your organization hasn’t been hit by the malware, this is the perfect time to install the patch for EternalBlue and EternalRomance (MS17-010) provided by Microsoft in March.
But that will not be enough.
“Even if a server is patched, if the System Administrator’s laptop becomes infected with Petya ransomware, it can use those admin credentials to jump around in a network to the servers,” WhiteHat Security’s Ryan O’Leary explained.
“If a widely used administrative credential is compromised, it could very quickly be game over for many systems regardless of whether the patch for MS17-010 has been applied or not,” Arbor Networks researchers have noted.
In many enterprises, they pointed out, typical remote administration activities via PSExec and WMI will not be blocked and will likely fly under the radar.
“Avoid any false sense of security that may derive from patching MS17-010 and heed the longstanding calls for appropriate network segmentation to limit the damage from Petya and other malware,” they advised.
Microsoft has more advice on what to do if you’ve already been hit with the ransomware.
Also, there’s currently a way to prevent the current strain of the malware from running on computers:
98% sure that the name is is perfc.dll Create a file in c:\windows called perfc with no extension and #petya #Nopetya won't run! SHARE!! https://t.co/0l14uwb0p9
— Amit Serper (@0xAmit) June 27, 2017
You can find a step-by-step guide here.
Who’s behind this latest attack?
At first glance, it seems like a simple ransomware-spreading attack mounted by cyber criminals that are after money.
But the fact that the monetization mechanism has been easily thwarted – the email through which the victims are supposed to get in touch with the attackers and confirm the paying of the ransom has been shut down – makes researchers believe that making money wasn’t the primary goal.
Add to this the fact that Ukraine victims are the most numerous and high-profile, that the attack hit a a day before a Ukraine national holiday (Constitution Day), and it very much seems like the main goal of the attack was to wreak havoc.
Fingers have been pointed towards Russian hackers as the culprits, but concrete evidence for such accusations could ultimately never be found.
Another important unknown at this point is if NonPetya is a component of a more elaborate attack, noted Daniel Miessler, IOActive director of advisory services.
“Is what we’re seeing now intended to be a compelling distraction?” he wonders.
Some reports have noted that in some cases, the ransomware was also accompanied by information-stealing malware.
While you’re here, check out:
- A guide on how to prevent ransomware from Stephen Rouine, Cyber Risk and Cloud Security Consultant at BH Consulting.
- eBook: Defending against crypto-ransomware from Netwrix.