We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. With echoes of WannaCry, infections spread fast. The research is still in progress: some security researchers describe the malware as a variant of Petya; others say it is a brand new sample. The low-level attack works in the same style as the first Petya. The ransomware has been wreaking havoc across the globe this week, locking the MFT and MBR sections of the hard drive and preventing computers from booting. The massive outbreak of this not-really ransomware has caused significant damage to both Ukrainian targets and strategic global logistics companies. Where WannaCry focused on poorly patched systems, Petya seems to have hit hardest among large corporate networks. This new outbreak once again highlights the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged. Hackers are targeting those that cannot afford to have downtime.
Ukraine was hardest hit by the attack, which came one day before the country's Constitution Day. It seems that this was a straightforward cyber attack with a target space of basically every company that does business in Ukraine. Systems across Ukraine were affected, including those at hospitals, airports, and even at the Chernobyl plant. In Ukraine, the hardest hit nation in Tuesday's outbreak, the ransomware spread across government institutions, banks and even the radiation monitoring at the Chernobyl nuclear facility. While the finance sector was hit hardest, more than 50 percent of the remaining targets fell into the categories of manufacturing or oil and gas. The attack hit Ukraine's central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl's radiation monitoring system, and other machines in the country.
Other countries were affected as well, as the virus also spread internationally. The Petya/NotPetya attack hit a total of 65 countries in the first 24 hours, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. It also affected the Russian oil giant Rosneft, the DLA Piper law firm, the U.S. biopharmaceutical giant Merck, the British advertiser WPP, and the Danish shipping and energy company Maersk, among others. Rosneft, the giant Russian energy firm, was infected but could continue its operations by simply switching to its backup system, suffering no downtime or outages.
Danish shipping and energy company Maersk reported a cyberattack on Tuesday. Maersk, the world's largest shipping company, reported systems down across multiple sites and has largely gone back to operating manually after the malware attack. Some experts are calling this a "Y2K moment" for the shipping industry.
This has no killswitch, and it looks like they had a development budget. While initial analysis suggested that this was a Petya-powered ransomware attack similar to WannaCry, further investigation revealed that the malware is actually designed to overwrite the master boot record (MBR) of compromised machines. There is no way to recover encrypted files, even if the ransom is paid. Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options. The hackers behind the cyberattack have received less than $10,000 from victims.
It seems that this is definitely not designed to make money. Research by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack. There are at least three issues (corruption of the sectors after the MBR, a random garbage installation ID, and buggy encryption code) that indicate successful decryption of an infected computer was not a developer priority. Once the malware takes hold of a computer, it waits 10 to 60 minutes before rebooting the infected computer.
What's the difference between a wiper and ransomware? The goal of a wiper is to destroy and damage. The goal of ransomware is to make money. Different intent. Different motive. Different narrative. It looks like the Petya/NotPetya attack was pretending to be ransomware while in fact being a nation-state attack.
This ransomware variant is coded to erase the unique, randomly generated key that is used to encrypt the MFT (Master File Table). It seems very unlikely that users can receive a working decryption key. The e-mail service which hosted the address that victims were instructed to contact for payment has closed the account, so trying to pay the ransom will result in a returned e-mail. Also, the victim ID is just trash.
The code is well written and obfuscated to protect against AV detection using at least two techniques: a fake Microsoft signature (which apparently fools some AV) and an XOR-encrypted shellcode payload (to bypass signature checks). The worm uses three different infection vectors: ETERNALBLUE, harvested password hashes, and PsExec. Once a single computer on a network was infected, Petya leveraged Windows networking tools like Windows Management Instrumentation (WMI) and PsExec to infect other computers on the same network. Once it is able to gain access to administrative login credentials, it is able to jump from machine to machine using standard Windows mechanisms. Even networks that had patched against the EternalBlue exploit were sometimes vulnerable to attacks launched from within the network.
As the whole world deals with another massive ransomware outbreak, it appears the variant may have spread in different ways among the various impacted countries. The initial attack vector has been attributed to a software update from the accounting company MeDoc, which sent an infected file out to customers, according to Ukrainian officials as well as security researchers at Kaspersky and Cisco. Attackers managed to deliver the ransomware through the update process.
Based on information released by security researchers, a Ukrainian accounting software company called MeDoc pushed an update on 6/27/2017 which installed the malware on the "victim zero" system. Then, using a mix of PsExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Practically everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages).
The infection vectors for other countries remain less clear.
Because of the ransomware's global reach, many researchers flocked to analyze it. Researchers have discovered what might be a "vaccine" for the current version of the Petya-esque ransomworm. The researcher's initial findings have later been confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft. Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers: simply create a file called perfc in the C:\Windows folder and make it read-only, and the NotPetya ransomware is blocked from executing. This method is more of a vaccination than a kill switch. A batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat (I am not sure if that is safe to use or not).
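The vaccination step described above, written out as a PowerShell script so it can be checked and repeated across machines. This is an added example, not the post's own code and not the linked batch file; it assumes a default install where $env:SystemRoot is C:\Windows and that it runs from an elevated prompt.

```powershell
# Added example (not from the original post): create the NotPetya "vaccine"
# file C:\Windows\perfc, mark it read-only, and verify the result.
# Assumes $env:SystemRoot resolves to C:\Windows on a default install.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Run this from an elevated (Administrator) PowerShell; writing to $env:SystemRoot needs admin rights."
    return
}

$vaccinePath = Join-Path $env:SystemRoot 'perfc'

if (-not (Test-Path -LiteralPath $vaccinePath)) {
    # An empty file is enough: the post only requires that the file exist and be read-only.
    New-Item -Path $vaccinePath -ItemType File -Force | Out-Null
}

# Set the ReadOnly attribute so the file is not trivially replaced or deleted.
Set-ItemProperty -LiteralPath $vaccinePath -Name IsReadOnly -Value $true

# Verify: the file must exist and carry the ReadOnly attribute.
$item = Get-Item -LiteralPath $vaccinePath
if ($item.IsReadOnly) {
    Write-Output "Vaccine file present and read-only: $vaccinePath"
} else {
    Write-Warning "Vaccine file exists but could not be marked read-only: $vaccinePath"
}
```

Re-running the script is safe: an existing perfc file is left in place and only the read-only attribute is re-applied and re-checked.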
In an in-depth analysis of the infection, Microsoft explains that the new ransomware is a form of the already-known Petya with worm capabilities, emphasizing that up-to-date Windows systems are fully secure. In the wake of global malicious attacks such as WannaCry and NotPetya, Microsoft this week announced a new feature meant to keep users' data safe from ransomware and other types of malware: Controlled folder access is meant to monitor the changes applications make to files in certain protected folders and blacklists any app that attempts to make such modifications.
The malware attack raises concern that the NSA has lost control over the cyberweapons it developed, and that the damage from the Shadow Brokers leaks could be much worse. Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States, Britain and Ukraine. The Petya ransomware outbreak proves WannaCry was only the beginning. F-Secure Labs, for example, has been warning about the dangers of leaked government surveillance tools being weaponized by criminals for years.