A new Petya-like malware hit

We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. With echoes of WannaCry, infections spread fast. The research is still in progress -Some security researchers describe malware as variant of Petya; others say it’s a brand new sample. The low-level attack works in the same style as the first Petya. The ransomware has been wreaking havoc across the globe this week, locking hard drive MFT and MBR sections and preventing computers from booting. The massive outbreak of not-really ransomware that has caused significant damage to both Ukrainian targets and strategic global logistics companies.Where WannaCry focused on poorly patched systems, Petya seems to have hit hardest among large corporate networks. This new outbreak once again highlights the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged. Hackers are targeting those that cannot afford to have downtime.

Ukraine was hardest hit by the attack, which came one day before the country’s Constitution Day. It seem that this was a straight forward cyber attack with a target space of basically every company that does business in Ukraine. Ukraine were affected, including those at hospitals, airports, and even at the Chernobyl plant. In Ukraine, the hardest hit nation in Tuesday’s outbreak, the ransomware spread across government institutions, banks and even radiation monitoring at the Chernobyl nuclear facility. While the finance sector was hit hardest, more than 50 percent of the remaining targets fell into the categories of manufacturing or oil and gas. The attack hit Ukraine central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl’s radiation monitoring system, and other machines in the country.

Also other countries were affected as the virus has also spread internationally. The Petya/NotPetya attack hit a total of 65 countries in first 24 hours, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. It also affected Russian oil giant Rosneft, DLA Piper law firm, U.S. biopharmaceutical giant Merck, British advertiser WPP, and Danish shipping and energy company Maersk, among others. Rosneft, the giant Russian energy firm was also infected, but they could continue their operations by simply switching to their backup system -suffered no downtime or outages.

Danish shipping and energy company Maersk reported a cyberattack on Tuesday. Maersk, the world’s largest shipping company  reported systems down across multiple sites: Maersk has largely gone back to operating manually after malware attack. Some experts are calling this a “Y2K moment” for the shipping industry.

This has no killswitch, and it looks like they had a development budget. While initial analysis suggested that this was a Petya-powered ransomware attack similar to WannaCry, further investigation revealed that the malware is actually designed to overwrite the master boot record (MBR) of compromised machines. There is no way to recover encrypted files, even if the ransom is paid. Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options. The hackers behind the cyberattack have received less than $10,000 from victims.

It seems that this is definitely not designed to make money. Research by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack. There are at least three issues (post MBR sector corruption, random garbage installation ID, buggy encryption code) that indicate successful decryption of an infected computer was not a developer priority.Once the malware takes hold of a computer, it waits 10 to 60 minutes to reboot the infected computers.

What’s the difference between a wiper and a ransomware? The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. It looks like the Petya/NotPetya attack was pretending to be a ransomware while being in fact a nation state attack.

This ransomware variant is coded to erase a unique and randomly generated key that is used to encrypt the MFT (Master File Table).  It seems that it very unlikely that users can receive a working decryption key. The e-mail service which hosted the address which victims were instructed to send payment to has closed the account so trying to pay the ransom will result in a returned e-mail. Also the victim ID is just trash.

The code is well written, obfuscated to protect against AV detection using at least two techniques: Fake Microsoft signature (apparently fools some AV) and XOR encrypted shellcode payload (to bypass signature checks). The worm uses three different infection vectors: ETERNALBLUE, Harvested password hashes and
psexec.Once a single computer on a network was infected, Petya leveraged Windows networking tools like Windows Management Instrumentation (WMI) and PsExec to infect other computers on the same network. Once it’s able to gain access to administrative login credentials, it’s able to jump from machine to machine using standard Windows mechanisms. Even networks that had patched against the EternalBlue exploit were sometimes vulnerable to attacks launched from within the network.

As the whole world deals with another massive ransomware outbreak, it appears the variant may have spread in different ways among the various impacted countries. The initial attack vector has been attributed to a software update from accounting company MeDoc, which sent an infected file out to customers, according to Ukrainian officials as well as security researchers at Kaspersky and Cisco.Attackers managed to deliver the ransomware through the update process.

Based on information released by security researchers, a Ukrainian accounting software company called Me Doc pushed an update at 6/27/2017, which installed the malware on the “victim zero” system. Then, using a mix of PSExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Practically everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages.)

The infection vectors for other countries remains less clear.

Because of the ransomware’s global outreach, many researchers flocked to analyze it. Researchers have discovered what might be a “Vaccine” for the current version of the Petya-esque ransomworm. The researcher’s initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft. Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers : victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executingsimply create a file called perfc in the C:\Windows folder and make it read only. This method is more of a vaccination than a kill switch. Batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat (I am not sure if that is safe to use or not).

In an in-depth analysis of the infection, Microsoft explains that the new ransomware is a form of the already-known Petya with worm capabilities, emphasizing that up-to-date Windows systems are fully secure. In the wake of global malicious attacks such as WannaCry and NotPetya, Microsoft this week announced a new feature meant to keep users’ data safe from ransomware and other type of malware: Controlled folder access is meant to monitor the changes applications make to files in certain protected folders and blacklists any app that attempts to make such modifications.

Also a free tool that can scan networks to discover computers that are vulnerable to the NSA-linked EternalBlue exploit is now available.

Malware attack raises concern that the NSA has lost control over cyberweapons they developed, and that damage from the Shadow Brokers leaks could be much worse. Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States — Britain and Ukraine. Petya Ransomware Outbreak Proves WannaCry was Only the Beginning. For example F-Secure Labs has been warning about the dangers of leaked government surveillance tools being weaponized by criminals for years

 

Sources:

https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/

https://blog.malwarebytes.com/cybercrime/2017/06/petya-esque-ransomware-is-spreading-across-the-world/

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

https://www.cyberscoop.com/petya-ransomware-medoc-hacked-auto-update/

http://news.softpedia.com/news/microsoft-fully-up-to-date-windows-secure-against-petya-ransomware-516715.shtml

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4

http://www.securityweek.com/free-eternalblue-vulnerability-scanner-released

http://www.securityweek.com/microsoft-tackles-ransomware-controlled-folder-access

http://www.securityweek.com/industry-reactions-destructive-notpetya-attacks-feedback-friday

http://splash247.com/back-future-maersk-wake-petya-attack/

http://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-tools.html

https://techcrunch.com/2017/06/29/kaspersky-petya-expetr-not-ransomware-industrial-targets/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

http://www.darkreading.com/attacks-breaches/petya-or-not-global-ransomware-outbreak-hits-europes-industrial-sector-thousands-more/d/d-id/1329231

https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

http://www.securityweek.com/petyanotpetya-what-we-know-first-24-hours

https://www.theverge.com/2017/6/27/15883110/petya-notpetya-ransomware-software-update-wannacry-exploit

https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

https://www.forbes.com/sites/thomasbrewster/2017/06/27/ransomware-spreads-rapidly-hitting-power-companies-banks-airlines-metro/#26216e537abd

http://www.bullguard.com/blog/2017/06/news-alert-major-ransomware-attack-affects-users-worldwide-bullguard-users-are-protected.html?lang=en-IN

http://nordic.businessinsider.com/petya-cyber-attack-who-is-responsible-russia-europe-ukraine-2017-6?r=US&IR=T

https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry

https://motherboard.vice.com/en_us/article/new8xw/hacker-behind-massive-ransomware-outbreak-cant-get-emails-from-victims-who-paid

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

https://www.theverge.com/2017/6/27/15883110/petya-notpetya-ransomware-software-update-wannacry-exploit

http://www.cnbc.com/2017/06/28/ransomware-cyberattack-petya-bitcoin-payment.html

https://www.f-secure.com/en/web/business_global/petya?chl=sea&src={ifse…ent:gdna}&ecid=&gclid=CLzF6Yq669QCFUiJsgod-1wHyQ

https://business.f-secure.com/petya-ransomware

https://business.f-secure.com/petya-ransomware-outbreak-proves-wannacry-was-only-the-beginning

60 Comments

  1. Tomi Engdahl says:

    New TeleBots backdoor: First evidence linking Industroyer to NotPetya
    https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

    ESET’s analysis of a recent backdoor used by TeleBots – the group behind the massive NotPetya ransomware outbreak – uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven

    Reply
  2. Tomi Engdahl says:

    Cybersecurity and Insurance
    https://hackaday.com/2018/12/31/cybersecurity-and-insurance/

    Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.

    The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.

    It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.

    That’s a Lot of Money

    By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, customer order loss they came up with the $100 million figure.

    You might argue if that number is really accurate.

    However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million dollar loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.

    Loophole

    As you can probably guess, Zurich isn’t wanting to pay the claim. Insurance companies have a reputation for being happier to take your payments than they are paying your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?

    Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters.

    If you have a homeowner’s policy, you probably don’t want a force majeure exclusion.

    The act of war is a bit trickier. The logic is the same. If an army marches through your town and burns everything to the ground — or a nuke does the job remotely — the company would be on the hook for so much that they would have to raise premiums quite a bit. In the United States, though, the chances of that seem so slim that no one usually minds. If a nuke hits your house, you probably aren’t going to care anymore anyway.

    As usual, though, trying to apply old ideas to new technology causes problems.

    According to media reports, the exact language in the insurance policy covers “hostile or warlike action in time of peace or war” and includes any agent of any government (including a de facto government) or military force.

    The problem is, in a world where the battlefield is the Internet, how does this apply? There is a lot of evidence that NotPetya was state-sponsored by Russia and targeted Ukraine. The fact that it spread globally may even have been a mistake. Russia, of course, denies this.

    Lesson Learned

    Not being a lawyer or an insurance expert, this whole thing made me think. If you are buying cybersecurity insurance, maybe you don’t want an act of war exclusion. That’s going to drive up costs, but nearly any widespread cyberattack from another country could be argued as an act of war. Especially since in so many cases, these acts are perpetrated by persons unknown. Did the Russians create NotPetya? Did they deploy it? Did they hire some hacker group to do it for them? Does that matter? What if a hacker did it and then says they were paid by some government? How would you ever prove one way or the other?

    Reply
  3. Tomi Engdahl says:

    Financial Times:
    Mondelez sues insurance company for refusing to pay out $100M claim for NotPetya damages, launching the first major legal battle over cyber attack cost recovery
    http://t.co/qpBhJOUjf9

    Reply
  4. Tomi Engdahl says:

    Cyberinsurance and Acts of War
    https://www.schneier.com/blog/archives/2019/02/cyberinsurance_.html

    I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International’s claim of $100 million in damages from NotPetya. It claims it is an act of war and therefor not covered. Mondelez is suing.

    Reply
  5. Tomi Engdahl says:

    New York Times:
    Some companies attacked in 2017′s NotPetya ransomware plague have been denied insurance coverage over “war exclusion” clauses

    Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.
    https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html

    Within days of a cyberattack, warehouses of the snack foods company Mondelez International filled with a backlog of Oreo cookies and Ritz crackers.

    Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017.

    Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.

    After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought.

    Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war.

    Mondelez was deemed collateral damage in a cyberwar.

    When the United States government assigned responsibility for NotPetya to Russia in 2018, insurers were provided with a justification for refusing to cover the damage. Just as they wouldn’t be liable if a bomb blew up a corporate building during an armed conflict, they claim not to be responsible when a state-backed hack strikes a computer network.

    The disputes are playing out in court.

    The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

    “You’re running a huge risk that cyberinsurance in the future will be worthless,”

    Cyberattacks have created a unique challenge for insurers. Traditional practices, like not covering multiple buildings in the same neighborhood to avoid the risk of, say, a big fire don’t apply. Malware moves fast and unpredictably, leaving an expensive trail of collateral damage.
    NotPetya — which picked up the odd name because security researchers initially confused it with a piece of so-called ransomware called Petya — was a vivid example. It was also a powerful assault on computer networks that incorporated a stolen National Security Agency cyberweapon.

    “We still don’t have a clear idea of what cyberwar actually looks like,” said Jake Olcott, vice president at BitSight Technologies, a cyber risk adviser. “That is one of the struggles in this case. No one has said this was an all-out cyberwar by Russia.”

    In the past, American officials were reluctant to qualify cyberattacks as cyberwar, fearing the term could provoke an escalation.

    The description of the Sony attack was deliberate

    Obama administration had worried, in part, that the use of “cyberwar” would have triggered the liability exclusions and fine print that Mondelez is now challenging in court.

    “You have insurers who are sitting on insurance policies that were never underwritten or understood to cover cyber risk,” Mr. Kannry said. “Zurich didn’t underwrite the policy with the idea that a cyber event would cause the kind of losses that happened to Mondelez. Nobody is at war with Mondelez.”

    Many insurance companies are rethinking their coverage.

    “I don’t want to scare people, but if a country or nation state attacks a very specific segment, like national infrastructure, is that cyberterrorism or is that an act of war?” Ms. Fort asked. “There is still a bit of gray area.”

    Collateral damage from attacks that get out of control are going to become more and more common, he added. “That is what cyber is today,” Mr. Sagalow said. “And if you don’t like it, you shouldn’t be in the business.”

    Reply
  6. Tomi Engdahl says:

    Ransomware: The key lesson Maersk learned from battling the NotPetya attack
    https://www.zdnet.com/article/ransomware-the-key-lesson-maersk-learned-from-battling-the-notpetya-attack/

    Protection is important – but it’s equally as important to ensure your recovery process is strong, says head of cybersecurity compliance at the shipping giant.

    The extent of the cyberattack was so bad that it just didn’t seem possible that something so destructive could have happened so quickly.

    “The severity for me was really taken in when walking through the offices and seeing banks and banks of screens, all black. There was a moment of disbelief, initially, at the sheer ferocity and the speed and scale of the attack and the impact it had.”

    Reply
  7. Tomi Engdahl says:

    WannaCry ransomware attack on NHS could have triggered NATO reaction,
    says German cybergeneral
    https://www.theregister.co.uk/2020/02/03/wannacry_could_have_triggered_nato_german_general_says/
    FIC 2020 Western military alliance NATO could have reacted with force
    to the 2017 WannaCry ransomware outbreak that locked up half of
    Britain’s NHS, Germany’s top cybergeneral has said. During a panel
    discussion about military computer security, Major General Juergen
    Setzer, the Bundeswehr’s chief information security officer, admitted
    that NATO’s secretary-general had floated the idea of a military
    response to the software nasty.

    Reply
  8. Tomi Engdahl says:

    gvnshtn:
    An inside account of the security practices at Maersk leading up to and after the notPetya malware attack in 2017 and lessons learned from the recovery efforts

    Maersk, me & notPetya
    https://gvnshtn.com/maersk-me-notpetya/

    Reply
  9. Tomi Engdahl says:

    U.S. Charges Russian Intelligence Officers for NotPetya, Industroyer Attacks
    https://www.securityweek.com/us-charges-russian-intelligence-officers-notpetya-industroyer-attacks

    The U.S. Department of Justice on Monday announced charges against six Russian intelligence officers for their alleged role in several major cyberattacks conducted over the past years.

    The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

    They have all been charged with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

    Reply
  10. Tomi Engdahl says:

    WannaCry: How the Widespread Ransomware Changed Cybersecurity
    https://securityintelligence.com/articles/wannacry-worm-ransomware-changed-cybersecurity/
    If I had polled cybersecurity experts on their way to work on May 12,
    2017, most of them would have said they knew a major cybersecurity
    event loomed. Yet, on that day no one expected that they were walking
    into the perfect storm in the form of WannaCry ransomware, the most
    damaging cyberattack to date when they traveled by car, train or ferry
    to their respective offices that spring morning.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*