Channel: Networks Asia - IT news

How the Petya malware works and how to avoid being a victim


The new cyberattack malware dubbed NotPetya or ExPetr is believed to have been unleashed via a software update on June 27 for accounting software M.E.Doc, which is widely used by companies in Ukraine.

According to Acronis, the Petya variant of ransomware differs from WannaCry in that Petya targets the Master Boot Record (MBR). Petya first reboots the computer, then encrypts the hard drive's Master File Table (MFT), which renders the MBR inoperable. From this point forward it restricts access to the system by seizing the information about file names, sizes and locations on the physical disk. Finally, Petya replaces the computer's MBR with its own code, which displays the ransom note once the system is powered up.

There have been reports in Australia of businesses affected by the Petya ransomware, namely the Tasmanian Cadbury chocolate factory, global law firm DLA Piper, and the Jawaharlal Nehru Port Trust.

The Rise of Ransomware-as-a-service

The Petya variant of ransomware also gives rise to a new—if not unsavory—business model: Ransomware-as-a-service (RaaS), according to Acronis. While there is still some debate as to whether it is a variant of Petya, GoldenEye, or a new version of Wannacry, we can be sure that it was definitely not from the original author of the Petya variant of ransomware. This means that hackers actually purchased the source code and used the models to create the attack.

While the potential payouts from ransomed victims can amount to millions, the ransomware itself is incredibly cheap, between US$50 and US$150, depending on whether it is bought per use or as the full ransomware source code. The authors then offer their ransomware on the darknet and promise a generous share of any paid ransom to potential distributors, while the author pockets the rest.

Various cyber security firms including Cisco Talos, Kaspersky Lab and ESET, as well as the Ukrainian Police, say as-yet-unidentified attackers apparently compromised the M.E.Doc update servers.

Not Designed as a Ransomware Attack?

But Kaspersky Lab has bad news for the victims, which number in the thousands in Ukraine, Russia, the UK, Denmark, Spain, France and the US, including Danish shipping company Maersk, Russian oil firm Rosneft, UK media agency WPP, several banks in Ukraine, and the Ukrainian agency responsible for monitoring radiation levels at the Chernobyl nuclear plant.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have [concluded] that the threat actor cannot decrypt victims’ disk, even if a payment was made,” Kaspersky said in a statement.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

In short, affected companies will not be able to regain access to their hard drives even if they pay the US$300 in Bitcoin that the attackers demand for a decryption key. Unlike the WannaCry ransomware in May, which encrypts files, the NotPetya malware locks up a device’s Master File Table, denying access to the entire hard drive.

Russia attacks Ukraine?

But the discovery has raised suspicions that NotPetya is not true ransomware. “This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” says Kaspersky.

Tom Kellermann, CEO and Partner at investment firm Strategic Cyber Ventures, suggested to BBC News that the fact that Ukraine was targeted could indicate that “some cyber criminal group that sometimes act as a cyber militia for Russia” is behind NotPetya.

“The fact that so much infrastructure in Ukraine was targeted through accounting software that was leveraged specifically to that environment, specific to that language, specific to file-sharing that would allow it to traverse infrastructure as a whole leads me to believe that this was far more than just a criminal conspiracy to create money,” he said.

Why were companies in Russia also felled? “Once you set a forest fire, you never know what it’s going to burn,” Kellermann said.

Steve McGregory, Senior Director of Application Threat Intelligence at Ixia, believes the attack is not nation-state related.

“It’s important to note that since the Shadow Brokers’ NSA leaks of these nation-state level cyber weapons, the use of WannaCry and today’s ransomware campaign are the equivalent of sophomore college students getting their Masters’ degrees in a matter of weeks.

“In this case, we’re seeing a number of different malware variants being used in these attacks - including WannaCry, and a modified version of DoublePulsar that attempts to gain kernel level access on a system. Based on our honeypots in the wild, it seems that the malware is not moving today - it may have been planted in advance by the attackers, and then activated today for the attack.”

Patch your Windows

So far, NotPetya has not reached the level of 230,000 infected computers in 150 countries that WannaCry had notched before it was stopped when a researcher registered a garbled domain name hidden in that malware. That act inadvertently activated a kill switch in the WannaCry software.

This time around, researchers could not find a kill switch in NotPetya, causing concerns that the spread of the new malware would be harder to halt.

Fortunately, it exploits the same vulnerability in Windows for which Microsoft had offered fixes after the WannaCry attack. Even so, the fact that units of big companies like Maersk fell victim suggests that not everyone had applied the patches.

Security experts once again urgently advise companies to update their Windows systems with the patches and to stay vigilant as cyber criminals launch new variants of WannaCry and entirely different malware.

“Many companies haven’t deployed those patches and also they haven’t deployed next-gen defenses . . . and technology that can actually stop ransomware before it affects your system,” says Kellermann.

WannaCry and NotPetya are both based on EternalBlue, a malware whose code was leaked to the Internet by hacking group TheShadowBrokers, which claimed it came from the armory of the US National Security Agency.

Kellermann worries that “more and more non-state actors” motivated by political ideology “can now arm up and leverage their attacks,” as TheShadowBrokers and other groups sell them malware stolen from the arsenal of government agencies.

Affected Systems

The following Microsoft operating systems are currently suspected to be vulnerable:

  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003

Meanwhile, Sophos urges users to immediately do the following:

  • Ensure systems have the latest patches, including the one in Microsoft MS17-010 bulletin
  • Consider blocking the Microsoft PsExec tool from running on users’ computers. You can block it using a product such as Sophos Endpoint Protection. A version of this tool is used as part of another technique used by the Petya variant to spread automatically
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands
  • Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job

Three core principles

Ixia is also sharing three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:

1. Discover the origin

The ransomware infection chain invariably starts with a targeted phishing email, with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates and connects to the attacker’s remote server on the internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine.

2. Understand its behavior

Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.

3. Block the infection

Most payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the internet. As IP addresses are relatively scarce, the same ‘bad’ ones tend to be continually re-used. Even brand-new malware variants can usually be linked to a small number of compromised IP addresses.

This means that if a machine in an organization's network attempts to download content from a known malicious IP address, it is usually in the initial stages of a ransomware attack, and there is no need to examine the macro that is attempting the download or the content being downloaded.

Ixia notes that the simplest, most cost-effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously updated threat intelligence feed. This lets an organization nullify new attacks as well as existing, dormant infections.
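As an added example (not from the article, Ixia or Sophos), the check described above applied to constructed log lines: a small Python detector that loads a plain-text blocklist feed of IPs or CIDR ranges and flags outbound connections whose destination is listed. The feed entries, log line format and addresses are constructed for illustration and are not real indicators.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample feed (not a real threat-intelligence feed): one IP or
# CIDR per line, with '#' comments and blank lines, as plain-text feeds usually are.
FEED_TEXT = """
# constructed blocklist
203.0.113.10
198.51.100.0/24
2001:db8::bad
"""

# Constructed outbound proxy/firewall log lines using documentation address ranges.
LOG_LINES = [
    "2017-06-27T10:01:02Z src=10.0.0.21 dst=203.0.113.10 dport=80 action=allow",
    "2017-06-27T10:01:05Z src=10.0.0.22 dst=93.184.216.34 dport=443 action=allow",
    "2017-06-27T10:01:09Z src=10.0.0.23 dst=198.51.100.77 dport=8080 action=allow",
    "2017-06-27T10:01:11Z src=10.0.0.24 dst=not-an-ip dport=80 action=allow",
]

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_feed(text: str) -> list:
    """Turn feed text into ip_network objects; a bare IP becomes a /32 or /128."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def match_log(lines: List[str], nets: list) -> List[Dict[str, str]]:
    """Return one alert per log line whose destination lies inside a listed network."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not carry src/dst fields
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed destination: skip rather than crash the detector
        # ip_network membership is False across IPv4/IPv6, so mixed feeds are safe.
        hit = next((n for n in nets if dst in n), None)
        if hit is not None:
            alerts.append({"src": m["src"], "dst": str(dst), "matched": str(hit)})
    return alerts


if __name__ == "__main__":
    for a in match_log(LOG_LINES, parse_feed(FEED_TEXT)):
        print(f"ALERT {a['src']} -> {a['dst']} (listed as {a['matched']})")
```

In production the feed would be refreshed on a schedule and the same match would drive a firewall or proxy deny rule rather than only an alert.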
