NotPetya: A new threat
Published: 22/11/2017 12:00 pm
The ransomware that spreads like a worm infected organisations across Europe and the US
Barely had the dust settled on WannaCry, the ransomware that affected hundreds of thousands of computers in 150 countries in May, when another ransomware attack, NotPetya, started infecting organisations across Europe and into the Americas on June 27, 2017. Initially, this attack was thought to be a variant of the Petya ransomware because the attackers crafted the malware to resemble Petya. Upon further analysis, it was discovered that the main distribution and payment schemes were not consistent with prior Petya campaigns. Where prior Petya campaigns operated an organised payment and decryption-key distribution system accessed via the Tor network, this attack relied upon a single email account for coordinating ransom payments and decryption keys. That address was identified and deactivated early, leading investigators to conclude that it was unlikely the attackers intended it to remain operational for the duration of the campaign.
NotPetya was disseminated via the compromised software update service of MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. The malware spread to more than 12,000 systems in Europe and the Americas. This new variant started spreading across networks using the Windows Management Instrumentation Command-line (WMIC) tool or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE.
The SMB exploit is the same method used by the WannaCry ransomware, and Microsoft had already released a patch for the vulnerability.
Once NotPetya infects a system, it sets up its encryption routines and attempts to spread over the network. What’s different about NotPetya is that it attempts to extract cached user credentials from the originally infected machine and propagates using WMIC. The other difference between NotPetya and WannaCry is that while WannaCry used a kill-switch domain, NotPetya does not: encryption happens irrespective of whether the infected system is in an isolated environment or connected to the Internet.
Our open source intelligence analysis has led us to conclude that the campaign involved the following major actions:
1. Implanting a trojan into software essential to the intended target
2. Mounting a watering-hole attack by compromising the software supply chain and distributing the trojan through the legitimate vendor’s genuine software update service
3. Enhancing the malware to harvest credentials and use capabilities inherent in the operating system to move laterally and spread the malware
The end result of ransomware is to lock up the files on infected machines and demand a ransom to retrieve the data, though the true goal of the NotPetya creators may have been disruption rather than monetary gain.
NotPetya’s encryption process presents a fake chkdsk splash page while it encrypts the hard disk’s master boot record, provided a privileged user executes it. It then schedules a task to restart the system once, and the reboot brings up the ransom note. If it is unable to execute the payload as a privileged user, it instead encrypts the file types annotated below and writes a README.TXT ransom note.
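The two behaviours described above, remote process creation through WMIC with reused credentials and a scheduled task that reboots the host, both leave traces in process-creation telemetry. The following Python script is an added detection example, not code from the original article or from any vendor; the log records are constructed Sysmon-style (host, parent image, command line) tuples written for this illustration, and the payload path in them is a placeholder.

```python
import re

# Constructed Sysmon Event ID 1 style records (host, parent image, command line).
# Illustrative lines written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    ("WS01", "rundll32.exe",
     r'wmic.exe /node:"10.0.0.15" /user:"CORP\svc01" /password:"x" '
     r'process call create "rundll32.exe C:\Windows\payload_placeholder.dll"'),
    ("WS01", "rundll32.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
    ("WS02", "explorer.exe", r'wmic.exe computersystem get name'),
    ("WS03", "cmd.exe", r'schtasks /Query /FO LIST'),
]

# Each rule maps a tag to a case-insensitive regex over the command line.
RULES = {
    # WMIC told to spawn a process on another host: the lateral-movement step.
    "wmic_remote_exec": re.compile(
        r'wmic(\.exe)?\s.*?/node:\S+.*?process\s+call\s+create', re.I),
    # Explicit credentials on the WMIC command line: harvested-credential reuse.
    "wmic_explicit_creds": re.compile(
        r'wmic(\.exe)?\s.*?/user:\S+.*?/password:', re.I),
    # A scheduled task whose action reboots the machine: staging the ransom note.
    "scheduled_restart": re.compile(
        r'schtasks\s.*?/create\s.*?shutdown(\.exe)?\s[^"]*?/r\b', re.I),
}

def classify(cmdline):
    """Return the set of rule tags that match one command line."""
    return {tag for tag, rx in RULES.items() if rx.search(cmdline)}

def scan(events):
    """Return (host, parent, tag) triples for every matching event, in log order."""
    hits = []
    for host, parent, cmdline in events:
        for tag in sorted(classify(cmdline)):
            hits.append((host, parent, tag))
    return hits

if __name__ == "__main__":
    for host, parent, tag in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag} (parent {parent})")
```

Legitimate administration also uses WMIC and schtasks, so in practice these tags are correlated with the parent process and with the volume of distinct /node: targets from one host rather than alerted on individually.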