
Fake WannaCry Ransomware Uses NotPetya’s Distribution System

The NotPetya wiper wasn’t the only piece of malware distributed last week using the compromised M.E.Doc update mechanism: a fake WannaCry ransomware variant was delivered using the same channel, Kaspersky Lab reports.

Called FakeCry, the ransomware was delivered to M.E.Doc users on June 27, the same day the NotPetya outbreak started. According to Kaspersky, it was run as ed.exe in the M.E.Doc directory by the parent process ezvit.exe, suggesting it used the same delivery mechanism abused by NotPetya.

Written in .NET and including a “WNCRY” string, the ransomware was clearly making reference to the massive WannaCry epidemic in May 2017, as did a “forgotten” PDB path left inside it. However, the malware also pretends to be “made in China,” which researchers suggest is a false flag.

Last month, some security researchers suggested WannaCry was the work of North Korean hackers, while others suggested it didn’t fit North Korea’s style. Linguistic analysis that threat intelligence firm Flashpoint performed on 28 WannaCry ransom notes revealed that the attackers were fluent Chinese speakers who also appeared to know English.

Unlike WannaCry, which spread through the EternalBlue Windows exploit, FakeCry uses a dropper saved on disk as wc.exe. The dropper can execute several commands: drop the ransomware component; begin encryption; begin decryption; <Key> (public key for encryption and private key for decryption); and demo (encryption or decryption with hardcoded RSA keys).

The ransomware component, on the other hand, can generate the RSA-2048 key pair, encrypt/decrypt files, encrypt/decrypt disk, and delete shadow copies on the infected machine. When executed, the malware first deletes shadow copies, then initializes keys, creates the file list for encryption, proceeds to encrypt files, and then shows the ransom window.
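The delivery chain described above (ed.exe launched by the M.E.Doc parent process ezvit.exe, and the wc.exe dropper) is the kind of indicator a defender would turn into a process-creation detection. The following is an added example written for this page, not code from the article or from Kaspersky; the log format, field names, timestamps, install path and host names are all constructed for the example, and the rule names are this example's own.

```python
# Added example (not from the article or Kaspersky's report): triage a
# process-creation log for the FakeCry delivery chain the article describes.
# Indicators taken from the article: ed.exe spawned by ezvit.exe in the
# M.E.Doc directory, and a dropper saved on disk as wc.exe.
from __future__ import annotations
import json
import ntpath  # splits Windows paths correctly even when run on Linux

# Process names from the article.
SUSPECT_CHILDREN = {"ed.exe", "wc.exe"}
MEDOC_PARENT = "ezvit.exe"
# The article only says "the M.E.Doc directory"; matching on this substring
# of the image path is an assumption made for this example.
MEDOC_DIR_HINT = "medoc"

# Constructed sample events (JSON lines) in a generic EDR-style format.
# Field names, hosts, timestamps and paths are assumptions for the example.
SAMPLE_EVENTS = r"""
{"ts":"2017-06-27T10:30:01Z","host":"acct-01","image":"C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2017-06-27T10:30:05Z","host":"acct-01","image":"C:\\ProgramData\\Medoc\\Medoc\\ed.exe","parent_image":"C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe"}
{"ts":"2017-06-27T10:30:09Z","host":"acct-01","image":"C:\\ProgramData\\Medoc\\Medoc\\wc.exe","parent_image":"C:\\ProgramData\\Medoc\\Medoc\\ed.exe"}
{"ts":"2017-06-27T10:31:00Z","host":"acct-02","image":"C:\\Program Files\\Editor\\ed.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2017-06-27T10:32:00Z","host":"acct-01","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the rule names an event matches; an empty list means no hit.

    The bare name ed.exe is a weak indicator on its own (any editor could be
    called that), so the rules require either the M.E.Doc parent process or
    the M.E.Doc directory in addition to the name.
    """
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    in_medoc_dir = MEDOC_DIR_HINT in event["image"].lower()
    if image in SUSPECT_CHILDREN and parent == MEDOC_PARENT:
        hits.append("fakecry_delivery_via_medoc_updater")
    if image in SUSPECT_CHILDREN and in_medoc_dir:
        hits.append("suspect_binary_in_medoc_dir")
    return hits


def triage(log_text: str) -> list:
    """Parse JSON-lines events and return one alert per matching event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            alerts.append({"ts": event["ts"], "host": event["host"],
                           "image": event["image"], "rules": rules})
    return alerts


def affected_hosts(alerts: list) -> list:
    """Sorted, de-duplicated list of hosts that raised at least one alert."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
    print("hosts to isolate:", affected_hosts(triage(SAMPLE_EVENTS)))
```

On the constructed sample the ed.exe started by ezvit.exe fires both rules, the wc.exe in the same directory fires the directory rule, and the unrelated ed.exe under a different path on acct-02 is left alone; in a real environment the parent-process rule is the higher-confidence one, since the update-mechanism abuse is what ties the sample to the M.E.Doc channel.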

FakeCry targets around 170 file types for encryption and can kill processes that hold targeted files open, in order to unlock them. It uses the Handler Viewer Sysinternals tool to accomplish the task. The ransomware also contains a list of extensions covering only image file types (jpg, jpeg, png, tif, gif, and bmp), which the attackers will decrypt for free, researchers say.

The ransom note displayed by this ransomware is similar to that of WannaCry. The attackers demand 0.1 Bitcoin (around $260) and use the same wallet number for all infections (seven payments have been made so far to the wallet). The ransomware uses a Tor server for command and control.

“Unfortunately ExPetr/Petya was not the only ransomware that was distributed via MeDoc updates on June 27. In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine,” Kaspersky notes.

Ukraine’s authorities this week announced they raided and seized M.E.Doc servers fearing that the cybercriminals behind the NotPetya attack might still have access to these resources. In an official announcement, they advised users to turn off all computers on which the M.E.Doc software is running and to change passwords and electronic digital signatures.

The fact that both malware families were distributed through the same vector at the same time suggests they might be related. However, the security researchers have yet to establish a definitive connection between the two.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
