Security Experts:

Fake WannaCry Ransomware Uses NotPetya's Distribution System

The NotPetya wiper wasn’t the only piece of malware distributed last week using the compromised M.E.Doc update mechanism: a fake WannaCry ransomware variant was delivered using the same channel, Kaspersky Lab reports.

Called FakeCry, the ransomware was delivered to M.E.Doc users on June 27, the same day as the NotPetya outbreak started. According to Kaspersky, it was run as ed.exe in the M.E.Doc directory by the parent process ezvit.exe, suggesting it used the same delivery mechanism abused by NotPetya.

Written in .NET and including a “WNCRY” string, the ransomware was clearly making reference to the massive WannaCry epidemic in May 2017, and the same did a “forgotten” PDB path inside it. However, the malware also pretends to be “made in China,” which researchers suggest is a false flag.

Last month, some security researchers suggested WannaCry was the work of North Korean hackers, while others suggested it didn’t fit North Korea’s style. Linguistic analysis threat intelligence firm Flashpoint performed on 28 WannaCry ransom notes revealed that the attackers were fluent Chinese speakers who also appeared to know English.

Unlike WannaCry, which spread through the EternalBlue Windows exploit, FakeCry uses a dropper saved on disk as wc.exe. The dropper can execute several commands: drop the ransomware component; begin encryption; begin decryption; <Key> (public key for encryption and private key for decryption); and demo (encryption or decryption with hardcoded RSA keys).

The ransomware component, on the other hand, can generate the RSA-2048 key pair, encrypt/decrypt files, encrypt/decrypt disk, and delete shadow copies on the infected machine. When executed, the malware first deletes shadow copies, then initializes keys, creates the file list for encryption, proceeds to encrypt files, and then shows the ransom window.

FakeCry targets around 170 file types to encrypt and can kill processes if they use targeted files, to unlock them. It uses the Handler Viewer Sysinternals tool to accomplish the task. The ransomware also contains a list of extensions that contains only image file types (jpg, jpeg, png, tif, gif, and bmp), and which the attackers can decrypt for free, researchers say.

The ransom note displayed by this ransomware is similar to that of WannaCry. The attackers demand 0.1 Bitcoin (around $260) and use the same wallet number for all infections (seven payments have been made so far to the wallet). The ransomware uses a Tor server for command and control.

“Unfortunately ExPetr/Petya was not the only ransomware that was distributed via MeDoc updates on June 27. In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine,” Kaspersky notes.

Ukraine’s authorities this week announced they raided and seized M.E.Doc servers fearing that the cybercriminals behind the NotPetya attack might still have access to these resources. In an official announcement, they advised users to turn off all computers on which the M.E.Doc software is running and to change passwords and electronic digital signatures.

Given that both malware families were distributed through the same vector at the same time suggests they might be related. However, the security researchers have yet to establish a definitive connection between the two.

Related: NotPetya Connected to BlackEnergy/KillDisk: Researchers

Related: Why WannaCry Was a Wake Up Call for Critical Infrastructure Security

view counter