NotPetya/GoldenEye Malware Overwrites Master Boot Record
The Petya/NotPetya ransomware used in the global attack ongoing for the past two days was in fact hiding a wiper and was clearly aimed at data destruction, security researchers have discovered.
The attack started on June 27, with the largest number of victims being reported in Ukraine, where it apparently originated from. Within hours, the outbreak hit around 65 countries worldwide, including Belgium, Brazil, France, Germany, India, Russia, and the United States.
The attack would spread within local networks through various tools, including Mimikatz for credential gathering, and the EternalBlue exploit (also used by WannaCry), the EternalRomance exploit (Microsoft released patches for both in March), and WMIC (Windows Management Instrumentation Commandline) and PSExec for lateral movement.
The initial infection vector was the hijacked updater process of the tax accounting software MEDoc, but researchers also discovered that the website of the Ukrainian city of Bahmut might have been hacked and used to serve the malware as well.
Soon after the outbreak began, however, security researchers noticed that NotPetya wasn’t following the same rules as normal ransomware does when it comes to the payment process, and started sounding the alarm: an easy-to-block email address was used, a single Bitcoin address was hardcoded in the malware, and the payment process was rather counter-intuitive. The attackers weren’t seeking financial gains, multiple researchers said yesterday.
“A number of us in the security community are debating if the Petya attack on 27 June wasn’t a targeted attack on Ukraine, disguised as a ransomware attack on any organization caught up in the method used for infection,” Travis Farral, Director of Security Strategy at Anomali, told SecurityWeek in an emailed statement.
“There are details that support such a theory. The attackers behind the ransomware haven’t experienced much ROI despite the broad impact of the attack, they set up a weak payment process, launched the attack just prior to Ukraine’s Constitution Day and leveraged a malware family named for the pet name of Ukrainian President, Petro Poroshenko,” Farral continued.
During a phone call with SecurityWeek on Wednesday, Bitdefender senior e-threat analyst Bogdan Botezatu suggested that the attack's ultimate purpose might have been data destruction rather than financial gain, and it didn't take long for Matt Suiche, Microsoft MVP and founder of Comae Technologies, to reach the same conclusion.
He reveals that, while the original Petya was meant to encrypt the Master Boot Record (MBR) and demand ransom to decrypt it, the malware used in this attack, which was referred to as Petya.A, Petrwrap, NotPetya, exPetr, and GoldenEye, is in fact overwriting MBR sectors without saving them elsewhere.
“We noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk,” Suiche says. The malware, he continues, “does permanent and irreversible damage to the disk.”
Comae also discovered that the attackers implemented a function that unconditionally wipes the first 10 sectors if two conditions are met: the hash computed from the name of a running process (not yet identified) returns 0x2E214B44, and the function that replaces the actual MBR returns an error (which should counter EDR products trying to prevent bootloader modifications).
According to Kryptos Logic security researcher MalwareTech, however, the sectors that NotPetya overwrites in this attack don’t contain data at all. The malware supposedly saves the original first sector (MBR) elsewhere, but trashes the next 24 sectors.
“The 24 sectors following the MBR are completely empty on any standard Windows installation. […] Essentially on any standard Windows operating system there is nothing between sector 1 and sector 64,” the researcher points out.
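As an added example (not code from the article or from any of the researchers quoted), the following Python script checks a raw MBR disk image for what an overwrite of the first 25 sectors would actually hit: it parses the partition table, finds the lowest partition start LBA, and reports whether sectors 1 through 24 contain any non-zero data. The disk image is constructed inline; the `NTFS` marker bytes and partition geometry are assumptions.

```python
import struct

SECTOR = 512
WIPED_SECTORS = 25           # sectors 0..24, per the Comae analysis quoted above
MBR_SIG_OFFSET = 510
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16


def build_disk_image(first_partition_lba, total_sectors=4096):
    """Constructed sample image (not a real disk): one MBR partition entry
    starting at first_partition_lba, with marker bytes in its first sector
    so that it counts as 'data' for the check below."""
    img = bytearray(total_sectors * SECTOR)
    img[0] = 0xEB                       # stand-in for bootstrap code
    entry = struct.pack("<B3sB3sII", 0x80, b"\xff\xff\xfe", 0x07, b"\xff\xff\xfe",
                        first_partition_lba, total_sectors - first_partition_lba)
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    img[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xaa"
    start = first_partition_lba * SECTOR
    img[start:start + 8] = b"NTFS    "  # assumed volume boot record marker
    return img


def partition_starts(mbr):
    """Return the start LBA of every used entry in the MBR partition table."""
    starts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        ptype = mbr[off + 4]
        lba = struct.unpack_from("<I", mbr, off + 8)[0]
        if ptype != 0 and lba != 0:
            starts.append(lba)
    return starts


def triage(img):
    """Report what a wipe of sectors 0..24 would destroy on this image.
    Sector 0 is the MBR (saved elsewhere by the malware, per MalwareTech);
    sectors 1..24 are scanned for any non-zero content."""
    mbr = bytes(img[:SECTOR])
    starts = partition_starts(mbr)
    first = min(starts) if starts else None
    nonzero = [n for n in range(1, WIPED_SECTORS)
               if any(img[n * SECTOR:(n + 1) * SECTOR])]
    return {
        "boot_signature_ok": mbr[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] == b"\x55\xaa",
        "first_partition_lba": first,
        "nonzero_gap_sectors": nonzero,
        "wipe_would_hit_partition": first is not None and first < WIPED_SECTORS,
    }
```

On a standard layout (first partition at LBA 63 or 2048) the gap list comes back empty, which is the observation MalwareTech makes; a non-standard layout with a partition inside the first 25 sectors is flagged.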
Russian security firm Kaspersky Lab also reached the conclusion that the NotPetya campaign wasn’t designed as a ransomware attack, as everyone believed in the first place. Instead, it was “designed as a wiper pretending to be ransomware,” Kaspersky’s Anton Ivanov and Orkhan Mamedov explain in a recent blog post.
The first thing the researchers noticed was that the ransomware actually generates random data when pretending to generate the installation ID shown to the victim. Without a valid ID, the attackers can't decrypt the victims' files.
“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky says.
On the one hand, this means that victims can’t restore their data even if they pay the ransom. On the other, it reinforces the idea that the main goal of the attack “was not financially motivated, but destructive.”
“The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack,” Suiche notes.
“Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action. Effectively wiping hard drives through the pretense of ransomware confuses the issue,” Gavin O’Gorman, Symantec Security Response, points out.
Avira reveals that computers with Russian or Ukrainian language settings were impacted the most. The company also notes that the attack affected mostly older Windows systems running Windows 7 SP1, but that Windows 8 systems were affected as well.
Affected users are advised to refrain from paying the ransom as that would by no means help them decrypt their data. This advice is particularly true for the NotPetya incident, as the attackers have no means to restore victims’ data.
“Do not pay. You will not only be financing criminals, but it is unlikely that you will regain access to your files,” Europol notes. “Disconnect the infected device from the internet. If the infected device is part of a network, try to isolate it as soon as possible, in order to prevent the infection from spreading to other machines,” the agency continues.