Petya/NotPetya Ransomware May Not be a Financially Motivated Attack, Researchers Say

The Petya/NotPetya outbreak that originated in Ukraine on Tuesday but spread globally within hours might have been more than a financially motivated ransomware incident, security researchers suggest.

The attack caught security researchers’ attention because the same EternalBlue SMB exploit employed by WannaCry was used to spread to new machines, and because of the fast pace at which reports of infections started to emerge worldwide.

The malware used in this attack, however, wasn’t WannaCry, but a variant of the Petya ransomware that first emerged in March 2016. Also referred to as Petya.A, Petrwrap, NotPetya, exPetr, and GoldenEye, this variant uses a different encryption implementation than earlier Petya builds and targets a different set of file types than previously observed variations.

While the exact number of victims isn’t known at the moment, Kaspersky Lab has already confirmed over 2,000 attacks, most of which occurred in Ukraine. During a phone call, Bitdefender’s senior e-threat analyst Bogdan Botezatu confirmed to SecurityWeek that Ukraine was hit the most: “We’ve seen some hits in other countries, but Ukraine was ravaged.”

The Petya/NotPetya attack hit a total of 65 countries, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. In Ukraine, more than 12,500 machines were affected by the ransomware attack, the tech giant says.

The attack hit Ukraine’s central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl’s radiation monitoring system, and other systems in the country. It also affected Russian oil giant Rosneft, the law firm DLA Piper, U.S. biopharmaceutical giant Merck, British advertiser WPP, and Danish shipping and energy company Maersk, among others.

Jury still out on initial infection vector

What Botezatu couldn’t confirm as of now was the initial infection vector. “We know how the ransomware moves within a network once it has compromised a machine, but we can’t find evidence of the initial infection vector,” he said.

While Microsoft and Cisco suggest that the legitimate update process of the Ukrainian tax accounting software MEDoc was compromised and used as the initial infection vector, the software’s vendor has already denied the allegations [Ukrainian], and Bitdefender says it has confirmed infections in organizations that don’t use the software.

Kryptos Logic suggests that a zero-day vulnerability might have been used, given that Petya/NotPetya is limited to spreading only to computers in internal networks, and because a spam campaign wouldn’t be as effective.

“We believe to reach such a velocity, this can be accomplished by attacking update systems or software packages with 0-day vulnerabilities,” the company says.

Spam email was also considered a possibility, but “likely [wasn’t] responsible for the large number of public sector organizations hit in Ukraine,” a Kryptos Logic security researcher going by the name of MalwareTech says.

According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, the website of the Ukrainian city of Bahmut (Бахмут) might have been used as a secondary initial infection vector after being hacked and repurposed to serve the malware.

Encryption starts within an hour

The Petya/NotPetya variant used in this attack doesn’t start encrypting an infected computer immediately, but waits for up to 60 minutes before doing so. Because the malware reboots the machine to begin encryption, which cuts off its own ability to spread from that host, the delay window is presumably used for credential gathering and network scanning beforehand.

“There appears to be a significant delay between running the malware and the beginning of the encryption process. Given that the malware reboots the machine, this is almost certainly to allow a reasonable amount of time to propagate across networks,” Forcepoint points out.

What fully set Petya/NotPetya apart from previous variants was the use of several tools for lateral movement. In addition to a modified EternalBlue exploit, the malware employs the EternalRomance exploit, Mimikatz for credential gathering, and WMIC (Windows Management Instrumentation Command-line) and PsExec for spreading within the compromised network.

The combination of tools lets the ransomware compromise even fully patched systems, and reports of organizations that had patched against EternalBlue but were still infected have already emerged. Once a single computer in the network is compromised, the malware can reach the rest with stolen credentials alone, without needing the SMB exploits.

“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets and all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionalities with stolen credentials. It then tries to remotely execute the malware using either PSEXEC or WMIC tools,” Microsoft explains.
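The scanning behavior Microsoft describes leaves a recognizable footprint in flow or firewall logs: one internal host, often a workstation, opening connections to many distinct peers on tcp/139 and tcp/445 within seconds. The following PowerShell script is an added example, not code from the article or from Microsoft’s write-up; it flags that fan-out pattern over a handful of constructed key=value flow records. The record format, the field names (src, dst, dport), and the thresholds are assumptions, so adapt the regex and the parameters to your own firewall or NetFlow export.

```powershell
# Added example: detect one source fanning out to many SMB peers in a short window.
# Sample records below are constructed for this demonstration; the format is an assumption.
$SampleLog = @'
2017-06-27T11:02:14Z src=10.1.2.15 dst=10.1.2.20 dport=445 action=allow
2017-06-27T11:02:14Z src=10.1.2.15 dst=10.1.2.21 dport=445 action=allow
2017-06-27T11:02:15Z src=10.1.2.15 dst=10.1.2.22 dport=139 action=allow
2017-06-27T11:02:15Z src=10.1.2.15 dst=10.1.2.23 dport=445 action=deny
2017-06-27T11:02:16Z src=10.1.2.15 dst=10.1.2.24 dport=445 action=allow
2017-06-27T11:02:16Z src=10.1.2.15 dst=10.1.2.25 dport=445 action=allow
2017-06-27T11:02:17Z src=10.1.2.15 dst=10.1.2.26 dport=445 action=allow
2017-06-27T11:02:18Z src=10.1.2.15 dst=10.1.2.27 dport=445 action=allow
2017-06-27T11:02:18Z src=10.1.2.15 dst=10.1.2.28 dport=445 action=allow
2017-06-27T11:02:19Z src=10.1.2.15 dst=10.1.2.29 dport=139 action=allow
2017-06-27T11:02:19Z src=10.1.2.15 dst=10.1.2.30 dport=445 action=allow
2017-06-27T11:03:01Z src=10.1.2.40 dst=10.1.2.5 dport=445 action=allow
2017-06-27T11:03:05Z src=10.1.2.40 dst=10.1.2.5 dport=445 action=allow
2017-06-27T11:04:09Z src=10.1.2.41 dst=10.1.2.5 dport=443 action=allow
'@

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $MinPeers = 8,        # distinct SMB peers that count as suspicious (assumed threshold)
        [int] $WindowSeconds = 60   # sliding window length (assumed)
    )
    $pattern = '^(?<ts>\S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<port>\d+)'

    # Keep only SMB/NetBIOS session attempts; denied attempts count too, a scanner
    # does not care whether the port answered.
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.port -in @('139', '445')) {
            [pscustomobject]@{
                Time = [DateTimeOffset]::Parse($Matches.ts).UtcDateTime
                Src  = $Matches.src
                Dst  = $Matches.dst
            }
        }
    }

    # For every source, slide a window over its events and report the densest one.
    $hits = foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $best = $null
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $MinPeers -and ($null -eq $best -or $peers.Count -gt $best.Peers)) {
                $best = [pscustomobject]@{
                    Src         = $group.Name
                    Peers       = $peers.Count
                    WindowStart = $start
                    Targets     = ($peers -join ',')
                }
            }
        }
        if ($best) { $best }
    }
    return $hits
}

# 10.1.2.15 reaches 11 distinct peers in five seconds and is flagged; the two
# ordinary clients talking to a single file server are not.
Find-SmbFanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

A legitimate file server or domain controller also talks to many peers on 445, but as the destination, not the source, so keying on the source address keeps the false-positive rate manageable; exclude known servers from the Src side if they run backup or management agents that genuinely fan out. Microsoft’s note that the malware calls DhcpEnumSubnets() on domain controllers means a DC suddenly appearing as a fan-out source is an especially strong signal.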

As soon as the encryption process starts, the machine is rebooted and the user is shown a message that the disk is being checked for errors. The same tactic was used by previous Petya variants: the malware overwrites the Master Boot Record (MBR) with its own bootloader, which on reboot encrypts the Master File Table (MFT) while displaying a fake CHKDSK screen.

Petya/NotPetya generates an AES-128 key and uses it to encrypt all targeted files. It then encrypts that AES-128 key with the attacker’s RSA-2048 public key and saves the result in a README file, so the file key can be recovered only by whoever holds the matching RSA private key. Because both keys are securely generated, this solid encryption scheme prevents researchers from creating decryption tools for the malware, “unless a subtle implementation mistake has been made,” Kaspersky says.
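To make concrete why a correctly implemented version of this scheme leaves researchers nothing to work with, here is an added example, written for this page and not code from the article or from any analyzed sample. It reconstructs the hybrid construction with the .NET classes available to Windows PowerShell 5.1 (or PowerShell 7 on Windows): an RSA-2048 key pair stands in for the attacker’s key, a fresh AES-128 key encrypts an in-memory string standing in for a victim file, and the AES key is wrapped with the public half only. The function names, the use of CBC with PKCS7 padding, and OAEP for the key wrap are choices made for the example; the article does not specify the sample’s modes or padding.

```powershell
# Added example: per-victim AES-128 file key, wrapped with an RSA-2048 public key.
# Everything stays in memory; no file is touched.

function New-AttackerKeyPair {
    # Attacker side: generated once, offline. Only PublicXml is ever shipped with the malware.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    [pscustomobject]@{
        PrivateXml = $rsa.ToXmlString($true)    # includes the private exponent
        PublicXml  = $rsa.ToXmlString($false)   # modulus and exponent only
    }
}

function Protect-Data {
    param([byte[]] $Plaintext, [string] $PublicXml)
    # Victim side: a fresh random AES-128 key and IV for this victim (mode/padding assumed).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateKey(); $aes.GenerateIV()
    $iv = $aes.IV
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Wrap the AES key under the attacker's public key (OAEP). The wrapped blob is
    # the only surviving copy of the key, the equivalent of the README entry.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($PublicXml)
    $wrapped = $pub.Encrypt($aes.Key, $true)
    $aes.Dispose()   # plaintext key is gone from this side
    [pscustomobject]@{ Ciphertext = $ct; IV = $iv; WrappedKey = $wrapped }
}

function Unprotect-Data {
    param($Package, [string] $KeyXml)
    # Succeeds only when $KeyXml carries the private exponent. With the public half,
    # Decrypt throws a CryptographicException: there is no private key to decrypt with.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($KeyXml)
    $key = $rsa.Decrypt($Package.WrappedKey, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $key; $aes.IV = $Package.IV
    $aes.CreateDecryptor().TransformFinalBlock($Package.Ciphertext, 0, $Package.Ciphertext.Length)
}

$keys   = New-AttackerKeyPair
$secret = [Text.Encoding]::UTF8.GetBytes('constructed stand-in for a victim document')
$pkg    = Protect-Data -Plaintext $secret -PublicXml $keys.PublicXml

# A researcher holding only what is on the infected disk (public key, wrapped key, ciphertext):
try {
    Unprotect-Data -Package $pkg -KeyXml $keys.PublicXml | Out-Null
    'unexpected: decrypted without the private key'
} catch {
    "public key only: $($_.Exception.GetType().Name)"
}

# The attacker, holding the private key, recovers the file key and then the data:
[Text.Encoding]::UTF8.GetString((Unprotect-Data -Package $pkg -KeyXml $keys.PrivateXml))
```

The “subtle implementation mistake” Kaspersky alludes to would have to be somewhere in this flow: a predictable AES key or IV, the plaintext key lingering in memory or on disk after Dispose, or a reused RSA key whose private half later leaks. Absent one of those, the wrapped blob is exactly as hard to open as RSA-2048 itself.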

Paying not an option to recover files

While this has been said over and over again, it has never been truer than in Petya/NotPetya’s case: paying is by no means a valid option. The main reason is that the attackers no longer have access to the Posteo email address listed in the ransom note.

Midway through Tuesday, soon after learning that the email address was being used as part of a malware attack, Posteo decided to block the account straight away. The action is part of the company’s policy of not tolerating the misuse of its platform.

“Since midday it is no longer possible for the blackmailers to access the email account or send emails. Sending emails to the account is no longer possible either,” Posteo notes in a blog post.

While this seems like a logical step to take when encountering email accounts used for nefarious purposes, Posteo’s action certainly did more to hurt victims than help them, as they can no longer contact the attackers to request decryption keys in exchange for proof of payment.

The Bitcoin address to which the attackers direct victims already shows 43 transactions and 3.87408155 BTC received, most probably ransom payments. Petya/NotPetya demands a $300 ransom from its victims.

Not a financially motivated attack

Despite using ransomware, the attack might not have been financially motivated, but rather aimed at data destruction or data theft, security researchers suggest.

“Many companies may be tempted to pay the ransom to get their systems back online. In this outbreak, it appears that the attackers never even attempted to be able to restore files to victims,” IBM’s Diana Kelley notes.

Bogdan Botezatu too notes that this campaign “might not have targeted financial gains but rather data destruction.” He further explains that the use of “a regular, non-bulletproof e-mail service provider,” is the first piece of evidence that the attackers weren’t really interested in getting paid.

Botezatu also told SecurityWeek that there are signs suggesting that the attack was initially targeted at specific companies, but became a global incident after getting out of hand.

He also cites “the lack of automation in the payment & key retrieval process” that “makes it really difficult for the attacking party to honor their end of the promise,” and the fact that the chosen payment confirmation option is rather difficult: “the user has to manually type an extremely long, mixed case ‘personal installation key’ + ‘wallet’ [which] is prone to typos.”

According to Recorded Future, there are reports that the Loki Bot information stealer might have been used in this attack as a secondary payload, suggesting that data theft could have been the purpose of the outbreak.

"Vaccine" available

Unlike the WannaCry outbreak, which was slowed down when a security researcher registered a kill-switch domain, Petya/NotPetya has no such kill switch. However, a local vaccine is available that reportedly stops the ransomware from running on a machine it reaches.

Discovered by Cybereason Principal Security Researcher Amit Serper, the vaccine involves creating a file named perfc (with no extension) in the C:\Windows\ folder. Other security researchers have since confirmed the finding.
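The vaccine is a one-line change, but on a fleet it is worth doing in a way that can be verified afterwards. The script below is an added example, not Cybereason’s own tooling: it creates the perfc file under the Windows directory, marks it read-only (the published vaccine guidance recommended this too, so that a later process cannot casually overwrite or delete it), and exposes a separate check function that returns a boolean so the result can be collected from many hosts. The function names and the elevation check are this example’s own; C:\Windows is resolved from $env:SystemRoot rather than hard-coded.

```powershell
# Added example: install and verify the perfc vaccine. Requires an elevated session,
# since writing into the Windows directory needs administrator rights.

function Install-PerfcVaccine {
    param([string] $WindowsDir = $env:SystemRoot)
    $path = Join-Path $WindowsDir 'perfc'
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough; the vaccine works on the file's presence, not its contents.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Read-only so the file is not trivially clobbered later.
    Set-ItemProperty -LiteralPath $path -Name Attributes -Value ([IO.FileAttributes]::ReadOnly)
    return (Test-Path -LiteralPath $path)
}

function Test-PerfcVaccine {
    param([string] $WindowsDir = $env:SystemRoot)
    $path = Join-Path $WindowsDir 'perfc'
    if (-not (Test-Path -LiteralPath $path)) { return $false }
    $attrs = (Get-Item -LiteralPath $path).Attributes
    return (($attrs -band [IO.FileAttributes]::ReadOnly) -ne 0)
}

# Fail early if not elevated, otherwise the New-Item call fails with an access-denied error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session; writing to the Windows directory requires administrator rights.'
}

Install-PerfcVaccine | Out-Null
if (Test-PerfcVaccine) { 'perfc vaccine present and read-only' } else { 'vaccine not installed' }
```

For a fleet-wide rollout, wrap Install-PerfcVaccine and Test-PerfcVaccine in Invoke-Command against the target list and keep the returned booleans as the record of which hosts are covered. The vaccine only stops this specific variant from running on a host it has already reached; it does nothing about the credential theft and SMB spreading described above, so it complements patching and credential hygiene rather than replacing them.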
