Cybersecurity in the News: NotPetya Ransomware Attack

Countries around the world are dealing with the aftermath of another costly cyber attack, which was aimed at government systems and large global corporations.

The latest attack, known as NotPetya, disguised itself as the infamous Petya ransomware but was not designed to make money like Petya, according to an Information Security Researcher known as the grugq. Rather, it was designed to cause mayhem and wage cyber war primarily against Ukraine.

This comes just weeks after the WannaCry ransomware attack, which affected over 400,000 machines and once again put cybersecurity on the global stage.

And while it’s too soon to tell just how many machines were affected, the NotPetya cyber attack has spread to at least 64 countries, including Ukraine, Russia, France, Spain and the United States, as well as several major global companies. Unlike the WannaCry ransomware attack, victims are unable to recover lost files, even if they were willing to pay ransom — deeming this a wiper attack, i.e., one that encrypts data to make it unrecoverable.

The technical facts

The primary infection vector was a compromised update from the MeDoc accounting software, one of only two approved accounting software programs in Ukraine, per the grugq. By design, this attack targeted businesses located in or who do business in Ukraine and, by extension in some cases, their partners and related entities.

Microsoft reports that this new malware has worm capabilities — which allow it to move laterally across an infected network. Using an exploit known as EternalBlue — among others — along with common system administration tools, NotPetya attempts to leverage a single infected point of entry to infect other computers and spread across an entire internal network. EternalBlue is attributed by many to have been developed by the National Security Agency and leaked in April by a group of hackers known as the Shadow Brokers making it freely available to creators of malware.

Act before it’s too late

Cyber attacks aren’t cheap, and the consequences can be long lasting. Prior to NotPetya, one South Korean hosting company paid $1 million in ransom after suffering an eight-day outage. As cyber criminals gain more experience and the industry becomes more lucrative, attacks are only expected to increase and become more complex. Arm your company with the strategy and tools necessary to detect, defend against and respond to cyber attacks before it’s too late.

One way to protect yourself from a cyber attack is to hire a trusted cybersecurity firm to conduct a penetration test, which is a simulated attack that identifies weaknesses but does not use them to inflict damage on your system — as a real attacker would do. That is, a penetration test is a real “attack,” in that it uses similar Tactics, Techniques and Procedures (TTPs) as those used by cyber criminals, but the result is not lost or corrupted data. The result is knowledge about how to prevent a real attack.

______

For the technical reader:

Below is a rough outline of the TTPs that NotPetya used, which security researchers uncovered by reverse engineering samples of NotPetya. Asylas uses many of these same TTPs in our penetration tests.

  1. Performs checks to determine if it is in a Sandbox or a Virtual Machine (VM).
  2. Attempts to extract credentials from memory.
  3. Lateral movement across the network:
  4. Using the obtained credentials, attempts to copy a malicious DLL to the victim, and if is successful attempts to execute it using psexec and secondarily with wmic.
  5. If psexec and wmic are not successful, execution with EternalBlue (MS17–010).
  6. Obtains the current computer time and creates a scheduled task using first at or schtasks to reboot the computer in one hour.
  7. When the computer restarts, a screen is displayed indicating that the system is repairing an error while encryption of the data is accomplished in the background.
  8. Once complete, evidence such as windows event logs and NTFS journals are removed.

To learn more about our security assessment, penetration testing, managed security services, cybersecurity strategy and more, visit https://www.asylas.com/#services or call 615–499–7600.

For more resources on technical understanding and mitigation of this attack, visit https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/.