“Unleashing Chaos: The NotPetya Ransomware Attack Decoded”
Destructive ransomware that paralyzed systems worldwide by encrypting the Master File Table (MFT) and spreading rapidly through networks.
What is NotPetya?
NotPetya, also known as Petya.A, is a type of ransomware that emerged in June 2017. At first glance, it appeared to be a variant of the Petya ransomware, which encrypts a victim’s files and demands a ransom payment in exchange for the decryption key. However, NotPetya was much more sinister and destructive.
Unlike traditional ransomware, which aims to extort money from victims, NotPetya was designed to cause maximum disruption and damage. It used a variety of propagation methods, including exploiting the EternalBlue vulnerability, which was previously used by the WannaCry ransomware, to rapidly spread across networks.
The NotPetya attacks have been blamed on the Russian government, specifically the Sandworm hacking group within the GRU Russian military intelligence organization, by security researchers, Google, and several governments.
NotPetya Ransomware WorkFlow
NotPetya was a highly sophisticated and destructive ransomware attack that combined a variety of propagation methods, exploitation techniques, and destructive payloads to cause widespread disruption and damage. Its ability to rapidly spread across interconnected networks and its destructive wiper component set it apart from traditional ransomware attacks, making it one of the most devastating cyber incidents in recent history.
Here’s a simplified step-by-step explanation of how NotPetya worked:
1. Initial Infection: Spread through a malicious update of a Ukrainian accounting software called M.E.Doc.
2. EternalBlue Exploit: Used the EternalBlue vulnerability in the SMB protocol to spread across networks.
3. Mimikatz Tool: Extracted and exploited Windows credentials to move laterally across networks.
4. Disk Encryption: Encrypted the Master File Table (MFT), making the system unbootable and inaccessible.
5. Fake Ransom Note: Displayed a fake ransom note demanding payment in Bitcoin.
6. Wiper Malware: Included a wiper component to destroy critical system files, making system restoration impossible (the wiper erases the hard disk or any static memory).
The above might look strange what is EternalBlue? , what is SMB protocol? , what is the Master File Table (MFT) of the NTFS file system? let’s go deeper into it one by one:
What is EternalBlue?
The EternalBlue vulnerability is a critical software vulnerability that was initially discovered by the U.S. National Security Agency (NSA). It affects the Windows Server Message Block (SMB) protocol and was later leaked by a group known as the Shadow Brokers in April 2017. EternalBlue has been exploited by various malware strains, including the WannaCry and NotPetya ransomware attacks, to propagate and spread rapidly across networks.
How EternalBlue Works
Vulnerability Details: EternalBlue exploits a vulnerability in Microsoft’s implementation of the SMB protocol, specifically in the way the Windows operating system handles certain SMBv1 transactions. The vulnerability is a buffer overflow exploit, which occurs when a program tries to store more data in a buffer (a temporary data storage area) than it was intended to hold.
Exploitation Process:
Initial Trigger: The attacker sends a specially crafted packet to a target machine running a vulnerable version of the SMB protocol (SMBv1)
Buffer Overflow: The malicious packet triggers a buffer overflow in the SMB server process, allowing the attacker to overwrite the server’s memory and gain control over the targeted system.
Code Execution: Once the attacker gains control over the system, they can execute arbitrary code, such as deploying malware or additional exploits to further compromise the system.
Propagation: Malware like WannaCry and NotPetya leveraged EternalBlue to propagate across networks by scanning for and exploiting other vulnerable machines within the same network.
Impact of EternalBlue vulnerability
The EternalBlue vulnerability is particularly dangerous because it allows for the rapid and automated spread of malware across interconnected networks without requiring user interaction. This capability makes it highly effective for large-scale, worm-like cyberattacks.
Patch and Mitigation
Microsoft released a security update (MS17–010) to patch the EternalBlue vulnerability shortly after its public disclosure. Organizations are strongly advised to apply this patch and disable SMBv1 to mitigate the risk of exploitation.
Recommendations to Mitigate EternalBlue Vulnerability:
Apply Security Patch: Ensure that the MS17–010 security update is applied to all Windows systems to patch the EternalBlue vulnerability.
Disable SMBv1: Since the vulnerability affects SMBv1, disabling this outdated and insecure version of the SMB protocol can help mitigate the risk of exploitation.
Network Segmentation: Implementing strict network segmentation can help contain the spread of malware and limit the damage in the event of a successful EternalBlue exploit.
Intrusion Detection and Monitoring: Employing intrusion detection systems (IDS) and monitoring network traffic for signs of EternalBlue exploit attempts can help identify and mitigate potential threats.
Windows Server Message Block (SMB) protocol
The Server Message Block (SMB) protocol is a network file-sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. Developed by IBM in the 1980s and later adopted by Microsoft, SMB has become one of the most widely used network protocols for file and printer sharing in local area networks (LANs) and wide area networks (WANs).
In general, it is a language that computers uses to talk and share files in a network.
Key Features- File and Printer Sharing, Authentication and Authorization, Name Resolution (SMB relies on the NetBIOS or DNS naming conventions to resolve the names of computers and shared resources on the network, making it easier for users to locate and access the resources they need.), Data Transport (between client and server computers,)
Now what was the specific part of SMB that EternalBlue exploited???
The specific part of the Server Message Block (SMB) protocol that the EternalBlue exploit targeted is a vulnerability in the way Windows handles certain SMBv1 transactions, particularly the handling of the “SMB_COM_TRANSACTION” subcommand(The “SMB_COM_TRANSACTION” subcommand is used to execute a remote procedure call (RPC) between the client and the server. It allows the client to send a request to the server to perform a specific operation, such as reading or writing data to a file, and receive a response from the server).
The EternalBlue exploit leverages a buffer overflow vulnerability in the “SMB_COM_TRANSACTION” subcommand of the SMBv1 protocol. Here’s a breakdown of how the exploit works:
Crafted Packet: The attacker sends a specially crafted packet to a target machine running a vulnerable version of the SMBv1 protocol.
SMB_COM_TRANSACTION Subcommand: The malicious packet triggers a buffer overflow in the SMB server process when processing the “SMB_COM_TRANSACTION” subcommand.
Memory Overwrite: The buffer overflow allows the attacker to overwrite the server’s memory with malicious code, gaining control over the targeted system.
Master File Table (MFT)
The Master File Table (MFT) is a crucial component of the NTFS (New Technology File System) file system used by Windows operating systems. The MFT is a database that stores information about every file and directory on an NTFS-formatted volume. It acts as a “map” or “index” that the operating system uses to locate files on the disk.
Mitigation
It was found that it may be possible to stop the encryption process if an infected computer is immediately shut down when the fictitious chkdsk screen appears.
Creating read-only files named perfc and/or perfc.dat in the Windows installation directory could prevent the payload of the current strain from executing.
The email address listed on the ransom screen was suspended by its provider, Posteo, for being a violation of its terms of use. As a result, infected users could not send the required payment confirmation to the perpetrator.
If a computer’s filesystem was using a FAT-based file system (like FAT16 or FAT32), NotPetya did not encrypt the Master File Table (MFT). Instead, it only displayed the ransomware message without actually encrypting the user’s files. This is because the FAT file system does not have an MFT like the NTFS file system does.
FAT file system- The File Allocation Table is a data structure that the file system uses to keep track of the status of each cluster (a group of disk sectors) on the storage device. It records which clusters are allocated to which files and directories, allowing the operating system to efficiently read and write data to the disk.
The Global Impact
The NotPetya attack had a global impact, affecting organizations in more than 65 countries. Some of the most high-profile victims included:
• Maersk: The world’s largest container shipping company reported losses of over $300 million due to the attack.
• Merck: The pharmaceutical giant suffered significant disruptions to its operations, leading to a loss of around $870 million.
•Ukrainian Government: NotPetya initially targeted Ukrainian financial, energy, and government sectors, causing widespread chaos and disruption.
During the attack initiated on 27 June 2017, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks, and metro systems were also affected. It is said to have been the most destructive cyberattack ever. During the attack initiated on 27 June 2017, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks, and metro systems were also affected. It is said to have been the most destructive cyberattack ever.
The Cost of Destruction
The financial cost of the NotPetya attack was staggering, with estimates suggesting total damages could exceed $10 billion. However, the true impact of NotPetya extended far beyond monetary losses. The attack disrupted critical infrastructure, paralyzed businesses, and eroded public trust in the digital economy.
Attribution and Motivation
While the initial infection vector and the use of the EternalBlue exploit pointed to similarities with previous cyberattacks, the true motives behind the NotPetya attack remain a subject of debate. Some experts believe that the attack was state-sponsored, with Russia being implicated due to its targeting of Ukrainian infrastructure and the use of a Ukrainian accounting software as the initial infection vector. However, conclusive evidence linking a specific nation-state actor to the attack remains elusive.
Lessons Learned
The NotPetya attack served as a wake-up call for organizations worldwide, highlighting the need for robust cybersecurity measures and incident response strategies. Some key lessons learned from the NotPetya attack include:
1. Patch Management: Organizations must prioritize timely patching and updating of software to mitigate vulnerabilities exploited by malware like NotPetya.
2. Network Segmentation: Implementing strict network segmentation can help contain the spread of malware and limit the damage in the event of a successful breach.
3. Backup and Recovery: Regularly backing up critical data and testing recovery procedures is essential to quickly restore operations in the event of a ransomware attack.
4. User Awareness: Educating employees about the risks of phishing and social engineering tactics can help prevent the initial infection of ransomware.
Conclusion
The NotPetya ransomware attack was a stark reminder of the evolving nature of cybersecurity threats and the devastating impact they can have on organizations and society at large. As cybercriminals continue to innovate and develop more sophisticated attack techniques, organizations must remain vigilant, proactive, and prepared to defend against the ever-present threat of ransomware and other cyber threats.
“ The NotPetya attack was a watershed moment in cybersecurity, demonstrating the potential for weaponized ransomware to disrupt critical infrastructure on a global scale. It underscores the imperative for organizations to adopt a holistic, proactive approach to cybersecurity, focusing on patch management, network segmentation, and user education to mitigate the risks of similar future attacks.”
