Petya proving to be more than ransom attacks

June 30, 2017
Now labeled as NotPetya, this malware was all about mayhem not money

Coming just weeks after the WannaCry attack that reached more than 150 countries and hit vulnerable vertical sectors such as healthcare, supply chain and critical infrastructure, another massive cyber attack spread across the U.K., the Netherlands, Russia and Eastern Europe earlier this week. More than 2,000 computer systems in a dozen countries were hit, according to security software firm Kaspersky Lab, which added that the United States, France and Italy were also affected.

Security and intelligence experts point to Ukraine as the epicenter of the Petya attack's most serious damage, with Kaspersky Lab saying that as many as 60 percent of all infected systems were in Ukraine, where victims included critical infrastructure such as mass transit, airports and power plants. While U.S. and U.K. security analysts have enough evidence to suspect North Korea as the culprit behind last month's WannaCry attack, there are no solid leads as to who carried out this week's attack.

Writing in his blog "Krebs on Security," computer security journalist Brian Krebs noted that the Petya "ransomware" is a malware strain that exploits a vulnerability in the Microsoft Windows SMB service that the company patched in March of this year (MS17-010). The WannaCry ransomware exploited the same flaw.

Krebs states that the security firm Symantec confirmed that Petya uses the "EternalBlue" exploit, a cyber weapon believed to have been developed by the U.S. National Security Agency that was leaked online in April by a group known as the Shadow Brokers.

However, many security experts are concerned that the Petya attacks represent a more sinister turn in the practice of ransomware. Unlike WannaCry, which encrypted files and demanded a Bitcoin ransom to unlock them, Petya is not ransomware at all but a "wiper" in effect: it damages the disk with no working path to restore it. So even Petya victims who complied with the ransom demand and paid would never have recovered their files.

Matt Suiche, a former hacker and the founder of Comae Technologies, a cybersecurity firm headquartered in the United Arab Emirates, wrote in a blog post yesterday that "the goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration."

Apparently, more than 45 people worldwide have paid ransoms totaling just over $10,000 in Bitcoin since Tuesday of this week, and there is no evidence that any victim recovered data, leading analysts to surmise that the attacks were more about wreaking havoc and chaos than seeking financial gain.

Because it is ransomware in name only, it has become clear that Petya, or NotPetya as much of the cybersecurity community now tags it, was created as a vehicle of destruction and not one of extortion.

"Clearly, NotPetya is, in a sense, an evolution of WannaCry in that instead of relying on one method for propagation, NotPetya uses multiple methods. Victim compromise can also occur even on systems patched for the EternalBlue vulnerability, thus making NotPetya more resilient and more likely to spread and impact more victims," says Cyxtera's Chief Cybersecurity Officer Chris Day, who was the former CISO at Invincea and former CTO of Packet Forensics. "In addition to the use of multiple propagation vectors, another difference between WannaCry and NotPetya is the fact that NotPetya uses two different encryption schemes depending on the privilege level of the user. Regular users' files are encrypted, while administrator-level users' disks have their Master Boot Record (MBR) encrypted, making it impossible to boot the system (but the files themselves are left intact, making system recovery easier)."

Day contends that the biggest takeaway right now is that we are seeing ransomware evolve from a tool of cyber criminals looking to extort money from their victims into an increasingly dangerous form of cyber weapon that can cause real damage to an organization's ability to function or operate.

“We are observing, I believe, the emergence of increasingly capable and flexible tools that will provide the adversary multiple options against their targets -- for example, extort money from some while crippling others,” adds Day.

Tuesday's attack targeted governments across the globe as well as numerous infrastructure locations and corporate brands. For security professionals like Day, this developing situation has all concerned scrambling to assess potential risk and decide on proper mitigation strategies. His most vehement suggestion is: don't pay the ransom. He has also offered other key takeaways related to NotPetya, including:

  • This malware only has a passing resemblance to the historic Petya malware and thus should NOT be considered the same. This is much more sophisticated than both Petya and the recent WannaCry.
  • The campaign is using multiple propagation vectors:
      o Email (multiple PDF and Word attachment samples have been collected)
      o The EternalBlue exploit used by WannaCry
      o Harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally
      o An attack against the update process of a third-party Ukrainian software product called MEDoc
  • Even a machine patched against the EternalBlue exploit is still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because it can continue to propagate even in fully patched environments.
  • The worst case for an organization is if a user with domain admin credentials is compromised as the entire network becomes at risk via WMIC and remote process execution (psexec).
  • For non-admin victims, the files on the machine are encrypted using a standard AES routine (thus it is unlikely there will be an implementation bug found to allow for non-keyed decryption).
  • For admin (local or domain) victims, the Master Boot Record (MBR) is encrypted (but not the files on disk). Thus, the machine seems bricked but is actually relatively easy to recover. However, this seems to go to a motive that this may actually be more of a disruption attack than a financially motivated crime.
  • There was a single Bitcoin account set up for ransom payments, but it has already been taken down. Thus, there is currently no way for victims to get decryption keys even if they want to pay the ransom. Again, this hints at motive, in the sense that there was possibly never any real intention of collecting significant ransom or of providing a decryption pathway.
  • Because of the attempt to move laterally, environments that have adopted Software-Defined Perimeter architectures to limit lateral movement are likely to see far reduced impact compared to traditional open enterprise networks.
  • A number of next-gen AV systems are now detecting and stopping this.
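Day's third propagation vector (credential harvesting against lsass, then WMIC) and his worst-case bullet (domain-admin credentials reused through WMIC and psexec-style remote process execution) describe a sequence that endpoint telemetry can catch. The following detector is an added example for this article, not code from Day, Cyxtera or any vendor quoted here. It assumes a constructed, tab-separated key=value flattening of Sysmon-style events (ID 1 process creation, ID 10 process access); the hosts, users, addresses, paths and the sample.dll payload name are all made up, and the field names should be mapped to whatever your own pipeline emits.

```python
"""Flag NotPetya-style credential harvesting and lateral movement in
endpoint telemetry.

Added example for this article, not code from the article or from any
vendor quoted in it. It models the sequence described in the text: a
custom capability against lsass, then WMIC and PsExec-style remote
process execution with the harvested credentials. The log format is a
constructed tab-separated key=value flattening of Sysmon event ID 1
(process create) and ID 10 (process access).
"""
import ntpath
from dataclasses import dataclass

# Constructed sample telemetry: every host, user, address and path is
# made up. The first three lines are the malicious pattern on WS-042;
# the last two are benign activity on WS-007.
SAMPLE_LOGS = [
    "EventID=1\tHost=WS-042\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe\t"
    "ParentImage=C:\\Windows\\System32\\rundll32.exe\t"
    "CommandLine=wmic.exe /node:10.0.0.17 /user:CORP\\svc_backup /password:Hunter2 "
    'process call create "rundll32.exe C:\\Windows\\sample.dll,#1"',
    "EventID=1\tHost=WS-042\tImage=C:\\Tools\\PsExec.exe\t"
    "ParentImage=C:\\Windows\\System32\\cmd.exe\t"
    "CommandLine=psexec.exe \\\\10.0.0.18 -accepteula -d rundll32.exe C:\\Windows\\sample.dll,#1",
    "EventID=10\tHost=WS-042\tSourceImage=C:\\Windows\\System32\\rundll32.exe\t"
    "TargetImage=C:\\Windows\\System32\\lsass.exe\tGrantedAccess=0x1010",
    "EventID=1\tHost=WS-007\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe\t"
    "ParentImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=wmic os get caption",
    "EventID=10\tHost=WS-007\tSourceImage=C:\\Windows\\System32\\services.exe\t"
    "TargetImage=C:\\Windows\\System32\\lsass.exe\tGrantedAccess=0x1400",
]

# Processes that legitimately open lsass on a stock Windows host. Extend it
# for your own EDR/AV agents; anything else touching lsass deserves a look.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
REMOTE_EXEC_RULES = {"wmic_remote_exec", "psexec_remote_exec", "psexec_service_on_target"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split a tab-separated key=value line into a dict; values may contain '='."""
    event = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def check_event(event: dict) -> list:
    host = event.get("Host", "?")
    findings = []
    if event.get("EventID") == "1":
        image = _base(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        low = cmd.lower()
        # WMIC creating a process on another node; harvested credentials
        # passed inline on the command line make it a near-certain hit.
        if image == "wmic.exe" and "/node:" in low and "process call create" in low:
            detail = "WMIC remote process creation"
            if "/user:" in low and "/password:" in low:
                detail += " with inline credentials"
            findings.append(Finding(host, "wmic_remote_exec", f"{detail}: {cmd}"))
        # PsExec client pointed at a remote host (\\target).
        if image in {"psexec.exe", "psexec64.exe"} and "\\\\" in cmd:
            findings.append(Finding(host, "psexec_remote_exec", cmd))
        # PSEXESVC running is the footprint on the receiving end.
        if image == "psexesvc.exe":
            findings.append(Finding(host, "psexec_service_on_target", cmd))
    elif event.get("EventID") == "10":
        source = _base(event.get("SourceImage", ""))
        target = _base(event.get("TargetImage", ""))
        if target == "lsass.exe" and source not in LSASS_ALLOWLIST:
            findings.append(Finding(host, "lsass_access",
                f"{source} opened lsass.exe with GrantedAccess={event.get('GrantedAccess', '?')}"))
    return findings


def scan(lines) -> list:
    findings = []
    for line in lines:
        findings.extend(check_event(parse_event(line)))
    return findings


def correlated_hosts(findings) -> set:
    """Hosts showing both lsass access and remote execution: the harvest-
    then-spread sequence, which warrants an immediate isolation decision."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items()
            if "lsass_access" in rules and rules & REMOTE_EXEC_RULES}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("harvest-then-spread hosts:", correlated_hosts(hits))
```

Run against the constructed sample, the three WS-042 events each produce a finding and the host is flagged by the correlation, while the local WMIC query and the services.exe access on WS-007 stay quiet. The individual rules are noisy on their own (administrators do use WMIC and PsExec); the correlation of lsass access with remote execution on the same host is the signal worth paging on.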

The growing list of hacks, breaches and cyber attacks demonstrates the vulnerabilities of critical infrastructure. Michael Daly, the CTO at Raytheon Cybersecurity and Special Missions, warns that cybercriminals will become more emboldened and attacks will occur more frequently, so it will take a cooperative effort between the public and private sectors to build adequate defenses.

“An important point in all of this is the trend we are seeing. We believe there will be more and more cybercrime because of the new models for launching malware. Anyone can launch an attack. You don’t have to be a cyber whiz to inflict cyber damage,” contends Daly. “Various do-it-yourself kits are available as well as ransomware as an outsourced service on the Deep Web forums, making it easy for even nontechnical individuals to set up a ransomware operation. This is especially concerning because attribution can be hard to find when ransomware is done as a service. It also is helping nation states keep their cyber soldiers up-to-date on the latest tools without any government funding.

“We must make our critical infrastructure more cyber resilient from this constantly evolving threat. If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with both economic and safety ramifications. From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it.”

About the Author: 

Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s top security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS.
