Petya (or NotPetya) - Another Global Ransomware Attack

Posted on 27th June 2017, by Secarma


 

Update: 06/07/2017 - 11:00

Three recent developments to watch:

NATO "Countermeasures" - The Guardian quotes a source at NATO saying that this cyber attack could result in an armed response. Real lives at risk because of a cyber attack? This would be a major change.

Return of the attackers - With the email process for recovery closed off, there was no way to make contact to recover files. Today an anonymous post on pastebin.com appears to be the attackers opening a new channel for victims.

Successful decryption - Motherboard is reporting that the attackers have returned because they were able to successfully decrypt a file as a demonstration.

 

Update: 29/06/2017 - 10:00

If you have been affected by this Petya/NotPetya malware variant, then your files are most likely gone forever. Our advice on ransomware in general is "do NOT pay". This is now especially true for this situation and there are two reasons for this.

First, the ransom demands that you pay $300 worth of bitcoins and then email the address “wowsmith123456@posteo.net”. This email address has now been disabled by the mail provider.

Second, analysis of the malware has found that it encrypts files in a manner which (in all likelihood) prevents decryption. Analysis from Kaspersky (see reference [3] at the bottom) confirms that.

In short: if you pay you cannot currently contact the attackers, and if you could contact them, it is unlikely that they could decrypt your files.

Petya (or NotPetya) – Another Global Ransomware Attack: 27th June 2017

Coming soon after WannaCry caused global problems in May, we have been reporting on a similar incident called Petya. Or NotPetya (depending on your take).

People initially called this Petya because previous incidents involving it also affected the booting procedure of victims in a similar way. Analysis showed however that there were significant changes leading to many calling this 'NotPetya'.

Either way, the attack infected machines across the globe in a matter of a few hours and continues to grow. For our purposes we are referring to this as Petya throughout this article, as it's simpler to have a convenient name for us to use.

Initial reports came from Ukraine where it attacked the national bank, transport ticketing systems and Kiev Airport. It would be easy to believe that this was a targeted attack, given the region's continuing problems, however hours later reports had sprung up from countries such as: Spain, the UK, Germany, France, and the US. Perhaps most worryingly, it is reported that the Chernobyl nuclear power station has been forced to monitor radiation levels manually after its sensors were affected.

The malware encrypts the Master File Table (MFT) of a Microsoft Windows machine and then shuts it down. This renders the Master Boot Record (MBR) of a machine unusable, meaning that the machine no longer knows where to look for its files and is unable to boot. All that is displayed is a ransom note, which includes the text shown below:

"If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address... "

This is an evolving incident. At Secarma we are collaborating with various organisations, as well as monitoring social media, to keep our calm and considered voice in the mix. This article will be subject to regular changes.

What do we know at this point?

When it comes to Ransomware the following is required by an attacker:

  1. A payload - something that the attacker wants to run or deliver to a victim
  2. A missile - for delivering the payload to the victim.

There is debate about which missile has been used, summarised as:

  • Phishing - Some claim they observed Phishing attacks reportedly using CVE-2017-0199 (a flaw in Microsoft Office which has an available update). With Phishing, in order to get exploited by this, you would need to open a malicious Microsoft Office document and interact with it. On opening the document the payload would execute on your computer.
  • Malicious Updates - An alternative theory (confirmed by Microsoft) is that the missile was an update process from MEDoc software, which is used in Ukraine. By exploiting the software update process, it is speculated that the attack was able to seed itself rapidly into thousands of computers, and therefore networks, in that region.

The truth may lie somewhere between the two or actually include both. For now two plausible missiles are being discussed.

As with WannaCry the payload this time is Ransomware. The attacker will make sure that you cannot access the files on your computer and will then ask you to pay a ransom to recover them.

Technical Analysis

Secarma is working with a live copy of the malware. We are using reverse engineering to detect the operation mode, and to look for potential weaknesses that may allow people to recover their PCs (though this is never guaranteed).

We have begun our analysis and are finding interesting bits to look into within our debuggers.

So far our analysis shows that it behaves in the manner listed below:

  1. Petya executes on the victim's computer.
  2. It replaces the Master Boot Record (MBR) allowing it to affect the computer pre-boot.
  3. It determines the local network addresses and scans looking for additional internal hosts to infect.
  4. It triggers a reboot of the victim's machine.
  5. The ransom message is displayed.
  6. It encrypts various file types as defined in the binary.
  7. It then seeks to cover its tracks by wiping logs on the affected machine.
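Step 2 in the list above, MBR replacement, is something a defender can check for against a baseline. The following is an added example, not Secarma's analysis code: it parses a 512-byte sector 0 image using the classic MBR layout and reports drift from a known-good copy. The function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 440           # bytes 0-439 hold the bootstrap code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 image into the fields worth baselining."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    body = boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + entry + bytes(48)
    return body + BOOT_SIGNATURE


# Constructed placeholder bytes, not real boot loaders.
KNOWN_GOOD = build_sample_mbr(b"ORIGINAL-LOADER")
REPLACED = build_sample_mbr(b"REPLACED-LOADER")
```

On a real machine the 512 bytes would be read from sector 0 of the physical disk with administrative rights, and the baseline stored off-host.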

Once running on a computer it is capable of spreading by hunting for additional computers to infect. In this manner it is considered to be a Worm.

Early indications are that it leverages the same EternalBlue exploit that WannaCry used. This exploit came from a leaked cache of NSA tools.

Further research indicates that the code uses the PsExec function in Windows to spread. PsExec is a legitimate function used by system administrators to execute commands on another machine on the network. If this is the case, then the impact of this could be much more serious and not limited to outdated or unpatched systems.
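Because PsExec is legitimate, patch level alone will not flag its use; event logs can. The following is an added example, not taken from Secarma's tooling: it correlates a PsExec service install with a later log clear on the same host. It assumes events are forwarded to a central collector before local logs are wiped, that PsExec registers under its default service name PSEXESVC (System event 7045), and that log clearing appears as Security 1102 or System 104. Hostnames, field names and the one-hour window are constructed.

```python
from datetime import datetime, timedelta

LOG_CLEARED = {("Security", 1102), ("System", 104)}
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed sample records, shaped like events held by a central collector.
SAMPLE_EVENTS = [
    {"time": "2017-06-27T11:02:10", "host": "WS-014", "channel": "System",
     "event_id": 7045, "service": "PSEXESVC"},
    {"time": "2017-06-27T11:20:45", "host": "WS-014", "channel": "Security",
     "event_id": 1102},
    {"time": "2017-06-27T11:05:00", "host": "WS-022", "channel": "System",
     "event_id": 7045, "service": "PrintSpoolerHelper"},
    {"time": "2017-06-27T09:00:00", "host": "SRV-003", "channel": "System",
     "event_id": 104},
]


def classify(event: dict):
    """Label a single event, or return None if it is not of interest."""
    key = (event["channel"], event["event_id"])
    if key == ("System", 7045) and event.get("service", "").upper() == "PSEXESVC":
        return "psexec_service_installed"
    if key in LOG_CLEARED:
        return "event_log_cleared"
    return None


def detect(events: list) -> list:
    """Return (host, severity, labels) tuples, sorted by host."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev)
        if label:
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), label))
    alerts = []
    for host, hits in sorted(per_host.items()):
        installs = [t for t, l in hits if l == "psexec_service_installed"]
        clears = [t for t, l in hits if l == "event_log_cleared"]
        # A log clear shortly after a PsExec install is treated as one chain.
        chained = any(timedelta(0) <= c - i <= WINDOW
                      for i in installs for c in clears)
        alerts.append((host, "high" if chained else "medium",
                       sorted({l for _, l in hits})))
    return alerts
```

Administrators who use PsExec routinely will see medium alerts from normal work; the chained case is the one to triage first.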

Recovery

Previous versions of Petya did contain coding flaws, which allowed files to be recovered, however it is not currently known if this method will work on this new variant. Our researchers will look for such flaws in the coming days and weeks.

Detection

VirusTotal is an online service which can be used to subject files to anti-virus scanning from multiple vendors. By uploading a sample of malware it is possible to use VirusTotal to confirm which anti-virus solutions currently detect any known malware:

https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

At the time of writing only thirty-five (35) out of sixty-one (61) anti-virus solutions detected the malware:


Detection rates will improve over time.

Triage Advice

The best current advice is to:

Secarma Support

Secarma consultants are standing by to help any current or new client who is facing this problem. Clients can get in contact with their account manager for advice or help if they have been affected. New clients should contact enquiries@secarma.co.uk

RESOURCES

As well as MalwareTech famously (against his will) responsible for containing the WannaCry incident:

[1] https://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html

28/06/2017: Microsoft has responded to the incident with an excellent article:

[2] https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

It explains how Petya/NotPetya may have started spreading, and goes into detail as to how an infected machine behaves to spread itself laterally.

29/06/2017: Kaspersky (provider of anti-virus solutions) have analysed the malware and determined that each file is encrypted in a non-reversible way. Even if you have paid the ransom, and are somehow able to contact the threat actor, they will not be able to recover your files. For full details please review this article:

[3] https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/

This article is aimed at a technical audience. Secarma agrees with this analysis and states that it is technically accurate.
