This isn't ransomware – it's merry chaos
Analysis It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.
The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms. Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, encrypting the infected machines' filesystems.
Although it demands about $300 in Bitcoin to unscramble the hostage data, the mechanisms put in place to collect this money from victims quickly disintegrated. Despite the slick programming behind the fast-spreading malware, little effort or thought was put into pocketing the loot, it appears.
"The superficial resemblance to Petya is only skin deep," noted computer security veteran The Grugq. "Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [latest malware] is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”
Here's a summary of the NotPetya outbreak:
In the beginning
- The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Minikatz to extract network administrator credentials out of the machine's running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them.
- It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.
- Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
- One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
- With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only it starts up when the machine reboots, rather than Windows, allowing it to display the ransom note; it can also encrypt the filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people's data. Needless to say, don't pay the ransom – there's no way to get the keys to restore your documents.
- Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls.
- The precise affected versions of Windows aren't yet known, but we're told Windows 10's Credentials Guard spots NotPetya's password extraction from memory.
- Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.
So far, the vast majority of infections have occurred in Ukraine and Russia, but some big names in the West have also suffered. International advertising conglomerate WPP was taken offline (even its website was down), global law firm DLA Piper was infected and, most worryingly, shipping goliath Maersk is warning of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were borked for hours by the malware.
In Ukraine itself, which appears to be ground zero for the attack, the situation was critical. Large numbers of businesses were caught by the software nasty – the contagion has broken the automatic radiation monitoring systems in Chernobyl, meaning some unlucky scientists are going to have to take readings manually for the time being. Energy companies were hit as well as government agencies.
According to Ukraine's cyber-cops, as well as phishing emails booby-trapped with malware-laden attachments, financial software firm MeDoc was used to infect computers in the ex-Soviet nation. We're told miscreants managed to compromise a software update for the biz's products, which are widely used in the country, so that when it was downloadable and installed by victims it contaminated their network with NotPetya. If this software was running with domain admin access, it would be immediately game over....MUCH MORE