The NotPetya malware that encrypted files and incapacitated thousands of Windows computers across the globe this week is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts according to www.bleepingcomputer.com/...
Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like ransomware, instructing victims to make Bitcoin payments, but analysis of the source code revealed that users will never be able to recover their files: the original Petya saves a randomly generated infection ID that is used to perform the decryption, while NotPetya does not. This reinforces the theory that the main goal of the NotPetya attack was not financial, but destructive.
The author of the original Petya also made it clear that NotPetya is not his work, dispelling any rumors that this was a Petya offshoot.
Slovakian security software firm ESET released statistics on Thursday showing 75% of the infections detected among its global customer base were in Ukraine, and that all of the top 10 countries hit were located in central, eastern or southern Europe.
From www.bleepingcomputer.com/… -
With the point of origin and most victims residing inside its borders, it's pretty obvious that Ukraine was the victim. There is no palpable evidence to point the finger towards an attacker, but Ukrainian officials had already blamed Russia, who they accused in the past of several other cyber-incidents going way back to 2014.
The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware.
See www.bleepingcomputer.com/… for some more technical details on the malware.
Infection Vector
The malware was first deployed using the software update process for a legitimate accounting software product called MeDoc. Once a PC gets infected, it rapidly infects other PCs across an organization.
From newatlas.com/... -
Early reports hypothesizing the source of the infection as coming from some Ukrainian accounting software called MeDoc have now been confidently verified by Microsoft. The company's security blog says, "Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process."
According to www.theregister.co.uk/…, NotPetya and other similar malware use various methods to gain admin access to computers, lift admin credentials out of RAM, and reach other systems on the internal network -
- By using various exploits originally created by the NSA (see below).
- Tricking a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges.
- Feeding a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya used this method with the MeDoc accounting software update.
- Similarly via phishing emails.
Vaccine
www.bleepingcomputer.com/… describes a vaccination technique for individual PCs: creating a file called perfc in the C:\Windows folder and making it read-only causes the NotPetya code to skip its encryption logic.
We should also take preventive measures such as keeping software up to date, enabling anti-virus software, and enabling the firewall in Windows and in home routers.
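The vaccine step above, as an added PowerShell example (my own, not code from the diary or from the bleepingcomputer article): it creates the perfc file in the Windows folder, sets the read-only attribute, and returns a small status object so the result can be checked on many machines at once. It assumes Windows PowerShell 5.x running in an elevated (Administrator) session, since writing to C:\Windows requires it; the function names are mine.

```powershell
# Added example, not from the original diary: create the read-only
# C:\Windows\perfc vaccine file described above and verify it.
# Assumes an elevated Windows PowerShell 5.x session.

function Test-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)   # normally C:\Windows
    $path = Join-Path $WindowsDir 'perfc'
    $exists = Test-Path -LiteralPath $path
    $readOnly = $false
    if ($exists) {
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        $readOnly = [bool]($attrs -band [System.IO.FileAttributes]::ReadOnly)
    }
    # Status object: easy to log or to collect across hosts via Invoke-Command.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $path
        Exists       = $exists
        ReadOnly     = $readOnly
        Vaccinated   = ($exists -and $readOnly)
    }
}

function Set-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)
    $path = Join-Path $WindowsDir 'perfc'

    # Create the (empty) file only if it is not already there.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # Add the read-only attribute without clearing any other attributes.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly

    # Re-check and return the status so callers can assert on Vaccinated.
    Test-PerfcVaccine -WindowsDir $WindowsDir
}

Set-PerfcVaccine | Format-List
```

As the title of the referenced article says, this is a vaccine, not a kill switch: it only stops the encryption payload on the machine where the file exists, so the patching and other measures below still apply.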
Why Masquerade as Ransomware?
Some security researchers, including Kaspersky Lab, believe that the malware was masquerading as ransomware in order to lure the media into covering it as a follow-up to the WannaCry incidents.
WannaCry was the malware that on May 12 struck across Europe, including the UK's National Health Service (NHS); it encrypted Windows hard disks and demanded $300 in Bitcoin from victims to restore their disks. It affected more than 230,000 computers in over 150 countries, with the NHS, Spanish phone company Telefónica and German state railways among those hardest hit.
WannaCry and the NSA
According to www.engadget.com/…, in April a hacking group called The Shadow Brokers dumped a cache of Windows exploits it stole from the NSA (yes, our NSA). The group had decided to start leaking exploits it stole from the agency after it was unable to find a buyer for the government's hacking tools. Inside that April drop was an exploit called "EternalBlue" for a remote code execution vulnerability in Windows (the one addressed by Microsoft's MS17-010 security bulletin). Fortunately, Microsoft had issued a security patch for it in March. But not everyone had applied it to their machines, and that allowed malware such as WannaCry, Petya and NotPetya to set up shop inside vulnerable computers.
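The point above about unapplied MS17-010 patches, and the earlier advice to keep software up to date, both come down to one question an administrator wants answered per machine: is the March 2017 fix installed, and is the SMBv1 server that EternalBlue targets still enabled? The following added PowerShell example (mine, not from the diary or any of the linked articles) reports both. It assumes Windows PowerShell 5.x; the KB numbers are the packages Microsoft published for MS17-010, and Get-SmbServerConfiguration exists only on Windows 8 / Server 2012 and later, so the script reports "Unknown" where it is absent. The function name is mine.

```powershell
# Added example, not from the diary or the linked articles: report whether an
# MS17-010 update package is present and whether the SMBv1 server is enabled.
# Assumes Windows PowerShell 5.x.

# Update packages Microsoft published for MS17-010.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008 (later also XP / 2003)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Installed hotfixes whose ID matches the list above.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # SMBv1 server state; the cmdlet does not exist on Windows 7, so keep
    # "Unknown" distinct from "Enabled".
    $smb1 = 'Unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { 'Enabled' } else { 'Disabled' }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010KbsSeen = ($found | ForEach-Object { $_.HotFixID }) -join ','
        HasMs17010     = ($found.Count -gt 0)
        Smb1Server     = $smb1
    }
}

Get-Ms17010Status | Format-List
```

One caveat when reading the output: later cumulative updates supersede these packages, so on a fully updated Windows 10 machine HasMs17010 can be false without the machine being vulnerable; treat a false result as "verify the current cumulative update", not as proof of exposure. Smb1Server = Disabled removes the attack surface EternalBlue used regardless of which KB is listed.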
NSA’s exploits have amusing names such as ESKIMOROLL, EMPHASISMINE, ETERNALROMANCE, ETERNALBLUE, ETERNALCHAMPION, ERRATICGOPHER, ETERNALSYNERGY, EMERALDTHREAD, ESTEEMAUDIT, EXPLODINGCAN and EASYPI. See www.theregister.co.uk/… for additional info.
Lawmakers (Democrats, of course) are getting concerned about the ability of NSA to protect these weapons and are seeking answers. E.g., see “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons” — www.nytimes.com/…
RaaS — Ransomware-As-A-Service
Developers of ransomware software are now making it affordable and convenient for small and large criminal organizations and terrorist groups to adopt this technology.
From www.forbes.com/… —
RaaS (Ransomware-As-A-Service) is designed to make cybercrime accessible to anyone, no matter how limited their programming mastery. Advanced cybercriminals author the malicious code, then make it available for others to download and use. The authors may provide the ransomware for free or charge a small fee up front, often opting to take a cut of each ransom. This incentivizes a higher volume of attacks and higher ransom requests.
Ransomware is not only cheap to purchase and download; it’s also easy to spread. In comparison to other types of popular attacks, you don’t need to be tech-savvy or have expensive equipment, which means more and more cybercriminals are turning to this type of misconduct. It also produces a quicker payout than stealing credit card data or personal information. Perhaps most importantly, there is a lower risk of being caught due to the anonymity of Bitcoin.
See blog.trendmicro.com/… and thehackernews.com/… for examples of RaaS available on the dark web.
Meanwhile, our government is focusing on deporting undocumented workers and their families on petty charges and stopping grandmas from entering the U.S.
What’s the Matter with Ukraine?
Ukraine has been the unfortunate target of Russian cyber warfare for the past several years. This article at Wired about Russian cyber warfare in Ukraine is quite startling in its revelations and implications.
And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyberassault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cybersecurity.
The Future
The threat from cyber warfare goes well beyond fake news, Twitter/Facebook bots and the destruction of computer systems. How secure are our voting systems, the computers that run our infrastructure, and our weapons systems, especially against an enemy with deep pockets, technical resources and a psychopathic attitude?
And how can we protect ourselves when people in high places are compromised and will take no steps to counter these threats let alone investigate them?
References
- Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware — www.bleepingcomputer.com/…
- Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide — www.theregister.co.uk/…
- Is the "NotPetya" ransomware a Russian cyberattack in disguise? — newatlas.com/…
- Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak — www.bleepingcomputer.com/…
- The day a mysterious cyber-attack crippled Ukraine — www.bbc.com/…
- Ransomware-As-A-Service: The Next Great Cyber Threat? — www.forbes.com/…
- Outsourcing crime: How Ransomware-as-a-Service works — blog.trendmicro.com/…
- How An Entire Nation Became Russia's Test Lab for Cyberwar — www.wired.com/…
- Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons — www.nytimes.com/…
P.S. Thanks to modern technology, I wrote and published this diary online while flying on a commercial jetliner :-)