This week saw another large-scale cyber-attack sending shock waves as it hit world-leading enterprises and national IT infrastructures. NotPetya seemed to be yet another successful, fast-spreading ransomware attack, but is now widely believed to be sophisticated wiper malware disguised as ransomware. In this blog post, we will describe the attack and the malware behind it, discuss the meaning and implications of the events and, lastly, present key takeaways and lessons learned.
The attack began early on Tuesday, June 27th, and in the first half of the day appeared to be a widespread attack across Ukraine with no major implications elsewhere. As the day progressed, more and more reports, mainly from Europe and the Americas, indicated that, much as when WannaCry first hit several weeks ago, this attack was spreading fast and infected organizations were taking a major hit.
We believe NotPetya was written by a sophisticated threat actor. NotPetya elegantly implements concepts and exploits that proved successful in Petya and WannaCry, and combines them with additional lateral movement methods and on-screen output designed to trick victims. As a result of the media buzz, the attack and its scope are becoming more difficult to understand and analyze.
Initial Attack Vector and Lateral Movement
The first clue to NotPetya's focus on Ukrainian targets can be found in its initial attack vector. It appears that a legitimate update process (EzVit.exe) for tax accounting software developed by the Ukrainian company M.E.Doc was compromised and executed command lines that dropped the malware. This was confirmed by the Ukrainian Cyber Police and by Microsoft telemetry.
There have also been reports of the malware being dropped by RTF files exploiting CVE-2017-0199, which allows execution of VBS and PowerShell commands contained in HTA files (the exploit downloads the HTA from a URL found in OLE2 objects embedded in, mostly, RTF or DOC files).
Infection based on supply chain vectors is impressive on its own, but lateral movement is this malware's specialty. NotPetya can spread across the network using credentials stolen by an adapted 32/64-bit Mimikatz version. Once credentials are stolen, the malware will rigorously search for network connections (enumerating all network adapters and DHCP leases). It will try to connect to every reachable host on TCP ports 139 and 445. Eventually it will copy its binaries onto the new victim machines and will then attempt to execute them using the legitimate tools PsExec or the WMI command line.
In addition, NotPetya also leverages both EternalBlue and EternalRomance, the recently leaked and patched SMB exploits. Where these exploits apply, they are used to copy and execute the malware.
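The two lateral movement behaviours described above (remote execution through PsExec or WMI, and a single host rapidly connecting to many peers on TCP 139/445) can both be turned into detection logic. The following is an added example written for this post, not code from the original post or from Deep Instinct; it runs over constructed endpoint telemetry in a simplified, made-up line format, and the window and fan-out threshold are tuning assumptions, not values taken from the attack.

```python
"""Two detection heuristics for NotPetya-style lateral movement.

Added example (not from the original post). Input is constructed telemetry
in a made-up "ts|host|kind|key=value|..." line format standing in for
process-creation and network-connection events from an EDR or Sysmon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
# Legitimate remote-execution tools the post names as the execution vehicle.
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe"}
# Assumed tuning: N distinct SMB peers from one host within the window.
FANOUT_THRESHOLD = 5
FANOUT_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry (not real logs). Host WS-017 behaves like an
# infected machine; WS-022 is a normal user touching two file servers.
SAMPLE_EVENTS = """\
2017-06-27T10:01:02|WS-017|proc|image=C:\\Windows\\System32\\wbem\\WMIC.exe|cmd=wmic /node:10.0.0.5 process call create "C:\\Windows\\perfc.dat"
2017-06-27T10:01:03|WS-017|net|dst=10.0.0.5|dport=445
2017-06-27T10:01:04|WS-017|net|dst=10.0.0.6|dport=445
2017-06-27T10:01:04|WS-017|net|dst=10.0.0.7|dport=139
2017-06-27T10:01:05|WS-017|net|dst=10.0.0.8|dport=445
2017-06-27T10:01:06|WS-017|net|dst=10.0.0.9|dport=445
2017-06-27T10:01:06|WS-017|net|dst=10.0.0.10|dport=445
2017-06-27T10:05:00|WS-022|proc|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad report.txt
2017-06-27T10:05:01|WS-022|net|dst=10.0.0.2|dport=445
2017-06-27T10:20:01|WS-022|net|dst=10.0.0.3|dport=445
"""


def parse_event(line):
    """Split one telemetry line into a dict; extra fields are key=value."""
    ts, host, kind, *fields = line.split("|")
    event = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_remote_exec(events):
    """Flag PsExec/WMIC launches whose command line references a DLL or the
    perfc.dat companion file the post mentions."""
    alerts = []
    for ev in events:
        if ev["kind"] != "proc":
            continue
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmd", "").lower()
        if image in REMOTE_EXEC_TOOLS and ("perfc" in cmd or ".dll" in cmd):
            alerts.append((ev["host"], image, ev["cmd"]))
    return alerts


def detect_smb_fanout(events):
    """Flag a host that reaches FANOUT_THRESHOLD distinct peers on SMB ports
    inside FANOUT_WINDOW: worm-style scanning rather than normal file access."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "net" and int(ev.get("dport", 0)) in SMB_PORTS:
            per_host[ev["host"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for host, conns in per_host.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {dst for t, dst in conns[i:] if t - t0 <= FANOUT_WINDOW}
            if len(peers) >= FANOUT_THRESHOLD:
                alerts.append((host, len(peers), t0.isoformat()))
                break  # one alert per host is enough for triage
    return alerts


def analyse(text=SAMPLE_EVENTS):
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return {"remote_exec": detect_remote_exec(events),
            "smb_fanout": detect_smb_fanout(events)}


if __name__ == "__main__":
    for rule, hits in analyse().items():
        print(rule, hits)
```

On the sample, only WS-017 trips both rules: one WMIC launch referencing perfc.dat, and six distinct SMB peers within four seconds. WS-022's two SMB connections fifteen minutes apart stay below the threshold, which is the point of windowing the count rather than alerting on port 445 traffic alone.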
Behavior and Encryption
1. The malware will first overwrite the MBR (hence the resemblance to Petya) with code that displays the ransom message and encrypts the files on the drive.
2. At this point the malware will also check for hashes of process names. Brute-forcing the hashes confirmed those to be Kaspersky, Norton Security or Symantec processes. NotPetya will change its behavior accordingly (for example, not running PsExec) or even not run at all. It will also verify the existence of the DLL perfc.dat (the same sample) to refrain from double execution. This can indeed be used as a kill switch of sorts.
3. It will then carry out its worm-like behavior described above and attempt to move laterally.
4. Then file encryption will start. It is interesting to note that files are encrypted using the file mapping APIs (CreateFileMapping and MapViewOfFile) rather than the more standard ReadFile/WriteFile APIs. We believe this is done to evade heuristic signatures that identify excessive use of the latter. Another evasive measure is deleting logs.
5. Once encryption of files is completed (the list of targeted file types is at the end of this post) the system will randomly reboot within 10-60 minutes.
6. During the boot a chkdsk screen will appear. Meanwhile the Master File Table (MFT) will be encrypted as well.
7. Then, finally, the infamous ransom note will appear.
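Two of the steps above give a defender something concrete to act on: the MBR overwrite in step 1 is detectable by comparing the first sector of the boot disk against a known-good baseline, and the perfc.dat check in step 2 can be turned into a local "vaccine" by creating that file in advance. The following is an added example written for this post, not code from the original post or from Deep Instinct. It assumes (the post does not say) that the malware looks for perfc.dat in the Windows directory and that an empty read-only file satisfies the check; the directory and the disk path are parameters so the logic can be exercised on any system.

```python
"""Host-side hardening and triage helper for the NotPetya behaviour above.

Added example (not from the original post). Assumptions: the kill-switch
file is looked up in the Windows directory (SystemRoot), and the raw boot
disk is r'\\.\PhysicalDrive0' on Windows or /dev/sda on Linux; both are
parameters and the demo() routine uses a temporary directory and a
constructed disk image instead.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SECTOR_SIZE = 512
VACCINE_NAME = "perfc.dat"
# Assumed default locations; override in real use.
DEFAULT_WINDOWS_DIR = os.environ.get("SystemRoot", r"C:\Windows")
DEFAULT_BOOT_DISK = r"\\.\PhysicalDrive0" if os.name == "nt" else "/dev/sda"


def install_vaccine(windows_dir):
    """Create an empty read-only perfc.dat so the 'already running' check
    fails closed. Returns the path that was created or already present."""
    path = Path(windows_dir) / VACCINE_NAME
    if not path.exists():
        path.touch()
    # S_IREAD sets the read-only attribute on Windows; on POSIX it leaves
    # the owner with read permission only, which is enough for the demo.
    path.chmod(stat.S_IREAD)
    return path


def vaccine_in_place(windows_dir):
    """True when perfc.dat exists and is not writable by its owner."""
    path = Path(windows_dir) / VACCINE_NAME
    return path.is_file() and not (path.stat().st_mode & stat.S_IWUSR)


def mbr_digest(device):
    """SHA-256 of the first 512-byte sector of a raw disk or disk image.
    Record this on a clean host; a changed digest means the MBR was rewritten."""
    with open(device, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("short read: %d bytes instead of a full sector" % len(sector))
    return hashlib.sha256(sector).hexdigest()


def has_boot_signature(device):
    """Sanity check: a bootable MBR ends with the 0x55 0xAA marker."""
    with open(device, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    return sector[510:512] == b"\x55\xaa"


def mbr_changed(device, baseline_hex):
    return mbr_digest(device) != baseline_hex


def demo():
    """Exercise both checks against a temp dir and a constructed disk image."""
    work = tempfile.mkdtemp()
    install_vaccine(work)

    image = os.path.join(work, "disk.img")
    clean_mbr = bytes(range(256)) * 2          # constructed 512-byte sector
    clean_mbr = clean_mbr[:510] + b"\x55\xaa"  # give it a boot signature
    with open(image, "wb") as f:
        f.write(clean_mbr)
    baseline = mbr_digest(image)
    unchanged = not mbr_changed(image, baseline)

    # Simulate the sector being overwritten by a different bootable MBR.
    with open(image, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa")
    changed = mbr_changed(image, baseline) and has_boot_signature(image)

    return {"vaccine_in_place": vaccine_in_place(work),
            "mbr_unchanged_on_baseline": unchanged,
            "mbr_change_detected": changed}


if __name__ == "__main__":
    print(demo())
    # Real use (needs administrator/root to open the raw disk):
    # install_vaccine(DEFAULT_WINDOWS_DIR); print(mbr_digest(DEFAULT_BOOT_DISK))
```

Note that the rewritten sector in the demo still carries a valid 0x55AA boot signature, so a signature check alone would not notice it; only the comparison against a previously recorded digest does. Reading the raw disk requires administrator or root privileges, and the baseline should be stored off-host.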
So, it’s not ransomware?
So far, this sounds like a well-planned and well-written piece of ransomware. But it is not. Right from the beginning of the attack, two of its features seemed inconsistent with a ransomware campaign aimed at monetization. First, a single Bitcoin wallet used for all ransom payments is rare. Second, the email address for sending payment and ID information was a regular account on a well-known German webmail service. The email address was deactivated shortly after the attack became known.
Those were early hints of the more important discovery: NotPetya's encryption of files and corruption of the MFT and the MBR are not meant to be reversible. Researcher Matt Suiche was among the first to realize that the overwritten MBR sectors are not stored anywhere and are lost (unlike the original Petya code, which encodes or encrypts them in a reversible manner).
Moreover, the so-called "installation key" is randomly generated and cannot be used to derive a decryption key. And while the encryption seems to use a standard AES implementation, encryption experts are saying there might be bugs in the code that could render files undecipherable even with the right key.
So we now have "ransomware" whose creator we cannot contact, which has irreversibly damaged hard disk sectors and encrypted the MFT and most of the file system, while the encrypted key (which should be decrypted and then used to decrypt the files) is nowhere to be found.
This pretty much proves what everyone has come to realize: this was a destructive wiper attack, using ransomware methods and user experience to attract publicity and amplify the effects of the attack. As mentioned earlier, the combination of powerful lateral movement capabilities and a sophisticated initial attack vector made NotPetya a remarkable campaign and, unfortunately, a successful one in the eyes of its perpetrators.
It remains unclear whether the attack was intended to be contained to Ukraine only. While it is obvious that Ukraine was a big priority for the attackers, we doubt they did not expect the variants to travel much further than that, and quickly, since we believe the attackers fully understood the potential effect and spread this campaign could have.
This attack reminded us yet again that many security solutions struggle with new, unseen and sophisticated malware. Unfortunately, this struggle translates to huge, renowned enterprises with multi-layered security postures still being vulnerable to advanced attack groups.
Another disturbing takeaway is the (rising) use of supply chains and legitimate tools as attack surfaces and enablers. This tactic requires industry officials as well as IT professionals to be more innovative and creative in finding solutions and mechanisms that minimize threats and risks while not creating overly policed, regulated and compliance-oriented (rather than task-oriented) work environments.
Since the start of this attack, Deep Instinct’s Research Team has been collecting and reviewing all samples associated with it. We are happy to report that Deep Instinct’s customers have been fully protected from NotPetya throughout the attack without any need for updates. The predictive nature of Deep Learning as it is applied in Deep Instinct’s technology has once again proven to be essential in protecting against today’s threats.
Targeted File Types
.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
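A defender's first use for this list is an exposure assessment: which files on a share would be hit, and how much data that is, so backups and restores can be prioritized. The following is an added example written for this post, not code from the original post or from Deep Instinct. It normalizes the extension list as it was published (including the stray separators and duplicates that the raw text carried) and runs it over a constructed file inventory of (path, size) pairs, which is what a file-server audit script or an asset database would hand you.

```python
"""Exposure assessment against the NotPetya targeted-extension list.

Added example (not from the original post). The RAW_LIST string is the
extension list as it appeared in the post, separators and all; the
inventory below is constructed sample data, not a real file server.
"""
import os
import re

RAW_LIST = (
    ".3ds, .7z, .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, "
    ".cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc ,docx, .dwg, .eml, "
    ".fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, "
    ".ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, "
    ".sln .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc .vmdk, .vmsd., vmx., "
    "vsdx., vsv, .work .xls, .xlsx, .xvd, .zip"
)

# Constructed inventory: (path, size in bytes). Two entries (.o, .txt) are
# deliberately outside the targeted list.
SAMPLE_INVENTORY = [
    (r"\\fs01\finance\q2.xlsx", 240_000),
    (r"\\fs01\finance\q2.XLSX.bak", 240_000),
    (r"\\fs01\eng\build.sln", 3_000),
    (r"\\fs01\eng\main.cpp", 12_000),
    (r"\\fs01\eng\main.o", 40_000),
    (r"\\fs01\vm\dc01.vmdk", 30_000_000_000),
    (r"\\fs01\it\passwords.kdbx", 8_000),
    (r"\\fs01\it\readme.txt", 1_000),
]


def parse_extension_list(raw):
    """Tokenize on commas and whitespace, strip stray dots, lowercase,
    drop duplicates while keeping first-seen order."""
    seen = []
    for token in re.split(r"[,\s]+", raw):
        ext = token.strip(".").lower()
        if ext and ext not in seen:
            seen.append(ext)
    return seen


TARGETED = parse_extension_list(RAW_LIST)


def at_risk_summary(inventory, targeted=TARGETED):
    """Group the files whose extension is on the list, with counts and bytes
    per extension, sorted by bytes so the biggest exposure comes first."""
    targeted = set(targeted)
    by_ext = {}
    at_risk_files = 0
    for path, size in inventory:
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext not in targeted:
            continue
        at_risk_files += 1
        entry = by_ext.setdefault(ext, {"count": 0, "bytes": 0})
        entry["count"] += 1
        entry["bytes"] += size
    ordered = dict(sorted(by_ext.items(), key=lambda kv: -kv[1]["bytes"]))
    return {"total_files": len(inventory),
            "at_risk_files": at_risk_files,
            "by_extension": ordered}


if __name__ == "__main__":
    print("%d targeted extensions" % len(TARGETED))
    summary = at_risk_summary(SAMPLE_INVENTORY)
    print("%d of %d files at risk" % (summary["at_risk_files"], summary["total_files"]))
    for ext, info in summary["by_extension"].items():
        print("  .%-6s %3d file(s) %15d bytes" % (ext, info["count"], info["bytes"]))
```

On the sample inventory six of the eight files are at risk, and the single .vmdk dwarfs everything else by volume, which is the usual finding: virtual disk images and database files on the list are where the recovery cost concentrates. Extension matching is case-insensitive and uses only the final suffix, so q2.XLSX.bak counts as a .bak file.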