NotPetya: Not your average ransomware

Ransomware is often considered a somewhat low-stakes annoyance: in most cases, the data itself doesn’t leave the network and public operations aren’t compromised. NotPetya changed the game: it has shown how wildly damaging ransomware infections can be from here on out. It can feel like science fiction at times, but it is now entirely reasonable to consider any data or device with a CPU and memory on your network as something that can be held hostage by ransomware.

Ransomware has proven to be a lucrative endeavour, and more and more central and important systems are being targeted. CryptoLocker targeted family photos. Later variants somewhat indiscriminately encrypted any user file they had access to, and last month we saw NotPetya locking out machines entirely.

NotPetya was first noticed at the end of June, after taking down government computers and critical infrastructure in Ukraine before spreading further afield. Early repercussions ranged from the reported shutdown of the Kiev metro system to freezing the IT systems of global shipping firm A.P. Moller Maersk. It was an attack that echoed WannaCry, using the same NSA exploit – EternalBlue – but with a new twist: a different ransomware variant which prevented victims from rebooting their systems.  

NotPetya didn’t just encrypt data for a ransom but instead hijacked computers, preventing them from working altogether. In contrast to previous ransomware variants, application, file and database servers were all taken offline by this attack. Infections were reported worldwide, with some victims only recently regaining use of their services and others, such as Reckitt Benckiser, announcing a potential loss of revenue in the region of £100 million.

The NotPetya Pandemic 

NotPetya was initially thought to have been spread throughout corporate networks using emails with infected Word documents exploiting a particular vulnerability. In a situation similar to the WannaCry attack, those who had patched that vulnerability were protected from this attack.

However, it soon emerged that the financial software of MeDoc, a Ukraine-based firm, was in fact the attack vector. MeDoc’s software update feature was hacked and used to distribute the ransomware: once a single machine became infected, it rapidly spread to other devices which hadn’t applied the aforementioned patch. Additionally, via PsExec, even patched machines could become infected if PowerShell was left enabled on them.

This two-phase process of global distribution reveals a very deliberate and sophisticated approach to ransomware distribution: spreading across the internet through the compromised update channel, then between local machines within the confines of a single network. The ‘NotPetya’ moniker speaks directly to some of the challenges in identifying and defending against malware today: the variant was originally thought to be ‘Petya’ ransomware, but it turned out to share only a portion of Petya’s code, behaviour and approach, and was instead a different piece of malware that had evolved from the original variant.

How it works 

Once a machine is infected, NotPetya waits for approximately one hour before rebooting the machine, most likely to give itself time to infect more machines. At this point, NotPetya executes four steps:

  • Encrypts the Master File Table (MFT) of locally attached drives 
  • Copies itself into the Master Boot Record (MBR) for the infected workstation/server 
  • Forces a reboot of the machine so users are locked out 
  • Displays the ransom demand lock screen 

Encrypting the MFT means that the individual workstation or server is taken offline until the ransom is paid, which has the potential to disrupt an organisation far more than if just some files on a server were affected. In many cases, these machines need to be individually assessed and remediated; the standard ‘restore files from backup’ response is ineffective at this point. This makes recovery particularly difficult for companies with remote installations worldwide, such as A.P. Moller Maersk.

Furthermore, brutally efficient mechanisms like MFT lockouts are making their way into future releases, and central code distribution points, from MeDoc to security updates to GitHub and other open source repositories, should all be considered potential attack vectors.

Defend and protect 

The first line of defence against a NotPetya-type attack closely mirrors the step many organisations will have taken to protect against WannaCry: apply the patch distributed by Microsoft. While it’s critically important to keep systems updated with the latest patches to close immediate security gaps, in the long run organisations need to review their security policies and make sure they’re adapting to today’s threat environment.

Attempting to identify ransomware by what it looks like is akin to trying to prevent bank robberies by tracking how tall the people waving guns around the lobby are. Far better to treat anyone who walks up to the teller and makes a demand as a threat. By tracking what is actively happening instead of where actions happen to originate from, you can capture threats whatever the source. After all: is there a material difference to a company if its IT systems are offline for a week due to a malicious insider vs the latest ransomware variant vs a whitelisted app that was badly configured? 
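The behaviour-first approach described above can be turned into concrete detection rules. The following is an added example (not code from the article or from Varonis) that triages constructed endpoint telemetry by what a process does rather than what it is: the four steps listed under "How it works" (raw writes to the boot disk, a scheduled forced reboot, mass modification of user files) and the PsExec-style service installation mentioned as the in-network spreading mechanism each become a rule, and findings are combined per process. The event schema, the process names, the rule names and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, host, proc, action, target):
    """Build one telemetry event (assumed schema: ts, host, proc, action, target)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "action": action, "target": target}


# Constructed sample telemetry (not real logs): one benign document save, then a
# single hypothetical process that installs a remote-exec service, rewrites many
# user files in quick succession, writes to the raw disk and schedules a reboot.
SAMPLE_EVENTS = [
    _ev("2017-06-27T10:00:00", "ws01", "winword.exe", "file_write", r"C:\Users\a\report.docx"),
    _ev("2017-06-27T10:00:30", "ws01", "suspect.exe", "service_install", "PSEXESVC"),
    _ev("2017-06-27T10:02:00", "ws01", "suspect.exe", "raw_device_write", r"\\.\PhysicalDrive0"),
    _ev("2017-06-27T10:02:01", "ws01", "suspect.exe", "schedule_task", "shutdown /r /f"),
] + [
    _ev(f"2017-06-27T10:01:{i:02d}", "ws01", "suspect.exe", "file_write",
        rf"C:\Users\a\docs\f{i}.xlsx")
    for i in range(25)
]


def triage(events, mass_threshold=20, window=timedelta(seconds=60)):
    """Return sorted (rule, host, proc) alerts derived from behaviour alone.

    The actor's identity (signed binary, trusted tool, insider) is deliberately
    not consulted: the same actions trigger the same alerts whatever the source.
    """
    alerts = set()
    writes = defaultdict(list)  # (host, proc) -> timestamps of file writes, in order
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["proc"])
        if e["action"] == "raw_device_write" and "PhysicalDrive" in e["target"]:
            alerts.add(("raw_disk_write", *key))          # MBR / boot sector tampering
        elif e["action"] == "schedule_task" and "shutdown" in e["target"].lower():
            alerts.add(("reboot_scheduled", *key))        # forced reboot locks users out
        elif e["action"] == "service_install" and e["target"].upper() == "PSEXESVC":
            alerts.add(("remote_service_install", *key))  # PsExec-style lateral movement
        elif e["action"] == "file_write":
            writes[key].append(e["ts"])
    # Mass file modification: at least mass_threshold writes by one process
    # inside a sliding time window (a normal editor saves one file at a time).
    for key, stamps in writes.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= mass_threshold:
                alerts.add(("mass_file_modify", *key))
                break
    return sorted(alerts)


def escalate(alerts):
    """Combine findings per process: boot-disk tampering plus a reboot is critical."""
    by_proc = defaultdict(set)
    for rule, host, proc in alerts:
        by_proc[(host, proc)].add(rule)
    verdicts = {}
    for key, rules in by_proc.items():
        if {"raw_disk_write", "reboot_scheduled"} <= rules:
            verdicts[key] = "critical"   # machine-level lockout in progress
        elif "mass_file_modify" in rules or "raw_disk_write" in rules:
            verdicts[key] = "high"
        else:
            verdicts[key] = "medium"
    return verdicts


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(escalate(found))
```

Run as-is, the script reports four findings, all against the constructed `suspect.exe`, and none against the editor that saved one document; the combined verdict for that process is "critical". Because the rules key on actions and targets, a misconfigured whitelisted tool or a malicious insider performing the same steps would be flagged identically, which is the point the paragraph above makes.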

Cyberattacks, whether malware, ransomware, or otherwise, are becoming more and more sophisticated. Beyond the advanced execution and new techniques of infection, the objectives of these attacks are evolving as well: NotPetya turned out to be less financially motivated than originally thought, and instead suggests a more nefarious turn, with a longer-term goal of causing more significant and lasting damage.

A global cyberattack can have catastrophic consequences: causing continued economic losses, bringing critical infrastructure to a halt, and exploiting vulnerabilities that will have far-reaching repercussions.  We’ve got to be proactive in planning for attackers breaching the first line of defences and update security practices to protect data from the inside, for when - not if - perimeter security fails.  A unified security strategy that protects critical data and infrastructure from the inside is paramount in maintaining a strong line of defence against these cyberattacks - and will protect organisations from the next big cyberattack. 

Matt Lock, Director of Sales Engineers, Varonis 
