The 27th of June marked a day of yet another global ransomware attack, now known as Petya or NotPetya. The cyber attack seemed to originate in the Ukraine, later spreading to Russia, Spain, France, Britain, and even further afield. There were many theories suggesting how the attack initiated, as well as how it spread and who it was targeting. Primarily, it appeared to stem from a phishing campaign, but experts later discovered that the attack originated from an update to accounting software.
As the situation continues to develop, here I will outline how the cyber attack unfolded, and what the initial perceptions were vs. what we know now, based on what we were able to analyse through our threat intelligence platform.
The initial theory
Petya/NotPetya initially appeared to be a multi-pronged attack that started with a phishing campaign targeting some banking services, critical infrastructure and the government in the Ukraine. The payload of this phishing attack seemed to be an updated version of the Petya ransomware – the older versions of Petya are well-known for their viciousness. Rather than encrypt select files, Petya overwrites the master boot record on the victim machine, it then pops up a fake “CHKDSK” screen (a real Windows disk utility) while it encrypts the Master File Table (MFT), making the machine completely inoperable.
Not long after the ransomware attack had come to the fore, there was plenty of speculation that, similar to WannaCry, the attack was being spread using the ExternalBlue exploit. This would explain why it was able to spread so quickly, having reached, within hours, targets in Spain and France, in addition to the Ukraine and other European countries. Our threat intelligence also indicated that we were starting to see US victims of the attack. Furthermore, there were reports that, in addition to the ransomware, the payload included a variant of Loki Bot. This banking trojan steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. This means that not only could an attack like this make the victim machine inoperable, it could also steal valuable information. Amongst all the confusion and panic triggered by the attack, an attacker could then discretely take advantage of the stolen valuable information.
In addition to the EternalBlue exploit, the new attack appeared to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows. Using WMIC requires a username and password, but because the payload included an information stealer, the attackers had to be able to scrape usernames and passwords from the victim machine. They would then have to use those credentials to jump from one box to the next, even boxes that were patched against the EternalBlue exploits.
How does this connect to the previous month’s WannaCry?
Interestingly, while there was no evidence that this attack was connected to WannaCry, it did look as though it was building on the success of that attack. The attackers behind the Petya/NotPetya attack appeared to have closely watched the lessons learned from the WannaCry attacks. Due to this it seemed they had built in additional capabilities, such as the use of the information stealer and the WMIC commands, to offset some protections that organisations may have put in place to protect against another WannaCry attack.
Nevertheless, the timing of the attack actually makes a lot of sense. The WannaCry attack did serve as a wake-up call for many organisations, but there is a significant difference between understanding the problem and taking action, especially in large risk-adverse organisations. While these organisations may have been aware of the need to patch, the process can still take one or two months. Therefore, many of these organisations may have been in the process of patching, but it is doubtful that they would have been able to completely patch everything. Given another few weeks, a lot of these businesses would have been fully patched, so if you were going to try again with a similar attack, that was the perfect time to do it.
The latest theory – compromised accounting software
While initial reports of the attack indicated that the delivery vector may have been a phishing campaign, as the dust settled, it in fact appeared that the attack originated from an update to accounting software called Me.Doc. According to reports, this software is mandated by the Ukrainian government. It now seems that the payload delivery was embedded inside the most recent software update and executed inside the target organisations. This type of delivery method is generally associated with advanced attacker groups, however, certain vulnerabilities within the Me.Doc software meant that sending out the disguised malware may have been a fairly simply task.
Nonetheless, it should be noted that, at this time, Me.Doc has denied that their software was used in the attack. However, on the 4th July, police in Ukraine seized Me.Doc’s servers as part of an ongoing investigation into their offices, which could lead to the accounting software firm facing criminal charges.
Petya author releases master decryption key
If there is any good news to come out of this attack it is that the developer of the original Petya ransomware has released his master decryption key. The developer, who goes by the name Janus, published a link to a file that contained the master decryption key, as confirmed by multiple security researchers.
This key will not work on the NotPetya ransomware, which, while borrowing heavily from Petya, uses a different encryption scheme. However, it will work on any rogue versions of the original Petya or GoldenEye ransomware out there. Petya and GoldenEye are still occasionally sold as part of Ransomware as a Service (RaaS) campaigns, though the RaaS has been very quiet this year.
How can we avoid damage from these types of attacks?
These attacks are unpredictable, with regard to both who and what they will target, as well as when. However, the damage from these types of attacks, even sophisticated ones like the Petya/NotPetya, can be avoided.
I would suggest all organisations take note of the following three simple steps in order to lessen the impact and repercussions should we suffer another attack in the near future:
1. Patch: It is important to keep potentially exposed systems like windows, web browsers, plug-ins and Microsoft Office fully patched to protect against known vulnerabilities.
2. Restrict: Use Microsoft’s Group Policy Object (GPO) to restrict or remove administrative tools from Desktops, that includes not only the Windows Management Instrumentation (WMI) but also PowerShell and other scripting languages. Most users do not need access to these tools, so removing them keeps your organisation safer. Note, that in this particular attack, implementing both of these steps is required to protect your organisation. If you implement just one, you will still be vulnerable.
3. Educate: When a major attack like this is going on let network users know that they can increase situational awareness and act with more caution. Keeping everyone informed, but not panicked, will increase the capability of security team.
As the first week of developments in the NotPetya cyberattack showed, the attack is fast moving and there are likely to be further discoveries on the horizon. With the outbreak of WannaCry in May and then NotPetya in June, it would be wise to expect, and be prepared for, another attack of this nature. If they have not done so already, organisations must ensure all of their potentially exposed systems are patched, that they have permission controls in place, and that they promote cybersecurity awareness and education throughout their company. While cyber attacks like this are inevitable, the repercussions can be lessened, if not avoided, by organisations maintaining a secure information technology infrastructure.
Allan Liska, Intelligence Architect, Recorded Future
Image source: Shutterstock/Carlos Amarillo