TRENDING

Petya-like malware: the who, how and why

Late on 27 June, the New York Times reported that a number of Ukrainian banks and Ukrenergo, the Ukrainian state power distributor, had been affected by unidentified malware which caused significant operational disruption.

Multiple security vendors and independent researchers subsequently identified the malware as a wormable ransomware variant with functional and technical similarities to Petya. Based on these similarities and continuing confusion, the malware has been dubbed Nyetya, Petna, ExPetr and NotPetya, among others. It has been linked with a large number of infections, a significant proportion of which affected machines in Ukraine.

How NotPetya works

A social media account used by the National Police of Ukraine Cyberpolice Department suggested that the reported infections originated from a compromised software update delivered to users through MeDoc, a Ukrainian accounting software provider. While MeDoc has denied this, Microsoft has confirmed that a small number of infections were the result of malware being delivered to machines by MeDoc’s software update process.

Once the malware was installed, intra-network propagation functions enabled it to rapidly spread between networked machines over the following vectors:

• EternalBlue and EternalRomance exploits: these are exploits for SMB remote code execution vulnerabilities (CVE-2017-0144 and CVE-2017-0145) leaked by the Shadow Brokers in April. These exploits were reportedly used to propagate between networked machines running SMB. Patches for these vulnerabilities were released by Microsoft in March (MS17-010) and in May.

• PsExec: the ransomware used a tool similar to Mimikatz to harvest user credentials. These credentials were then passed to an older version of the PsExec Windows tool, which was dropped by the malware. This tool then attempted to use PowerShell remote functionality to copy itself onto a target machine and begin execution.

• Windows Management Instrumentation (WMI): the malware also enumerated Windows network shares with WMI and attempted to launch a copy of itself on any discovered network shares.

Once installed, the malware functioned similarly to Petya, checking for the availability of administrator privileges by using the Windows API AdjustTokenPrivileges function. If this was successful, the malware would overwrite the infected machine’s Master Boot Record (MBR), rendering it unbootable. If this was not possible, AES-128 keys were used to encrypt each individual file, with the AES keys subsequently being encrypted using an RSA-2048 public key. To obtain the private RSA key necessary to recover the AES keys, victims were instructed to transfer $300 USD in Bitcoin to a specified Bitcoin ID and send their wallet ID and victim ID number in an email to a specified address.

Why?

NotPetya and WannaCry are a sign of things to come, explains Rick Holland, Vice President, Strategy, Digital Shadows

While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry.

In the case of NotPetya, it is highly likely that the ransom payment method was never intended to result in revenue for attackers or the recovery of victim data. Although the email service provider with which the account was registered has publicly announced that this account has been disabled, it has subsequently been reported that victim ID numbers were pseudo-randomly generated rather than being derived from the RSA key used for AES key encryption.

This indicates that it would not be possible for the threat actors to provide victims with the correct decryption key, even if a victim had paid the ransom and succeeded in making contact. Furthermore, Matt Suiche has reported that, unlike Petya, which encrypts an infected machine’s MBR in a reversible manner, this malware reportedly irreversibly overwrote 24 sector blocks of the MBR section of an infected machine’s disk, rendering it permanently inoperable.

With monetary gain as a motivation out of the picture, the most likely motivation left for NotPetya’s behaviour is destructive malicious intent.

Who?

Clues lie in the geopolitical context and the initial target geography of the malware. Kaspersky Labs have claimed a 60/30% split (total number of infections unknown) between Ukraine and Russia. Additionally, the initial attack occurred during the Ukrainian holiday celebrating independence from Russia. Although these facts are interesting – and they do suggest that the malware was actively aimed at the Ukrainian economy – they are circumstantial and do not conclusively link the incident to any particular nation state.

Attribution is and will continue to be a challenge. The technology behind this attack is well within the range of many hacktivists and cybercriminals, and so these details have less diagnostic value when considering the ‘who’. Although speculative, there are other factors to consider: the supply chain compromise, efforts at obfuscation (hiding the wiper as ransomware), the geography that the malware was deployed in and the timing of the deployment

INTELLIGENTCIO
www.intelligentcio.com
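The three propagation vectors listed under “How NotPetya works” (SMB exploitation of hosts missing MS17-010, PsExec launched with harvested credentials, and WMI-launched copies) each leave a characteristic trace in Windows telemetry. The following triage script is an added example, not code from the article or from any vendor: it runs a few such rules over a handful of constructed event records shaped loosely like Sysmon and Windows Security events. The field names, the host patch inventory and the sample events are all assumptions made for illustration; the rule logic reflects widely documented indicators (a PSEXESVC service install, a process whose parent is WmiPrvSE.exe, a handle to lsass.exe with read access, ADMIN$/C$ share access, and inbound port 445 traffic to an unpatched host).

```python
"""Lateral-movement triage for the NotPetya propagation vectors.

Added example, not from the article. Event schema, hosts and inventory
below are CONSTRUCTED for illustration and do not match any real log format.
"""
import re

# Constructed patch inventory: True = MS17-010 applied.
MS17_010_INVENTORY = {"WS01": True, "WS02": False, "FS01": True}

# Constructed sample events (assumed field names, loosely Sysmon/Security-like).
SAMPLE_EVENTS = [
    # System 7045: service installed -> PsExec-style remote execution.
    {"event_id": 7045, "host": "WS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Security 5140: admin share accessed on the same host (PsExec staging).
    {"event_id": 5140, "host": "WS01", "share_name": r"\\*\ADMIN$",
     "account": "svc_backup"},
    # Sysmon 1: process spawned by the WMI provider host -> WMI remote launch.
    {"event_id": 1, "host": "WS02",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\payload.dll,#1"},
    # Sysmon 10: handle to LSASS with PROCESS_VM_READ -> credential harvesting.
    {"event_id": 10, "host": "WS02", "source_image": r"C:\Windows\Temp\dump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Sysmon 3: inbound SMB connection to a host that lacks MS17-010.
    {"event_id": 3, "host": "WS02", "initiated": False, "src_ip": "10.0.0.15",
     "dst_port": 445, "image": "System"},
    # Security 5140: ordinary file-share access, should not be flagged.
    {"event_id": 5140, "host": "FS01", "share_name": r"\\*\Finance",
     "account": "alice"},
]

PROCESS_VM_READ = 0x0010  # access bit needed to read another process's memory
ADMIN_SHARE_RE = re.compile(r"\\(ADMIN|C)\$$")


def _hex_to_int(value):
    """Parse a Sysmon-style hex access mask; unparsable masks count as 0."""
    try:
        return int(str(value), 16)
    except ValueError:
        return 0


def check_event(ev, inventory):
    """Return (rule_name, evidence) if the event matches a rule, else None."""
    eid = ev.get("event_id")
    if eid == 7045:
        blob = (ev.get("service_name", "") + ev.get("image_path", "")).upper()
        if "PSEXESVC" in blob:
            return "psexec_service_install", ev.get("service_name", "")
    if eid == 1 and ev.get("parent_image", "").lower().endswith(r"\wmiprvse.exe"):
        return "wmi_remote_process", ev.get("command_line", "")
    if (eid == 10 and ev.get("target_image", "").lower().endswith(r"\lsass.exe")
            and _hex_to_int(ev.get("granted_access", "0")) & PROCESS_VM_READ):
        return "lsass_memory_read", ev.get("source_image", "")
    if eid == 5140 and ADMIN_SHARE_RE.search(ev.get("share_name", "")):
        return "admin_share_access", ev.get("share_name", "")
    if (eid == 3 and not ev.get("initiated", True) and ev.get("dst_port") == 445
            and not inventory.get(ev.get("host"), False)):
        return "inbound_smb_on_unpatched_host", ev.get("src_ip", "")
    return None


def triage(events, inventory):
    """Run every rule over every event; return a list of finding dicts."""
    findings = []
    for ev in events:
        hit = check_event(ev, inventory)
        if hit:
            rule, evidence = hit
            findings.append({"host": ev.get("host"), "rule": rule,
                             "evidence": evidence})
    return findings


def summarize(findings):
    """Map host -> sorted list of distinct rules that fired on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(triage(SAMPLE_EVENTS, MS17_010_INVENTORY)).items():
        print(host, "->", ", ".join(rules))
```

A host with several distinct rules firing in a short window (here WS02: LSASS read, WMI-spawned process and inbound SMB while unpatched) is the pattern worth escalating; any single rule on its own is noisy, since administrators use PsExec, WMI and admin shares legitimately.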
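The “Why?” section argues that recovery was impossible because the victim ID shown in the ransom note was pseudo-randomly generated rather than derived from the RSA key used to wrap the per-file AES keys. The script below is an added example, not the article’s or any researcher’s code: it models that key handling with a deliberately tiny textbook RSA (256-bit, no padding) and a random 16-byte stand-in for an AES-128 key, then contrasts two ways of producing the victim ID: one where the ID is the RSA-wrapped key itself (so an operator holding the private key can recover the AES key from the ID alone) and one where the ID is unrelated random data (so the same operator gets nothing usable). The key sizes, the hex ID encoding and the function names are assumptions for illustration; no files are encrypted.

```python
"""Why a pseudo-random victim ID breaks the ransom recovery path.

Added example, not from the article. Toy RSA and constructed values only;
nothing here is a usable implementation of any malware component.
"""
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits=256):
    """Textbook RSA with a tiny modulus (assumption: illustration only)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (p * q, e), (p * q, d)


def wrap_aes_key(aes_key, public_key):
    """Operator's public key wraps the per-victim AES key (unpadded toy RSA)."""
    n, e = public_key
    m = int.from_bytes(aes_key, "big")
    assert m < n, "toy modulus must exceed the key as an integer"
    return pow(m, e, n)


def unwrap_aes_key(wrapped, private_key, key_len=16):
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def victim_side_derived_id(public_key):
    """Recoverable design: the displayed ID encodes the wrapped AES key."""
    aes_key = secrets.token_bytes(16)
    victim_id = format(wrap_aes_key(aes_key, public_key), "x")
    return aes_key, victim_id


def victim_side_random_id(public_key):
    """NotPetya-like design: the key is wrapped, but the ID is random noise."""
    aes_key = secrets.token_bytes(16)
    wrap_aes_key(aes_key, public_key)   # wrapped blob stays on the host only
    victim_id = secrets.token_hex(32)   # carries no key material at all
    return aes_key, victim_id


def operator_recover(victim_id, private_key):
    """All the operator has is the ID from the e-mail; try to unwrap it."""
    try:
        return unwrap_aes_key(int(victim_id, 16), private_key)
    except (ValueError, OverflowError):
        return None


def demo():
    """Return whether each ID design lets the operator hand back the key."""
    public_key, private_key = generate_rsa_keypair(256)
    key_a, id_a = victim_side_derived_id(public_key)
    key_b, id_b = victim_side_random_id(public_key)
    return {"derived_id_recoverable": operator_recover(id_a, private_key) == key_a,
            "random_id_recoverable": operator_recover(id_b, private_key) == key_b}


if __name__ == "__main__":
    print(demo())
```

The model makes the article’s inference concrete: possession of the private RSA key is necessary but not sufficient, because the operator also needs something that maps the victim’s message back to that victim’s wrapped key. When the displayed ID carries no key material, the payment channel cannot produce a decryptor even with full cooperation, which is why analysts read a random ID as evidence of a wiper rather than a ransomware business model.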