On June 26, 2017, a new type of ransomware called NotPetya began attacking computing systems across the globe. It originally targeted major systems in the Ukraine including banks, postal services, airports, power companies, and more. But it quickly spread outside its targeted zone, expanding across 64 countries including Brazil, Germany, Russia, and even the United States. We take a look at what this NotPetya ransomware is, what systems are affected, and how you can stand guard against this specific attack.
What is the NotPetya ransomware?
NotPetya (or Petwrap) is based on an older version of the Petya ransomware, which was originally designed to hold files and devices hostage in turn for Bitcoin payment. However, despite NotPetya’s attempt to collect money in its fast-moving global attack, it doesn’t appear to be strictly out for money. Instead, NotPetya is encrypting the filesystems of machines to damage companies. The ransomware aspect is apparently just a cover.
What makes NotPetya dangerous is that underneath the ransomware-based front is an exploit called EternalBlue, allegedly designed by the United States National Security Administration (aka the NSA). It targets a specific, vulnerable network protocol called Server Message Block (version 1) used for sharing printers, files, and serial ports between networked Windows-based PCs. Thus, the vulnerability allows remote attackers to send and execute malicious code on a target computer. The Shadow Brokers hacker group leaked EternalBlue in April of 2017.
The NotPetya ransomware also includes a “worm” component. Typically, victims fall prey to ransomware by downloading and executing malware disguised as a legitimate file attached in an email. In turn, the malware encrypts specific files and posts a popup window on the screen, demanding payment in Bitcoins to unlock those files.
However, the Petya ransomware that surfaced in early 2016 took that attack a step further by encrypting the PC’s entire hard drive or solid state drive by infecting the master boot record, thus overwriting the program that begins the Windows boot sequence. This resulted in an encryption of the table used to keep track of all local files (NTFS), preventing Windows from locating anything stored locally.
Despite its ability to encrypt an entire disk, Petya was only capable of infecting a single target PC. However, as seen with the recent WannaCry outbreak, ransomware now has the capability to move from PC to PC on a local network without any user intervention. The new NotPetya ransomware is capable of the same lateral network infestation, unlike the original Petya version.
According to Microsoft, one of NotPetya’s attack vectors is its ability to steal credentials or re-use an active session.
“Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines,” the company reports. “Once the ransomware has valid credentials, it scans the local network to establish valid connections.”
The NotPetya ransomware can also use file-shares to multiply itself across the local network, and infest machines that are not patched against the EternalBlue vulnerability. Microsoft even mentions EternalRomance, another exploit used against the Server Message Block protocol supposedly conjured up by the NSA.
“This is a great example of two malware components coming together to generate more pernicious and resilient malware,” said Ivanti Chief Information Security Officer Phil Richards.
On top of NotPetya’s fast, widespread attack, there exists another problem: payment. The ransomware provides a popup window demanding victims to pay $300 in Bitcoins using a specific Bitcoin address, Bitcoin wallet ID, and personal installation number. Victims send this information to a provided email address that responds with an unlock key. That email address was quickly shut down once German parent email provider Posteo discovered its evil intent.
“We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away,” the company said. “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”
That means any attempt to pay would never get through, even if payment were the goal of the malware.
Finally, Microsoft indicates that the attack originated with Ukrainian company M.E.Doc, the developer behind the MEDoc tax accounting software. Microsoft doesn’t appear to be pointing fingers, but instead stated that it has proof that “a few active infections of the ransomware initially started from the legitimate MEDoc updater process.” This type of infection, notes Microsoft, is a growing trend.
What systems are at risk?
For now, the NotPetya ransomware seems to be focused on attacking Windows-based PCs in organizations. For example, the entire radiation monitoring system located in the Chernobyl nuclear power plant was knocked offline in the attack. Here in the United States, the attack hit the entire Heritage Valley Health System, affecting all facilities that rely on the network, including the Beaver and Sewickley hospitals in Pennsylvania. The Kiev Boryspil Airport in the Ukraine suffered flight schedule delays, and its website was knocked offline due to the attack.
Unfortunately, there’s no information pointing to the exact versions of Windows the NotPetya ransomware is targeting. Microsoft’s security report doesn’t list specific Windows releases, although to be safe, customers should assume that all commercial and mainstream releases of Windows spanning Windows XP to Windows 10 fall within the attack window. After all, even WannaCry targeted machines with Windows XP installed.