Petya/NotPetya 'ransomware' attack hits global systems

Coming so soon after WannaCry, the Petya/NotPetya 'ransomware' attack underlines the need for organisations to stay alert.

By John Oates

Wed 28 Jun 2017 @ 15:02

Dozens of large companies and government organisations have been hit by the latest 'ransomware' outbreak this week, initially identified as a variant of Petya.

The attack began in Ukraine but quickly spread across the world. It used the same NSA-identified hole EternalBlue, which WannaCry also exploited. In a more sophisticated development, the malware also seeks out administrator rights and log-in credentials on infected computers to take control of other machines on the same network. Criminals demanded $300 in bitcoin to decrypt the system.

The attack hit manufacturing, shipping and airport systems. It even took out radiation monitoring systems at Chernobyl. Further afield it hit advertising giant WPP in the UK and a Cadbury’s chocolate factory in Australia.

The program was spread across Ukraine through the update service of a popular piece of tax-return software, as well as through phishing emails.

Further analysis showed the ransomware was actually only superficially similar to Petya. It forces the machine to reboot and then displays what appears to be a CHKDSK run while it is actually scrambling the master file table and encrypting certain file types within the file system.

The malware then scans for other machines on the network it can access and checks the machine’s memory for log-in details to give it admin access. Once it has encrypted the machine it displays the ransom note and payment instructions.

However, unlike WannaCry the new variant does not try to spread beyond the local network.
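The lateral movement described above (harvested credentials reused against administrative shares on every reachable machine) leaves a recognisable footprint: one source host touching the admin shares of many peers within seconds. The following is an added detection example, not code from the article or from any vendor named in it. The log format is a constructed, simplified rendering of Windows share-access events (event ID 5140); the field layout, the sample lines and the thresholds are assumptions chosen for illustration.

```python
"""Flag hosts that fan out to administrative SMB shares on many peers in a short window.

Added example for this article; the log format below is a constructed simplification of
Windows event 5140 ("A network share object was accessed") and is an assumption, as are the
IP addresses, host names and thresholds.
"""
from collections import defaultdict
from datetime import datetime

# Shares that normal users rarely touch but remote-execution tooling relies on.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample log: timestamp, event id, source IP, target host, share path.
SAMPLE_LOG = r"""
2017-06-27T10:14:01 5140 10.0.5.23 FS01 \\FS01\ADMIN$
2017-06-27T10:14:02 5140 10.0.5.23 FS02 \\FS02\ADMIN$
2017-06-27T10:14:02 5140 10.0.5.23 HR-PC7 \\HR-PC7\C$
2017-06-27T10:14:03 5140 10.0.5.23 HR-PC8 \\HR-PC8\ADMIN$
2017-06-27T10:14:04 5140 10.0.5.23 DC01 \\DC01\ADMIN$
2017-06-27T10:14:05 5140 10.0.5.23 FIN-PC2 \\FIN-PC2\C$
2017-06-27T10:20:00 5140 10.0.5.40 FS01 \\FS01\Projects
2017-06-27T10:21:00 5140 10.0.5.41 FS01 \\FS01\Projects
2017-06-27T11:00:00 5140 10.0.5.42 FS02 \\FS02\ADMIN$
2017-06-27T11:30:00 5140 10.0.5.42 FS03 \\FS03\ADMIN$
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, src, target, share)."""
    ts, event_id, src, target, share_path = line.split()
    share = share_path.rsplit("\\", 1)[-1].upper()
    return datetime.fromisoformat(ts), int(event_id), src, target, share


def find_admin_share_fanout(log_text, window_seconds=60, min_hosts=5):
    """Return {source_ip: [hosts]} for sources that reached admin shares on at least
    min_hosts distinct machines inside any window_seconds-long window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, target, share = parse_line(line)
        if event_id == 5140 and share in ADMIN_SHARES:
            by_src[src].append((ts, target))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over chronologically ordered events
        for i, (start, _) in enumerate(events):
            hosts = {t for ts, t in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in find_admin_share_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are deliberately conservative: an administrator pushing a change to a handful of servers looks much the same at the share level, so in practice this rule is tuned per environment and correlated with the account used and the process that opened the connection.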

There are other oddities to this attack.

The attackers asked for a ransom in bitcoins, as is traditional. But they asked for proof of payment to be sent to a specific email address, which was quickly shut down by the attackers’ ISP. Despite the huge spread of the software, the criminals only made a few thousand dollars. The malware also checks, before infecting a machine, for the presence of a particular file in the root of the “Windows” directory; that check has allowed a very simple yet effective vaccine to be created, limiting the damage somewhat.

Typical ransomware attacks have a specific bitcoin address for each victim – so that the crooks know who has paid and victims have some belief that their systems will be decrypted if they pay up – or, as in the case of WannaCry, a decryption facility.

The malware also attacked a limited selection of file types – ransomware usually goes after almost every file type. Security researchers are still trying to work out the true purpose of the attack, if money was not the main intent.

Some media outlets, including the LA Times, suspect that it was a cyber-attack directed at Ukraine as a result of its ongoing hostilities with Russia, or even a dry run for a more sophisticated attack.

Despite the differences in this attack the lessons for organisations remain the same.

Andrew Costis, threat research and incident response engineer at LogRhythm, said: "This has some similarities to WannaCry but it has additional, sophisticated ways to move laterally across the network. It uses the EternalBlue hole, but assuming that hole has been patched, it additionally uses credential harvesting, network shares and looks for sysadmin tools to help it spread."

This attack revealed that some industries that struggle to find downtime to install security updates remain vulnerable to fresh attacks.

But Costis warned that even those companies that are running properly patched systems could still fall victim to this attack.

The attack highlights the importance of restricting privileges, or granting “least privilege”, rather than handing out rights to users who do not need them. Companies should also look at endpoint monitoring, network zoning and security intelligence platforms.

But the lesson for any organisation is that the threat from ransomware is real and is continuing to grow.

Attacks are increasing and they are getting ever more sophisticated in how they spread.

Costis said: “We know these guys have a stockpile of vulnerabilities they can exploit – The Shadow Brokers hacker group actually released a statement to inform the public of their next dump available in July. It is only a matter of time before the attackers refine a future release of ransomware enough to cause some serious damage.”

Ensuring every part of the organisation is patched and protected is a good first step. But the best advice is to assume that an attack will get through, however good your defences are.

That means having proper, tested back-up systems in place and practising how you react if the worst does happen. You need to know that you can quickly and fairly painlessly restore systems if – or rather when – the attackers do get through.
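A “tested” backup means more than a job that reports success: the restore has to be exercised and the restored files compared against what was backed up. The following is an added example, not code from the article or from any product it mentions, showing one way to do that check: build an archive with a manifest of file hashes, restore it to a fresh directory, and report every file that is missing or altered. The directory layout, file names and contents are constructed in a temporary directory so the script runs offline; they are assumptions, not data from any real system.

```python
"""Back up a directory tree, then prove the backup restores cleanly.

Added example for this article. All paths and sample files are constructed in a
temporary directory and are assumptions; the technique (manifest of hashes, restore
to a scratch location, compare) is what matters.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return {relative_path: sha256} for every regular file."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest, dest_dir):
    """Extract into dest_dir and return the relative paths that are missing or altered."""
    dest_dir = Path(dest_dir)
    # Use the safe 'data' extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive_path), "r:gz") as tar:
        tar.extractall(str(dest_dir), **extract_opts)
    problems = []
    for rel, digest in manifest.items():
        restored = dest_dir / rel
        if not restored.is_file() or sha256_of(restored) != digest:
            problems.append(rel)
    return problems


def demo():
    """Return (problems_after_good_restore, problems_after_incomplete_backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("2017-06-27,invoice,300\n")
        (live / "notes.txt").write_text("constructed sample data\n")

        archive = tmp / "backup.tar.gz"
        manifest = make_backup(live, archive)
        clean = restore_and_verify(archive, manifest, tmp / "restore1")

        # Simulate a backup job that silently skipped a file: the ledger is gone
        # from the tree before the second archive is written, but the manifest from
        # the original run still expects it.
        (live / "finance" / "ledger.csv").unlink()
        partial = tmp / "partial.tar.gz"
        make_backup(live, partial)
        missing = restore_and_verify(partial, manifest, tmp / "restore2")
        return clean, missing


if __name__ == "__main__":
    clean, missing = demo()
    print("good backup problems:", clean)
    print("incomplete backup problems:", missing)
```

Keeping the manifest separate from the archive is the point of the exercise: a backup that was silently incomplete, or altered after the fact, still extracts without error, and only the comparison against an independently stored list of hashes exposes it. The same restore-to-scratch step doubles as the rehearsal the article recommends, since it measures how long recovery actually takes.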