Teardown of 'NotPetya' Malware: Here's What We KnowMalicious Code Moves Laterally, Can Infect Fully Patched Windows PCs
A cleverly built piece of malware, based in part on previously seen Petya ransomware, continues to spread globally in an outbreak rivaling last month's WannaCry campaign.
See Also: 2022 Unit 42 Incident Response Report
Security firms are referring to the malware tied to the global outbreak by various names: NotPetya, SortaPetya, Petna, ExPetr, GoldenEye and Nyetya.
Unfortunately, the malware appears to lack WannaCry's inadvertent kill switch. Plus, it has the ability to infect even fully patched Microsoft Windows systems.
"This one's more dangerous than WannaCry," says Rob Wainwright, head of EU law enforcement intelligence agency Europol, via Twitter (see Massive Petya Variant Outbreak: More Clever Than WannaCry).
But much about the malware - hereafter referred to as NotPetya - remains unclear. That includes the identity of the individual or group who launched the attack and their motivation, as well as the "patient zero" in the attacks and how long related infections might propagate before being brought under control.
Here is what is known so far:
Affected: 65+ Countries
Security experts say NotPetya first appeared Tuesday in Ukraine and quickly spread across Europe and beyond.
On Tuesday, Microsoft counted at least 12,500 infected systems across 65 countries. Those include Belgium, Brazil, Britain, Denmark, Germany, Russia and the United States.
In the U.K., advertising firm WPP reported that it had been affected. Meanwhile, in the United States, two hospitals in Heritage Valley Health System in Pennsylvania reported infections, as did pharmaceutical giant Merck.
Infections in Ukraine have been widespread. The country's central bank, multiple government agencies and Kiev's Boryspil Airport were affected. Also, radiation monitoring systems at the Chernobyl nuclear plant were reportedly switched to manual, out of an abundance of caution, although Ukraine's state news agency says all systems at the plant are functioning normally.
Multinationals See Lateral Movement
Multinational organizations, such as Copenhagen-based shipping giant Maersk, reported that the malware was able to move laterally through their networks across geographically dispersed operations. Maersk reported outages not only in Denmark, but also the United Kingdom, Ireland and beyond.
Reports of organizations warning employees to not power on their PCs quickly began to proliferate Tuesday, including at multinational law firm DLA Piper, which has operations in 30 countries. It confirmed Tuesday that it had detected infections. "Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems," according to a statement the firm released Wednesdsay.
"We immediately began our investigation and remediation efforts, working closely with leading external forensic experts and relevant authorities, including the FBI and UK National Crime Agency," it says. "We are working to bring our systems safely back online."
Borrows from Petya
Microsoft says NotPetya uses similar code to Petya but is "more sophisticated."
Petya, which debuted in 2016, was one of the first types of ransomware to introduce full-disk encryption (see Crypto-Locking Ransomware Attacks Spike).
It's unclear why the malware was so named. Sean Sullivan, a security expert at Finnish security firm F-Secure, says the name Petya is Russian for "little Peter."
It's apparently "the common Russian diminutive for the male given name Piotr." https://t.co/ZiAHFlVgbA— Sean Sullivan (@5ean5ullivan) June 28, 2017
But security researchers say little of NotPetya is based on Petya.
"Most likely someone ripped the boot loader code straight out of Petya and uses it for their own purposes," the U.K. security researcher Marcus Hutchins, aka MalwareTech, who discovered the WannaCry kill switch, says in a blog post. "But they implemented their own ransomware, their own worm, their own dropper and pretty much everything else on top of it."
Some security researchers say NotPetya's apparent similarity to other ransomware may be a ruse because developers created only a single channel for remitting payments to attackers.
Matthieu Suiche, managing director of Dubai-based incident response firm Comae Technologies, says via Twitter that the malware may have been designed to function as a wiper - leaving systems unusable - rather than as a source of revenue.
"The code itself [looks] more like a wiper than an encoder," he says.
Leaked Equation Group Tools Used
The malware can spread by using two attack tools built by the "Equation Group" - likely the National Security Agency - and leaked by the Shadow Brokers. The tools generate packets that attempt to exploit an SMB flaw in prior versions of Windows.
"The new ransomware can spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines," Microsoft says. "In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin).
"Machines that are patched against these exploits (with security update MS17-010) or have disabled SMBv1 are not affected by this particular spreading mechanism."
Unfortunately, many internet-connected devices still run SMB, according to security firm Rapid7. It says SMB should never be exposed to the internet.
But NotPetya includes multiple spreading techniques, including "via a malicious document attached to a phishing email, requiring a victim to download and open it," Rapid7 says in a blog post.
"After that, it does indeed use the EternalBlue and DoublePulsar exploits to spread laterally," it says. "Unlike WannaCry, though, it is currently using these mechanisms to spread only on internal networks."
Multiple Propagation Methods
Once NotPetya infects a system, however, it can spread laterally, using other techniques, to other systems that touch the same networks. "It will begin to hijack local credentials from the Windows Local Security Authority (lsass.exe), then leverage those credentials via PsExec or WMI in an attempt to remotely compromise other systems on the local network," Kirk Soluk, manager of the ASERT threat intelligence and response team at Arbor Networks, says in a blog post.
Both PsExec (psexec.exe) and Windows Management Instrumentation (wmic.exe) are legitimate tools built into Windows. "In many enterprises, this activity will not be blocked and is likely to fly under the radar as typical remote administration activity," Soluk says. "If a widely used administrative credential is compromised, it could very quickly be game over for many systems regardless of whether the patch for MS17-010 has been applied or not."
Rapid7 says the malware uses an open-source tool to grab PsExec or WMI credentials. "We've confirmed that this ransomware uses a lightly modified version of mimikatz to extract credentials from memory for use in its PsExec and WMI vectors for spreading," Rapid7 says. "Mimikatz is a widely used open source security tool used primarily by security researchers to understand how credential handling is performed in Windows environments."
Eyewitness Infection Account
One eyewitness account of an infection, shared by Scotland-based Colin Scott , bears this out.
Scott says systems at his unnamed firm were mostly patched against MS17-01. Even so, he says it appears that one PC initially became infected, and the virus extracted credentials from this system before propagating across the network.
"Could have been a workstation admin's account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with its PSEXEC/WMIC code. The rest is history," Scott writes. "We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR; PCs that were not encrypted with McAfee showed the ransom message."
Likely Patient Zero: MeDoc User
Multiple security firms report that at least some NotPetya infections are being spread via a widely used Ukrainian accountancy software program called MeDoc. "Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process," it says.
Security researchers say MeDoc may be the "patient zero" - the first victim to be infected with the malware.
The operational security expert known as the Grugq notes in a blog post: "Everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages)." So an attack launched from MeDoc would hit not only Ukraine's government, but many foreign investors and companies. It seems that Maersk was also using MeDoc."
Free Decryption Unlikely
In the past, crypto errors by developers or law enforcement efforts have allowed security researchers to sometimes crack the encryption used by attackers and release free decryption tools for victims (see Two New Ransomware Decryptors Give Victims a Free Out).
But whoever built NotPetya appears to have developed their code very carefully. "Unfortunately, the ransomware uses a standard, solid encryption scheme so [developing a decryption tool] appears unlikely unless a subtle implementation mistake has been made," according to a blog post from Kaspersky Lab.
Kaspersky notes that the malware securely generates a single AES-128 key for each system, which it uses to encrypt files. The key itself is encrypted with the attacker's own, public RSA-2048 key, and this encrypted AES key gets saved to a "readme.txt" file on the victim's PC.
Malware Targets MBR
After infecting a system, the malware attempts to encrypt the master boot record - the first code that hardware looks to when powering up and before loading the operating system - according to technical analyses of the malware.
If the MBR infection is successful, the malware will reboot the system at least 10 minutes later at a randomly determined time. After rebooting, the system displays this message:
In reality, that is the malware encrypting many files on the system.
Subsequently, the malware displays its ransom message, demanding the equivalent of $300 in bitcoins for a decryption key. The malware also drops a "readme.txt" file onto the infected system that contains an encrypted version of the key that was used to crypto-lock files on the PC:
Responding to the NotPetya outbreak, the National Cyber Security Center - Britain's national incident response team - says that the guidance it promulgated in the wake of WannaCry still holds.
For enterprise IT administrators, recommendations include protecting any systems that run SMB version 1 that for whatever reason cannot be patched, and overall ensuring all legacy technology be isolated "as much as possible within your organization."
In addition, it says ensuring that anti-virus products remain active and updated remains essential.
In terms of this specific malware, Rapid7 recommends that organizations also "employ network and host-based firewalls to block TCP/445 traffic from untrusted systems," and also, "if possible, block 445 inbound to all internet-facing Windows systems."
As always, maintaining up-to-date backups - stored offline, so they can't be encrypted by ransomware that spreads via network shares - is essential. "Backups are the only full mitigation against data loss due to ransomware," Rapid7 says.
Block PSExec and WMIC from Executing
Many security experts further recommend organizations disable PsExec and wmic.exe, to better contain NotPetya outbreaks. Technologist Guy Leach, director of corporate strategy at Serco Group, has published guidance about how to use an Image File Execution Options registry key "to put a temporary, or permanent, block on these, or any other executables, so they cannot run." Even better, attempts to make them run can generate an error message, such as "call IT."
Leach says IT administrators can use Group Policy Preferences to rapidly roll this out.
Did Attackers Mess Up?
Besides rapid propagation by targeting SMB flaws, NotPetya also appears to resemble WannaCry in that its developers apparently bungled the mechanism via which victims might pay, if they are so inclined.
The ransomware has only a single email address via which victims might contact attackers. The German email service provider, Posteo, quickly suspended the account in question.
"Why do they use an email?????" asks cryptography expert Matthew D. Greene, an assistant professor at Johns Hopkins University, via Twitter. "Would it be a societal good if someone just figured out how to do the payment UX [user interface], so people at least get their data back?"
Robert David Graham, head of offensive security research firm Errata Security, says that whoever cobbled together NotPetya may have failed to properly test their code.
Or simply, somebody messed up. I've seen other ransomware with lateral movement that didn't have their email shutdown.— Rob Graham (@ErrataRob) June 28, 2017
Other theories, however, center on Ukraine as the initial infection vector, and question whether - geopolitically speaking - someone might be seeking to sow chaos in that country.