Data Destroying “NotPetya” Masquerades as Ransomware

July 3, 2017 | By James Raymond

Did the NotPetya Ransomware Have More Ulterior Motives?

Is the “NotPetya Ransomware” much more than a deadly ransomware? Also being called as Petya, ExPetr, SortaPetya, Petrwrap, Goldeneye, Nyetya, “WannaCry’s bad cousin”, etc…, this global attack has led to shutting down of machines, offices, firms, factories and ports in many countries. Cyber security experts suggest that the “ransomware” disguise could have been to mislead organizations, cyber security experts, the press and public until a considerable amount of data had been destroyed.

Ransomware

A Wiper Rather Than a Ransomware

Cyber security analysts poring over its code and how it works inferred that the ransomware threat was just an eyewash. The malware code has “discrepancies” (intentional or otherwise) that would prevent decryption of the encrypted data even if the key was available. NotPetya seems to be a “wiper” – a destroyer of data, having no idea of allowing any recovery of data. So, even if a victim was willing to pay the demanded ransom, there was no way of recovering the data. Only solution: Recover from backup.

The NotPetya Ransomware spread worldwide at an alarming rate. Initially, it was believed to be a sophisticated strain of the WannaCry ransomware outbreak that had earlier inflicted significant damage affecting networks and systems all over the globe. The reason: NotPetya exploited the same vulnerability in Microsoft Windows operating systems. Later observations, however, revealed that this attack could be a new strain of the Petya encrypting ransomware that had first been detected in 2016.

The NotPetya Strain

Once the NotPetya malware enters a system/machine, it waits for a certain period of time during which period it is believed to be stealing credentials (administrative passwords), studying the network and spreading to other computer systems. Then it restarts the infected computer and during the booting process, it displays a screen that – “CHKDSK is running” -, while actually, it is replacing the computer’s Master Boot Record to prevent the user from accessing the operating system, and then encrypting the Master File Table. NotPetya then goes on to encrypt all data on the disk.

The Capabilities of NotPetya

  • NotPetya has worm capabilities that enable it to spread to other networks utilizing the EternalBlue SMB exploit and EternalRomance exploit.
  • It can steal administrative passwords using Mimikatz
  • It can spread within a compromised network through WMIC and PSExec, and
  • It can encrypt data

How the NotPetya Infection was initialized

The NotPetya outbreak was initially observed in Ukraine from where it rapidly spread across Europe and then to other continents. Organizations and businesses that have to collaborate with the Ukranian government have to use an accounting program called – MEDoc. Preliminary reports state that the attackers injected the malware through MEDoc software’s update mechanism. Possibly, the attackers had breached the update servers of MEDoc. As the NotPetya malware had the traits of a worm it spread rapidly across systems connected to the network through corporate VPN. The perpetrators also spread the malware through drive-by download by compromising a Ukrainian government website. The multiple vectors of infection prove the sophistication of the attack.

Prominent Organizations/Businesses Affected

The attackers seem to have targeted enterprises worldwide and more than 65 countries including Ukraine, Russia, U.S., India, and Western Europe have been affected. Prominent victims include the Ukrainian central bank, Ukrainian power companies, Rosneft – the Russian oil producer, A.P. Moller-Maersk – the Danish transport and energy company, Borispol Airport, SaintGobain, Merck – the pharma giant, the DLA Piper law firm in the U.S. and WPP, the world’s largest advertising company, and others.

The Purpose of the Outbreak

There are multiple theories for the purpose of this attack:

  • Financial gain through ransom
  • Financial gain through manipulating the bitcoin market
  • Destroying data
  • Cyber war – a nation state-sponsored attack on Ukranian organizations and businesses to destroy data on their computer systems.

Ignorance of Patch Updates

In March 2017, Microsoft had released the MS17-010 patch update, and many organizations that did not apply those patches had been routed by the WannaCry ransomware attacks. Organizations that have applied this update are quite safe. This attack utilized a modified version of the EternalBlue SMB exploit that was effectively used by WannaCry to spread to other machines. Applying the MS17-010 patch would block the attack.

Preventive Solutions and Vaccine

If you have not yet been infected, but suspect/fear that you may, then

1. Keep your operating system updated
2. Update all applications
3. Back-up your data and store it off-line
4. Try to avoid using high-privilege accounts
5. Educate employees on not to click on attachments
6. Install an endpoint security solution that effectively monitors real-time behavior.
7. Install the vaccine – create a file named “perfc” in the C:\Windows folder and provide read-only permissions to the file. The malware seems to check for the existence of this file, and if it does then it does not infect that computer.

Effective Long-term Solutions against NotPetya Ransomware

Petya, NotPetya, WannaCry, or whatever – whether it is a wiper, ransomware or any other malware – an effective preventive solution is needed against existing, evolving and emerging threats. Comodo provides one-of-a-kind robust endpoint security solutions that stop not only the likes of NotPetya or WannaCry but any threat through its advanced default-deny and auto-containment technologies.

Endpoint Security

Be Sociable, Share!
Be Sociable, Share!

Add new comment

Your name
Comment

You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>