Barely had the dust settled on WannaCry, the ransomware that affected hundreds of thousands of computers in 150 countries in May, when another ransomware attack, NotPetya, started infecting organizations across Europe and into the Americas on June 27, 2017. Initially, this attack was thought to be a variant of the Petya ransomware because the attackers crafted the malware to resemble Petya. Upon further analysis, it was discovered that the main distribution and payment schemes were not consistent with prior Petya campaigns.
Where prior Petya campaigns operated an organized payment and decryption key distribution system accessed via the Tor network, this attack relied upon a single email account for coordinating ransom payments and decryption keys. That address was identified and deactivated early, leading investigators to conclude that the attackers were unlikely to have intended it to remain operational for the duration of the campaign.
NotPetya was disseminated via the compromised software update service of MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. The malware spread to more than 12,000 systems in Europe and the Americas. This new variant spread across networks using the Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit is the same method used by the WannaCry ransomware, and Microsoft had already released a patch for the vulnerability.
Once NotPetya infects a system, it sets up encryption routines and attempts to spread over the network. What’s different about NotPetya is that it attempts to extract cached user credentials from the original infected machine and propagates using WMIC. The other difference between NotPetya and WannaCry is that, while WannaCry used a killswitch domain, NotPetya doesn’t. Encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the Internet. Our open source intelligence analysis has led us to conclude that the campaign involved the following major actions:
The end result of ransomware is to lock up the files on infected machines and demand a ransom to retrieve the data, though the true goal of the NotPetya creators may have been disruption rather than monetary gain. If a privileged user executes it, NotPetya encrypts the hard disk's master boot record behind a fake chkdsk splash screen, then schedules a task to restart the system once so that the ransom note is displayed on boot. If it is unable to execute the payload as a privileged user, it instead encrypts the file types annotated below and writes a README.TXT ransom note.
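The two host-side behaviours described above, remote process creation through WMIC with harvested credentials and a scheduled task that reboots the machine, both leave traces in ordinary process-creation telemetry. The following is an added example written for this article, not code from the original report or from any vendor: a small triage script that reads process-creation records in a simplified, constructed pipe-delimited layout (timestamp, host, user, parent image, image, command line) and flags these two patterns. The log lines, host names, user names and the payload path are invented for illustration.

```python
"""Triage of process-creation records for NotPetya-style lateral movement
and reboot scheduling. Added example; record layout and sample data are
constructed, not taken from a real incident."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2017-06-27T10:02:11|WS-014|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2017-06-27T10:05:43|WS-014|CORP\jdoe|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic.exe /node:"10.0.4.22" /user:"CORP\svc_backup" /password:"[REDACTED]" process call create "C:\Windows\placeholder_payload.dll"
2017-06-27T10:06:02|WS-015|CORP\admin|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic.exe os get caption
2017-06-27T10:07:19|WS-014|CORP\jdoe|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /Create /SC once /TN "placeholder_task" /TR "C:\Windows\System32\shutdown.exe /r /f" /ST 10:45
2017-06-27T10:08:00|WS-015|CORP\admin|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /Create /SC daily /TN backup /TR "C:\Tools\backup.exe"
"""


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    timestamp: str
    detail: str


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse pipe-delimited records; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 5)  # the command line itself may contain '|'
        if len(parts) != 6:
            continue
        events.append(ProcessEvent(*parts))
    return events


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Remote WMIC execution: a /node: target plus "process call create".
WMIC_REMOTE = re.compile(r"/node:", re.I)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.I)
# Explicit credentials on the command line, consistent with reuse of harvested accounts.
WMIC_CREDS = re.compile(r"/user:.*?/password:", re.I)
# A newly created scheduled task whose action is a reboot (shutdown /r).
TASK_CREATE = re.compile(r"/create\b", re.I)
TASK_REBOOT = re.compile(r"shutdown(\.exe)?[^|]*\s/r\b", re.I)


def check_event(ev: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if the event matches one of the two patterns, else None."""
    image = _basename(ev.image)
    cmd = ev.command_line
    if image == "wmic.exe" and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
        creds = "explicit credentials" if WMIC_CREDS.search(cmd) else "implicit credentials"
        return Alert("wmic_remote_process_create", ev.host, ev.user, ev.timestamp,
                     f"remote WMIC process creation with {creds}")
    if image == "schtasks.exe" and TASK_CREATE.search(cmd) and TASK_REBOOT.search(cmd):
        return Alert("scheduled_reboot_task", ev.host, ev.user, ev.timestamp,
                     "scheduled task whose action reboots the host")
    return None


def triage(text: str) -> List[Alert]:
    """Run every record through check_event and collect the alerts."""
    return [a for a in (check_event(ev) for ev in parse_events(text)) if a is not None]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.host} {alert.user} [{alert.rule}] {alert.detail}")
```

The local `wmic.exe os get caption` and the daily backup task are deliberately left unflagged: remote WMIC execution and reboot-scheduling tasks are also legitimate administrative actions, so in practice these rules are tuned against a baseline of known admin hosts and accounts rather than used as stand-alone blocking signatures.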
Best practices for staying protected against ransomware
Ransomware has been constantly in the news recently. A total of $1 billion was paid out to ransomware criminals in 2016 alone. This year has seen a 6000 percent increase in ransomware-infected emails compared to 2016.
Organizations should follow certain best practices to stay protected against ransomware and other advanced malware.