A Deep Dive into the NotPetya Ransomware Attack

What we know about the NotPetya ransomware attack that started in Ukraine

Overview of NotPetya

This is a new variant of the Petya ransomware family that targets Windows systems. The outbreak began Tuesday morning. It has been referred to by several names, including PetrWrap, GoldenEye, Petya.A, Petya.C, and PetyaCry.

It has several similarities to the global WannaCry outbreak that occurred last month, with some significant differences, including:

  • There is no ‘kill switch’ like the one embedded in WannaCry, which ended that attack relatively quickly
  • It can spread without relying on the SMB vulnerability patched by MS17-010
  • It reboots victims’ computers, encrypts the hard drive’s Master File Table (MFT), and renders the Master Boot Record (MBR) inoperable

The Scope of the Threat

This attack is widespread and does not appear to be targeting any particular industry, region, or country. There have been many reports of Ukrainian organizations and companies being hit, including “power companies, airports, public transit, and the central bank,” as well as a wide range of victims across Eastern Europe, the rest of Europe, Asia, and the US. The attack also affected the radiation monitoring systems at Chernobyl.

Lastline Enterprise’s Deep Content Inspection & Classification of the Threat

Below is a screenshot of the analysis report generated from one of the malware samples we received.

Lastline’s Deep Content Inspection™ identifies every malicious behavior in the malware. With this visibility, you can see our identification of the ability to propagate the malware via remote execution and the ability to overwrite the MBR (Master Boot Record) in the list of detected activities.

Lastline’s analysis of NotPetya’s malicious behaviors

How it Spreads

There are several ways the ransomware appears to be spreading:

  • It can spread locally using the EternalBlue exploit, which targets a vulnerability patched by MS17-010, or with PsExec, a utility for executing processes on remote systems
  • Talos (Cisco) reports that a potential source is the software update system for a Ukrainian tax accounting package called MeDoc (which would explain why so many organizations in Ukraine were victims)
  • Kaspersky reports that it can spread via the remote code execution exploit EternalRomance, targeting Windows XP through Windows 2008 systems. The ransomware also uses Mimikatz to extract admin credentials from the lsass.exe process and passes them to PsExec or WMIC for distribution inside a network, spreading the malware to systems not vulnerable to the EternalBlue or EternalRomance exploits

Specific Behavior Once Active

Once installed, NotPetya does several things:

Screenshot from Ukraine’s Deputy Prime Minister, Pavlo Rozenko, of an infected system: https://twitter.com/RozenkoPavlo/status/879677026256510976/photo/1

To cover its tracks, it clears the event log before the reboot and deletes the USN change journal, which is a utility for monitoring any changes “to a file or directory in a volume.”

Lastline Labs tweet: Lastline analysis of the ransomware modifying the USN journal
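The two behaviors above (credential-driven lateral movement with PsExec or WMIC, and the anti-forensics step of clearing event logs and deleting the USN journal) are both visible in process-creation telemetry. The following detector is an added example, not Lastline's code or tooling: it parses constructed process-creation log lines (a simplified `host= user= cmd=` layout, assumed here rather than any real product's format), matches the command lines against a few narrow rules, and flags hosts where both anti-forensics actions occurred together, which is a much stronger signal than either alone. The sample log, host names and file paths are all constructed.

```python
"""
Added example (not from the original post): a minimal process-creation
log scanner for the lateral-movement and track-covering behaviours the
post describes. Log format, host names and commands are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command: str


# Rule name -> regex over the command line. Patterns are generic Windows
# tooling patterns, kept narrow so routine admin use (e.g. querying a log)
# does not trigger them.
RULES = [
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("usn_journal_deleted", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    # PsExec invoked against a remote machine (\\HOST argument present)
    ("psexec_remote_exec", re.compile(r"\bpsexe[cs](\.exe)?\b.*\\\\", re.I)),
    # WMIC spawning a process on another node
    ("wmic_remote_process", re.compile(
        r"\bwmic(\.exe)?\b.*\s/node:.*\bprocess\s+call\s+create\b", re.I)),
]

# Assumed line layout: host=<name> user=<account> cmd=<command line>
LINE_RE = re.compile(r"^host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return a dict with host/user/cmd, or None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Apply every rule to every parsable line; one Finding per (line, rule) hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["host"], name, rec["cmd"]))
    return findings


def hosts_with_antiforensics(findings):
    """Hosts on which BOTH event-log clearing and USN journal deletion were seen."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"event_log_cleared", "usn_journal_deleted"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


# Constructed sample telemetry: one benign line, two lateral-movement
# lines, the two track-covering commands, and a benign log query.
SAMPLE_LOG = """\
host=WS01 user=CORP\\alice cmd=C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt
host=WS01 user=CORP\\svc_admin cmd=psexec.exe \\\\WS02 -accepteula -s C:\\staging\\payload.exe
host=WS01 user=CORP\\svc_admin cmd=wmic.exe /node:"WS03" /user:"CORP\\svc_admin" process call create "cmd.exe /c C:\\staging\\payload.exe"
host=WS01 user=SYSTEM cmd=wevtutil cl Security
host=WS01 user=SYSTEM cmd=fsutil usn deletejournal /D C:
host=WS02 user=CORP\\bob cmd=wevtutil qe System /c:5
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host:6} {f.rule:22} {f.command}")
    print("hosts covering their tracks:", hosts_with_antiforensics(results))
```

In practice the same rules would be fed from Sysmon Event ID 1 or Windows Security event 4688 command lines; the value of the combined check is that a single `wevtutil cl` from an administrator is common, while event-log clearing plus journal deletion on the same host within a short window almost never is.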

Other Techniques Used

WHAT TO DO ABOUT IT

IOCs TO BLOCK

  • String: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
  • Email address: wowsmith123456@posteo.net (mail provider has blocked this account)

Where To Go For More Info

Lastline Labs published two blogs on ransomware, and Part 2 describes the original Petya ransomware family.

Patrick Bedwell

Patrick Bedwell has been creating and executing product marketing strategies for network security products for almost 20 years. He earned his BA from Cal Berkeley, and his MBA from Santa Clara University.