A Deep Dive into the NotPetya Ransomware Attack
What we know about the NotPetya ransomware attack that started in Ukraine
Overview of NotPetya
This is a new variant of the Petya ransomware family that targets Windows systems. The outbreak began Tuesday morning. It has been referred to by several names, including PetrWrap, GoldenEye, Petya.A, Petya.C, and PetyaCry
It has several similarities to the global WannaCry outbreak that occurred last month, with some significant differences, including:
- There is no ‘kill switch’ like that which was embedded in WannaCry that ended that attack relatively quickly
- It can spread without relying on the SMB vulnerability patched with MS17-010
- It reboots victims computers and encrypts the hard drive’s Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable
The Scope of the Threat
This attack is widespread and does not appear to be targeting any particular industry, region, or country. There have been many reports of Ukrainian organizations and companies being hit, including “power companies, airports, public transit, and the central bank” as well as a wide range of victims in Eastern Europe, Asia, and Europe, as well as the US. The attack also affected the radiation monitoring systems at Chernobyl.
Lastline Enterprise’s Deep Content Inspection & Classification of the Threat
Below is a screenshot of the analysis report generated from one of the malware samples we received.
Lastline’s Deep Content Inspection™ identifies every malicious behavior in the malware. With this visibility, you can see our identification of the ability to propagate the malware via remote execution and the ability to overwrite the MBR (Master Boot Record) in the list of detected activities.
Lastline’s analysis of NotPetya’s malicious behaviors
How it Spreads
There are several ways the ransomware appears to be spreading:
- It can spread locally using the EternalBlue exploit that targeted a vulnerability patched with MS17-010, or with PsExec, utility for executing processes on remote systems
- Talos (Cisco) reports a potential source is a software update systems for a Ukrainian tax accounting package called MeDoc (which would explain why so many organizations in Ukraine were victims)
- Kaspersky reports that It can spread via the remote code execution exploit EternalRomance targeting Windows XP to Windows 2008 systems. Also, the ransomware uses Mimikatz to extract admin credentials from the lsass.exe process, and pass them to PsExec tools or WMIC for distribution inside a network, spreading the malware to systems not vulnerable to EternalBlue or EternalRomance exploits
Specific Behavior Once Active
Once installed, NotPetya does several things:
- It runs Mischa, a component of an earlier variant of the Petya ransomware, and encrypts individual files
- It reboots the system and encrypts the MFT (master file table) and renders the Master Boot Record (MBR) inoperable. It also overwrites the MBR with a file that displays the ransom note, which renders the system unable to boot.
Screenshot from Ukraine’s Deputy Prime Minister, Pavlo Rozenko, of an infected system https://twitter.com/RozenkoPavlo/status/879677026256510976/photo/1
To cover its tracks, the reboot clears the event log, and deletes the USN change journal, which is a utility for monitoring any changes “to a file or directory in a volume.”
- Demands $300 in bitcoin. You can monitor the payments here: https://blockexplorer.com/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Other Techniques Used
WHAT TO DO ABOUT IT
- Patch MS17-010 (Remember when we said to patch after WannaCry? Well, we don’t mean to say ‘we told you so’ but….)
- Block PsExec and WIMC from running using AppLocker utility
- Check out this blog post on how to prevent your system from being infected
IOCs TO BLOCK
- String: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
- Email address: firstname.lastname@example.org (mail provider has blocked this account)
Where To Go For More Info
Lastline Labs published two blogs on ransomware, and Part 2 describes the original Petya ransomware family.