Threats 101
Jonathan Crowe
Jun 2017

Petya, NotPetya? A Definitive FAQ

There's been no lack of twists and turns in the still-developing story of this week's global malware outbreak. In the rush to provide new information, share updates, and land scoops, there's also been a lot of conflicting reports and misinformation flying around.

What actually happened? What kind of attack was this, really? And, enough already, what should we be calling the damn thing?

To clear things up, here are answers to the most pressing questions: 

So, what’s with the name? Is it Petya or "NotPetya"?

Short answer:

Life’s too short. Let’s just agree it’s a new adaptation of Petya and move on.


More details:

What to call this malware has been a major point of contention almost from the start of the outbreak, and to understand why we need to cover a little background.

One of the first reports indicating we were seeing another major infection was a tweet from Costin Raiu, Director of Kaspersky's Global Research and Analysis Team. In it, he identified the malware being distributed as a variant of Petrwrap/Petya ransomware. 

Here's where we need to take a super quick look back at the evolution of Petya:

  • March 2016: In the beginning, there was Petya

When it was first identified, Petya quickly gained attention thanks to its unique encryption routine. Instead of encrypting individual files it encrypted the Master File Table (MFT), essentially bricking the victim's hard drive. It did so by adding malicious instructions to the Master Boot Record (MBR) and then causing Windows to reboot. When victim machines came back on, a fake CHKDSK screen distracted victims while the encryption process was underway. Once encryption was complete, the ransom screen appeared.

At first glance, this new malware appeared to take a very similar approach —  even using the same fake CHKDSK screen:

[Image: Petya and "NotPetya" used the same fake CHKDSK screens. Source for top image: Bleeping Computer]

So the new malware was clearly Petya, right? Well, unfortunately, it's not that simple.

  • May 2016: Petya meets Mischa

Petya's first run came to an abrupt end in April 2016 when researchers were able to defeat its encryption. A month later, it was back, packaged together with Mischa ransomware. The new combo gave the attacks more flexibility. If Petya was able to gain admin privileges, it would modify the MBR and encrypt the MFT. If not, the installer would fire up Mischa instead, which would then encrypt the victim's files in a more traditional way.

  • December 2016: Petya returns as "GoldenEye"

The same group behind Petya released a new version of the ransomware rebranded as "GoldenEye" at the end of 2016. Aside from cosmetic differences, the major change was that the order of the two encryption processes was switched — the ransomware now encrypted the victim's files first, then attempted to modify the MBR.

  • March 2017: A new "unauthorized" version of Petya appears 

Earlier this year, researchers at Kaspersky spotted what appeared to be the work of a "rogue actor" who was essentially able to piggyback off Petya's core functionality while making slight changes that ensured payments would instead go to them.

Dubbed "PetrWrap", this ransomware also took a notably different approach to distribution. Instead of infecting victims via spam emails (as Petya had primarily done), the attackers behind PetrWrap used it to target vulnerable servers with unprotected RDP access. They also incorporated credential-stealing tools like Mimikatz into their attacks, enabling them to then abuse the Windows command utility PsExec to move laterally and spread the ransomware throughout the network.

These are some of the same tactics that would help our latest version of Petya to spread a month later...  

  • June 2017: New Petya / NotPetya outbreak causes one hell of a stir

Cue Costin Raiu's tweet and a series of reports indicating a new global ransomware outbreak was rapidly unfolding.

At this point, it was fairly clear the malware at the center of the maelstrom was at the very least based on Petya, and utilizing delivery and infection tactics that the PetrWrap attackers had used. 

But then Kaspersky analysts muddied the waters by claiming the malware was in fact a new ransomware variant they were calling NotPetya.

Shortly afterwards, #NotPetya was trending alongside #Petya on Twitter and the whole thing took on a "Team Edward or Team Jacob" vibe.  

Typical identifying calling cards for this ransomware are missing

Malware naming disputes are extremely common, but when it comes to ransomware, things are typically much more clear-cut — researchers simply look at what the extensions for encrypted files get changed to (e.g., .locky, .cerber, etc.) or what the ransom note says, and go with that.

The problem here is this variant of Petya doesn't make any changes to file extensions, and whereas the original Petya and GoldenEye both identified themselves in their ransom notes, that's not the case this time around. 

[Image: This new Petya variant doesn't identify itself in its ransom note. Source for top image: Bleeping Computer]

The PetrWrap attackers had also removed identification from their ransom screens, purportedly because they didn't want to tip people off they were hijacking Petya's code. 

With no clear name provided by the attackers, the vacuum is being filled by researchers who, in addition to Petya / NotPetya, have submitted the following options for consideration:

  • EternalPetya (from malware analyst hasherezade, because of the exploits it uses)
  • Nyetya (from the researchers at Talos)
  • ExPetr (yet another option from Kaspersky)

So which name is right? Ultimately, this will likely be decided the same way new words like "hangry" get added to the dictionary — regardless of technical justification, whichever term gets used by the most people is probably going to stick.  

But now I’m hearing it wasn’t actually ransomware at all? What’s that about?

Short answer:

Some researchers are arguing that since the malware’s design actually makes it impossible to recover infected systems, its purpose wasn’t to make criminals money, but to inflict damage — possibly on specific political targets (Ukraine). That makes this malware less of a ransomware and more of a wiper. 


More details:

Two separate reports from researchers at Comae Technologies and Kaspersky Lab have independently arrived at the same conclusion — the malware involved in this outbreak acts like ransomware, but it wasn't actually designed to allow victims to regain access to their encrypted systems and files at any point.

Evidence A: No valid infection ID

In order for ransomware like Petya to issue a decryption key for paying victims, it needs to obtain the personal installation ID it created during each infection. This ID is supposed to contain unique identifying information crucial for issuing the right decryption key.

While analyzing the malware, however, researchers at Kaspersky discovered that the infection IDs it creates are actually just strings of randomized, meaningless digits.

[Image: The installation ID created by the new Petya variant can't actually be used to gain the decryption key. Source: Kaspersky]

That makes recovering the decryption key and restoring encrypted files or drives impossible, even if victims did decide to pay.

Evidence B: The master file table encryption isn't reversible

Comae founder Matt Suiche discovered a separate flaw in the malware's encryption that led him to the same conclusion. Whereas the original Petya modified the disk in such a way that it could actually revert its changes, the new variant appears to do permanent and irreversible damage by overwriting portions of the disk without properly reading or saving them.

[Image: Comparing the wiper code in the new Petya variant (left) with the original Petya code (right). Source: Matt Suiche]

Both Suiche and the Kaspersky researchers argue the lack of functionality does not appear to be accidental. The implication is that the malware wasn't designed for extortion, but for destruction and disruption.

Therefore, the suspicion now is that this wasn't truly a ransomware outbreak conducted by your average financially-motivated cyber criminals, but rather a more targeted attack using that narrative as cover.

As this article points out, it's a tactic that's been used before with the Shamoon and KillDisk malware families. 

How is this different from the WannaCry attacks?

Short answer:

One of the specific ways it’s spreading is the same, but pretty much everything else is different.


More details:

Any major attack this close to the WannaCry outbreak was bound to receive comparisons, but the fact that this attack utilized the EternalBlue exploit made that a certainty. 

What is EternalBlue?

EternalBlue is one of the purported NSA exploits leaked in April by the Shadow Brokers hacking group. It targets a vulnerability in Server Message Block (SMB), a network file sharing protocol.

What makes EternalBlue so dangerous is that:

  1. Successful deployment provides attackers with the remote execution they need to launch ransomware, credential stealers, or any other malware they want.
  2. There are a ton of devices with port 445 (the port associated with SMB) either knowingly or inadvertently open to the Internet right now — over 1 million if you're keeping score at home.
  3. The Shadow Brokers leak provided everything even novice attackers need to start utilizing EternalBlue, including an exploit framework called FuzzBunch that makes deploying it extremely simple. 

Microsoft had actually released an update (MS17-010) in March, a month prior to the Shadow Brokers announcement, that addresses the SMB vulnerability and renders EternalBlue ineffective. But as the WannaCry outbreak showed, large numbers of organizations were obviously unable or unwilling to patch in time to avoid compromise.

To use the exploit, all the WannaCry attackers had to do was scan the Internet for systems with port 445 open, and then fire away. Then, as part of the infection process, the ransomware would scan the local network and wider Internet for additional victims with SMB exposed. 

Unlike WannaCry, the Petya outbreak only uses EternalBlue to spread laterally within an infected network. And if that isn't successful, it has additional tricks up its sleeves (more on those below).

As explained above, another major difference between this outbreak and the WannaCry one is that the Petya ransomware variant also operates much differently than WannaCry (and, arguably, isn't even truly ransomware).

Is there a kill switch?

Short answer:

No. But there is a vaccine of sorts. All you have to do is create a file called perfc.dat in the C:\Windows folder and make it read only. Note: This must be done on every computer you want to protect. Lawrence Abrams at Bleeping Computer has created a batch file that performs the task for you.


More details:

When word of a new outbreak spread, researchers raced to find a "kill switch" like the one that shut down the WannaCry outbreak. While no similar mistake was found, one researcher did discover that as part of its infection process, this new Petya variant checks for the existence of a local file named perfc.dat.

Perfc.dat has been identified by researchers as the file responsible for spreading the malware and kicking off the infection. If a file by that name is found already existing on a machine, the infection process terminates.

It's an incredibly simple solution, though applying it across an organization may not be. And it obviously doesn't do anything to address the underlying issues or vulnerabilities leaving would-be victims open to attacks.
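As an added example (not code from the original post or from Bleeping Computer), here is a small script that applies the "vaccine" described above and verifies it. The post names only C:\Windows\perfc.dat; the batch file from Bleeping Computer also creates the sibling names perfc and perfc.dll, so all three are included by default. The target directory is a parameter so the routine can be exercised against any folder; the malware only checks that the file exists, so an empty file is enough.

```python
"""Create the read-only perfc "vaccine" files and verify they are in place.

Added example; not part of the original post. Writing to the real Windows
directory requires administrator rights.
"""
import os
import stat

# perfc.dat is the name from the post; perfc and perfc.dll are the extra
# names the Bleeping Computer batch file creates alongside it.
VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def vaccinate(windows_dir, names=VACCINE_NAMES):
    """Create each vaccine file in windows_dir and mark it read-only.

    Existing files are kept; only the read-only flag is (re)applied.
    Returns the list of paths that were processed, in order.
    """
    done = []
    for name in names:
        path = os.path.join(windows_dir, name)
        if not os.path.exists(path):
            # An empty file is sufficient: the check is for existence only.
            with open(path, "wb"):
                pass
        # On Windows, os.chmod with S_IREAD sets the read-only attribute;
        # on POSIX it leaves only the owner read bit. Either way, no write.
        os.chmod(path, stat.S_IREAD)
        done.append(path)
    return done


def is_vaccinated(windows_dir, names=VACCINE_NAMES):
    """True when every vaccine file exists and carries no write permission."""
    for name in names:
        path = os.path.join(windows_dir, name)
        if not os.path.isfile(path):
            return False
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


if __name__ == "__main__":
    # Default target is the live Windows directory (SystemRoot).
    target = os.environ.get("SystemRoot", r"C:\Windows")
    for p in vaccinate(target):
        print("created/locked:", p)
    print("vaccinated:", is_vaccinated(target))
```

Running this on every machine in an organization is the hard part, which is exactly the point the post makes; pushing it through whatever software-distribution tooling already reaches every endpoint is the practical route.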

How does it spread?

Short answer:

The malware uses several techniques for moving laterally within an organization, including credential theft, executing the malware on remote machines using legitimate command line tools, and exploiting SMB vulnerabilities in unpatched machines.


More details:

Once on an infected machine, there are three primary ways the malware attempts to spread laterally through the victim's network:  

    1. Stealing credentials and using them to abuse legitimate command line tools PsExec and WMIC (Windows Management Instrumentation Command-line) in order to execute the malware on remote machines.
    2. Using EternalBlue, the same exploit WannaCry used that targets SMB vulnerability CVE-2017-0144 (which Microsoft issued patches for in March).
    3. Using EternalRomance, another remote execution exploit included in the Shadow Brokers leak that targets Windows XP through Windows Server 2008 systems over TCP port 445 (also patched by Microsoft).

According to researchers at Microsoft, one of the first things the malware does after it lands on a machine is drop a credential harvesting tool similar to Mimikatz ("the Swiss Army knife of Windows credentials").

One of the most common targets for credential stealing tools like this is the Local Security Authority Subsystem Service (LSASS.exe), which stores credentials in memory so users in active Windows sessions don’t have to keep re-entering them to access various network resources (you can actually test your current security against a simulation of this behavior with our free tool, stackhackr).

Next, the malware scans the local network to establish valid connections and attempts to execute itself remotely on new machines using the stolen credentials and either PsExec or WMIC. You can watch a video of the PsExec remote execution in action in our blog post on Sorebrect ransomware's fileless infection technique.

The malware can also attempt to use EternalBlue or EternalRomance to gain remote execution on any machines on the network that are vulnerable (read: unpatched) and have ports 445 and/or 139 open. 
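The three spreading paths above all leave traces in ordinary Windows telemetry: PsExec installs a service named PSEXESVC on the target, remote WMIC use carries a `/node:` argument with `process call create`, the launch itself goes through rundll32 with perfc.dat, and the exploit path shows up as one host opening SMB (port 445) connections to many neighbours in quick succession. The following is an added example, not code from the post or from any vendor, of simple behavioural detections for those traces run over constructed event records; the host names, addresses, field names and the fan-out threshold are all invented for the example.

```python
"""Behavioural detections for the lateral-movement paths described above.

Added example; events are hand-built dicts standing in for Windows
System/Sysmon records and are not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events (hosts, users and addresses are invented).
SAMPLE_EVENTS = [
    # PsExec: its helper service appears on the remote target (System 7045).
    {"log": "System", "id": 7045, "host": "WS-02",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # WMIC remote process creation from an already-infected host.
    {"log": "Sysmon", "id": 1, "host": "WS-01",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"WS-03" /user:"CORP\svc" process call create '
                    r'"C:\Windows\System32\rundll32.exe C:\ProgramData\perfc.dat,#1 30"'},
    # The rundll32 launch line of the kind Microsoft reported seeing.
    {"log": "Sysmon", "id": 1, "host": "WS-03",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30'},
    # Benign: local, non-remote WMIC use by an administrator.
    {"log": "Sysmon", "id": 1, "host": "WS-04",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]
# One host opening SMB connections to many neighbours (Sysmon 3).
SAMPLE_EVENTS += [
    {"log": "Sysmon", "id": 3, "host": "WS-01",
     "DestinationIp": f"10.0.0.{n}", "DestinationPort": 445}
    for n in range(10, 30)
]

# Assumed threshold: distinct :445 destinations from one host before alerting.
SMB_FANOUT_THRESHOLD = 10


def detect(events):
    """Return a list of (rule, host, detail) alerts for the given events."""
    alerts = []
    fanout = defaultdict(set)
    for ev in events:
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        if ev["log"] == "System" and ev["id"] == 7045:
            svc = (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()
            if "psexesvc" in svc:
                alerts.append(("psexec_service_installed", ev["host"], ev.get("ServiceName", "")))
        elif ev["log"] == "Sysmon" and ev["id"] == 1:
            # Remote WMIC: /node: plus "process call create" on the command line.
            if (image.endswith("wmic.exe") and re.search(r"/node:", cmd, re.I)
                    and re.search(r"process\s+call\s+create", cmd, re.I)):
                alerts.append(("wmic_remote_process_create", ev["host"], cmd))
            # rundll32 loading perfc.dat (or perfc) from disk.
            if image.endswith("rundll32.exe") and "perfc" in cmd.lower():
                alerts.append(("rundll32_perfc_launch", ev["host"], cmd))
        elif ev["log"] == "Sysmon" and ev["id"] == 3 and ev.get("DestinationPort") == 445:
            fanout[ev["host"]].add(ev["DestinationIp"])
    # SMB fan-out: one source talking to many distinct :445 destinations.
    for host, dests in fanout.items():
        if len(dests) >= SMB_FANOUT_THRESHOLD:
            alerts.append(("smb_445_fanout", host, f"{len(dests)} distinct destinations"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {host:6s} {detail}")
```

None of these rules needs a file hash; they key on what the tools do (a service named PSEXESVC appearing, WMIC being pointed at another node, one host fanning out on 445), which is why the benign local `wmic os get caption` produces nothing while the remote variant does. The fan-out rule is the noisiest of the four and the threshold should be tuned against a baseline of legitimate file-server traffic before it is used for alerting.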

How did the outbreak start?

Short answer:

Evidence suggests at least some of the initial infections can be traced back to an update for accounting software developed by Ukrainian company M.E.Doc. It appears attackers were able to compromise the company's software supply chain and hide the malware in the update, ensuring that when it rolled out to customers the malware would be installed along with it. 


More details:

Early speculation by various authorities and researchers — including the cybercrime unit of the Ukrainian police — tracing the outbreak back to M.E.Doc was at least partially confirmed by Microsoft late on Tuesday. In a blog post, Microsoft researchers reported observing telemetry showing the accounting software's updater process executing the command line responsible for launching the malware:

C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30

[Image: The updater process for M.E.Doc was compromised to launch Petya. Source: Microsoft]

M.E.Doc denied its software had any role in the attack, though an advisory the company issued early on Tuesday (since deleted) appeared to suggest otherwise. 

[Image: The since-deleted M.E.Doc advisory]

Translation: 

Attention!
Our servers are carrying out a virus attack.
We apologize for the temporary inconvenience!

This also isn't the first time a software update from M.E.Doc has been hijacked to spread malware. In May, an update from the company was connected to the spread of XData ransomware, which also infected businesses across Ukraine. 

The connection to M.E.Doc is also bolstered by the fact that the majority of infections were suffered by organizations based in Ukraine, where M.E.Doc's accounting software is one of only two approved options businesses can use to pay taxes.

[Image: Petya infections were heavily concentrated in Ukraine. Source: Kaspersky]

Global shipping giant Maersk, one of the most prominent victims of the outbreak, was also confirmed to be a M.E.Doc customer.

If we’re patched are we safe?

Short answer:

Not necessarily. Attacking machines that haven't been updated with MS17-010 is one way the malware is spreading, but as covered above, there are others. Yes, to protect your organization you need to patch known vulnerabilities, but you also need to have the right tools, architecture, and practices in place to prevent the attack's other tricks and techniques.  


More details:

Because this attack leveraged EternalBlue (the same exploit that allowed WannaCry to spread), it's easy for knee-jerk reactions of "Companies just need to patch already" to drown out other important takeaways. 

As Microsoft security engineer Jessica Payne puts it: 

Attacks that "live off the land" require new forms of protection

One of the key reasons why this outbreak was so dangerous is that it abused otherwise legitimate tools and commonplace processes.

Victims were initially infected by installing a software update. The attack spread using PsExec and WMIC — two tools commonly associated with system administration that are already present on practically any Windows machine. 

These were conscious choices on the attackers' part. To avoid raising any red flags, they designed the attack to leverage tools that were already present and processes that were mundane or expected.

"A good hacker avoids the use of malware and code exploits whenever possible.... There’s no sense in using malicious code when simpler and quieter means are available."

— Lesley Carhart

As security researcher Lesley Carhart explains in a recent blog post, "The use of [WMI and PsExec to move laterally across a network] is not likely to fire any built-in attack signature in traditional, signature-based security tools. There’s nothing to sandbox nor an unusual unique file hash to scan for. On the surface, this activity will look like administration, and might only be detected by more detailed behavioral analysis."

Protecting your organization against these tactics requires implementing basic security fundamentals such as network segmentation and limiting user privileges, and it also requires utilizing security solutions that are designed to block malicious system behaviors, not just signatures.  

How can I find out if we're protected from the next attack?

Short answer:

Think your security can block the credential theft techniques used by Petya? Find out for sure by running a free simulation. 

More details:

Find out how Barkly protects companies against exploits and fileless "living off the land" techniques that are becoming increasingly popular. See how Barkly's protection works.

Jonathan Crowe


Jonathan writes about cybersecurity from a practical point of view. He has a strict whitelisting policy for filtering out jargon and only sharing tips and tools that actually work.
