There's been no lack of twists and turns in the still-developing story of this week's global malware outbreak. In the rush to provide new information, share updates, and land scoops, there's also been a lot of conflicting reports and misinformation flying around.
What actually happened? What kind of attack was this, really? And, enough already, what should we be calling the damn thing?
To clear things up, here are answers to the most pressing questions:
Life’s too short. Let’s just agree it’s a new adaptation of Petya and move on.
What to call this malware has been a major point of contention almost from the start of the outbreak, and to understand why we need to cover a little background.
One of the first reports indicating we were seeing another major infection was a tweet from Costin Raiu, Director of Kaspersky's Global Research and Analysis Team. In it, he identified the malware being distributed as a variant of Petrwrap/Petya ransomware.
Petrwrap/Petya ransomware variant with contact email@example.com spreading worldwide, large number of countries affected.— Costin Raiu (@craiu) June 27, 2017
Here's where we need to take a super quick look back at the evolution of Petya:
When it was first identified, Petya quickly gained attention thanks to its unusual encryption routine. Instead of encrypting individual files, it encrypted the Master File Table (MFT), the NTFS index of every file on the volume, which leaves the disk unreadable even though most file contents are untouched. It did so by overwriting the Master Boot Record (MBR) with its own boot code and then forcing Windows to reboot. When victim machines came back up, a fake CHKDSK screen distracted victims while the encryption ran. Once encryption was complete, the ransom screen appeared.
At first glance, this new malware appeared to take a very similar approach — even using the same fake CHKDSK screen:
Petya and "NotPetya" used the same fake CHKDSK screens. Source for top image: Bleeping Computer
So the new malware was clearly Petya, right? Well, unfortunately, it's not that simple.
Petya's first run came to an abrupt end in April 2016 when researchers were able to defeat its encryption. A month later, it was back, packaged together with Mischa ransomware. The new combo gave the attacks more flexibility. If Petya was able to gain admin privileges, it would modify the MBR and encrypt the MFT. If not, the installer would fire up Mischa instead, which would then encrypt the victim's files in the more traditional way.
The same group behind Petya released a new version of the ransomware rebranded as "GoldenEye" at the end of 2016. Aside from cosmetic differences, the major change was that the order of the two encryption stages was switched: the ransomware now encrypted the victim's files first, then attempted to modify the MBR.
Earlier this year, researchers at Kaspersky spotted what appeared to be the work of a "rogue actor" who was essentially able to piggyback off Petya's core functionality while making slight changes that ensured payments would instead go to them.
Dubbed "PetrWrap", this ransomware also took a notably different approach to distribution. Instead of infecting victims via spam emails (as Petya had primarily done), the PetrWrap attackers targeted servers with unprotected RDP access. They also incorporated credential-stealing tools like Mimikatz into their attacks, enabling them to abuse the Sysinternals remote-execution utility PsExec to move laterally and spread the ransomware throughout the network.
These are some of the same tactics that would help the latest version of Petya spread a month later...
Cue Costin Raiu's tweet and a series of reports indicating a new global ransomware outbreak was rapidly unfolding.
At this point, it was fairly clear the malware at the center of the maelstrom was at the very least based on Petya, and utilizing delivery and infection tactics that the PetrWrap attackers had used.
But then Kaspersky analysts muddied the waters by claiming the malware was in fact a new ransomware variant they were calling NotPetya.
Kaspersky Lab analysts say new attacks are not a variant of Petya ransomware as publicly reported, but a new ransomware they call NotPetya pic.twitter.com/Uf8phx9Pkf— Patrick O'Neill (@HowellONeill) June 27, 2017
Shortly afterwards, #NotPetya was trending alongside #Petya on Twitter and the whole thing took on a "Team Edward or Team Jacob" vibe.
Typical identifying calling cards for this ransomware are missing
Malware naming disputes are extremely common, but when it comes to ransomware, things are typically much more clearcut — researchers simply look at what the extensions for encrypted files get changed to (ex: .locky, .cerber, etc.) or what the ransom note says, and go with that.
The problem here is this variant of Petya doesn't make any changes to file extensions, and whereas the original Petya and GoldenEye both identified themselves in their ransom notes, that's not the case this time around.
This new Petya variant doesn't identify itself in its ransom note. Source for top image: Bleeping Computer
The PetrWrap attackers had also removed identification from their ransom screens, purportedly because they didn't want to tip people off they were hijacking Petya's code.
With no clear name provided by the attackers, the vacuum is being filled by researchers who, in addition to Petya / NotPetya, have submitted the following options for consideration:
So which name is right? Ultimately, this will likely be decided the same way new words like "hangry" get added to the dictionary — regardless of technical justification, whichever term gets used by the most people is probably going to stick.
Some researchers are arguing that since the malware’s design actually makes it impossible to recover infected systems, its purpose wasn’t to make criminals money, but to inflict damage — possibly on specific political targets (Ukraine). That makes this malware less of a ransomware and more of a wiper.
Two separate reports from researchers at Comae Technologies and Kaspersky Lab have independently arrived at the same conclusion: the malware involved in this outbreak acts like ransomware, but it wasn't actually designed to allow victims to regain access to their encrypted systems and files at any point.
Evidence A: No valid infection ID
In order for ransomware like Petya to issue a decryption key for paying victims, it needs to obtain the personal installation ID it created during each infection. This ID is supposed to contain unique identifying information crucial for issuing the right decryption key.
While analyzing the malware, however, researchers at Kaspersky discovered that the infection IDs it creates are actually just strings of randomized, meaningless digits.
The installation ID created by the new Petya variant can't actually be used to gain the decryption key. Source: Kaspersky
That makes recovering the decryption key and restoring encrypted files or drives impossible, even if victims did decide to pay.
Evidence B: The master file table encryption isn't reversible
Comae founder Matt Suiche discovered a separate flaw in the malware's encryption that led him to the same conclusion. Whereas the original Petya modified the disk in such a way that it could later revert its changes, the new variant does permanent and irreversible damage by overwriting portions of the disk without first reading or saving them.
Comparing the new variant's wiper-like disk code (left) with the original Petya code (right). Source: Matt Suiche
Both Suiche and the Kaspersky researchers argue the missing functionality does not appear to be accidental, the implication being that the malware wasn't designed for extortion but for destruction and disruption.
Therefore, the suspicion now is that this wasn't truly a ransomware outbreak conducted by your average financially-motivated cyber criminals, but rather a more targeted attack using that narrative as cover.
As this article points out, it's a tactic that's been used before with the Shamoon and KillDisk malware families.
One of the specific ways it’s spreading is the same, but pretty much everything else is different.
Any major attack this close to the WannaCry outbreak was bound to receive comparisons, but the fact that this attack utilized the EternalBlue exploit made that a certainty.
What is EternalBlue?
EternalBlue is one of the purported NSA exploits leaked in April 2017 by the Shadow Brokers group. It targets a vulnerability (CVE-2017-0144) in version 1 of Server Message Block (SMB), the network file-sharing protocol Windows uses.
What makes EternalBlue so dangerous is that:
Microsoft had actually released an update (MS17-010) that addresses the SMB vulnerability and renders EternalBlue ineffective in March, a month prior to the Shadow Brokers leak. But as the WannaCry outbreak showed, large numbers of organizations were unable or unwilling to patch in time to avoid compromise.
To use the exploit, all the WannaCry attackers had to do was scan the Internet for systems with port 445 open, and then fire away. Then, as part of the infection process, the ransomware would scan the local network and wider Internet for additional victims with SMB exposed.
Unlike WannaCry, the Petya outbreak only uses EternalBlue to spread laterally within an infected network. And if that isn't successful, it has additional tricks up its sleeves (more on those below).
As explained above, the other major difference is the payload itself: this Petya variant behaves very differently from WannaCry once it runs and, arguably, isn't truly ransomware at all.
No. But there is a vaccine of sorts. Create a file named perfc (no extension) in the C:\Windows folder and make it read only; because the check is keyed to the malware's own file name, it's common to also create perfc.dat and perfc.dll alongside it. Note: this must be done on every computer you want to protect, and it only stops this variant. Lawrence Abrams at Bleeping Computer has created a batch file that creates all three files for you.
When word of a new outbreak spread, researchers raced to find a "kill switch" like the one that shut down the WannaCry outbreak. While no similar mistake was found, one researcher did discover that as part of its infection process, this new Petya variant checks for the existence of a local file with its own name in C:\Windows.
perfc.dat is the name the malware's main DLL is dropped under, and launching that DLL is what kicks off the infection. Before it does anything else, the DLL looks for a file with its own base name (perfc) in C:\Windows; if one already exists, it assumes it has already run on this machine and the infection process terminates.
It's an incredibly simple solution, though applying it across an organization may not be. And it obviously doesn't do anything to address the underlying issues or vulnerabilities leaving would-be victims open to attacks.
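The following PowerShell script is an added example, not the article's own or Bleeping Computer's batch file. It creates the three read-only vaccine files locally and then pushes the same routine to a list of machines over WinRM. The hostnames in $targets are constructed placeholders to replace with your own inventory, and the script assumes you run it from an elevated session with admin rights on the targets.

```powershell
# Added example: deploy the perfc "vaccine" described above to one or many hosts.
# Assumptions: elevated session, local admin on every target, WinRM enabled
# (Enable-PSRemoting) on the targets, and $targets replaced with real hostnames.

# perfc is the name the malware actually checks for; the other two are belt-and-braces.
$vaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll')

$vaccine = {
    param([string[]]$Names)
    $results = @()
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name          # e.g. C:\Windows\perfc
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Mark read-only so the dropper cannot simply overwrite or replace it.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        $results += [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            File     = $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
    $results
}

# Apply to the machine you are sitting on...
& $vaccine -Names $vaccineFiles | Format-Table Computer, File, ReadOnly -AutoSize

# ...and to every host in the list. Constructed hostnames; replace with your inventory.
# (,$vaccineFiles) passes the whole array as one argument instead of splatting it.
$targets = @('WKS-001', 'WKS-002', 'FILESRV-01')
Invoke-Command -ComputerName $targets -ScriptBlock $vaccine -ArgumentList (,$vaccineFiles) -ErrorAction Continue |
    Format-Table PSComputerName, File, ReadOnly -AutoSize
```

The script is idempotent, so it is safe to re-run from a scheduled task or GPO startup script until every machine reports ReadOnly = True. Hosts that fail to answer over WinRM show up as errors rather than silently missing, which is the list you need to chase by hand.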
The malware uses three primary techniques for moving laterally within an organization: stealing credentials, executing itself on remote machines using legitimate command-line tools, and exploiting SMB vulnerabilities on unpatched machines. Once it's on a machine, here is how each of those works:
According to researchers at Microsoft, one of the first things the malware does after it lands on a machine is drop a credential harvesting tool similar to Mimikatz ("the Swiss Army knife of Windows credentials").
One of the most common targets for credential stealing tools like this is the Local Security Authority Subsystem Service (LSASS.exe), which stores credentials in memory so users in active Windows sessions don’t have to keep re-entering them to access various network resources (you can actually test your current security against a simulation of this behavior with our free tool, stackhackr).
Next, the malware scans the local network to establish valid connections and attempts to execute itself remotely on new machines using the stolen credentials and either PsExec or WMIC. You can watch a video of the PsExec remote execution in action in our blog post on Sorebrect ransomware's fileless infection technique.
The malware can also attempt to use EternalBlue or EternalRomance to gain remote execution on any machines on the network that are vulnerable (read: unpatched) and have ports 445 and/or 139 open.
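Because the PsExec and WMIC steps look like administration, the practical way to catch them is to hunt the event logs for the command lines and service installs they leave behind. The script below is an added example written for this article, not Microsoft's or the malware's own code. It assumes process-creation auditing with command-line logging is enabled (Security event 4688 then carries a CommandLine field), that it runs elevated, and that the regex patterns, which are assumptions based on how these tools are normally invoked, are tuned for your environment.

```powershell
# Added example: hunt the local event logs for the three lateral-movement behaviours above.
# Assumptions: elevated session; "Include command line in process creation events" enabled;
# the patterns are generic invocation shapes, not strings taken from the malware.

$since = (Get-Date).AddDays(-2)

# Indicator name plus the command-line shape that should trip it (Security 4688).
$indicators = @(
    @{ Name = 'WMIC remote process creation'; Pattern = 'wmic(\.exe)?\s+.*/node:.*process\s+call\s+create' },
    @{ Name = 'PsExec launch';                 Pattern = 'psexec(\.exe)?\s+.*\\\\' },
    @{ Name = 'rundll32 loading perfc';        Pattern = 'rundll32(\.exe)?.*perfc\.dat.*#1' }
)

function Get-EventField {
    # Pull one named EventData field out of an event's XML representation.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Field)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Field }).'#text'
}

function Find-LateralMovement {
    param([datetime]$StartTime)
    $hits = @()

    # 1. Process creations with suspicious command lines.
    $procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $procEvents) {
        $cmd = Get-EventField -Event $e -Field 'CommandLine'
        if (-not $cmd) { continue }   # auditing without command lines: nothing to match on
        foreach ($ind in $indicators) {
            if ($cmd -match $ind.Pattern) {
                $hits += [pscustomobject]@{
                    Time        = $e.TimeCreated
                    Indicator   = $ind.Name
                    User        = Get-EventField -Event $e -Field 'SubjectUserName'
                    CommandLine = $cmd
                }
            }
        }
    }

    # 2. PsExec leaves a trail even without 4688: it installs the PSEXESVC service (System 7045).
    $svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $svcEvents) {
        $svcName = Get-EventField -Event $e -Field 'ServiceName'
        if ($svcName -like 'PSEXESVC*') {
            $hits += [pscustomobject]@{
                Time        = $e.TimeCreated
                Indicator   = 'PSEXESVC service installed'
                User        = $e.UserId
                CommandLine = Get-EventField -Event $e -Field 'ImagePath'
            }
        }
    }

    $hits | Sort-Object Time
}

Find-LateralMovement -StartTime $since | Format-Table -AutoSize -Wrap
```

Run it on the machine you suspect was the beachhead and on a sample of others; a legitimate admin's PsExec session shows up too, so the signal is the pairing of these events with an account or source host that has no business running them, which is exactly the "behavioral analysis" Lesley Carhart describes further down. The EternalBlue path leaves no such trail in these two logs; for that you need the patch state and network-level visibility covered below.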
Evidence suggests at least some of the initial infections can be traced back to an update for accounting software developed by Ukrainian company M.E.Doc. It appears attackers were able to compromise the company's software supply chain and hide the malware in the update, ensuring that when it rolled out to customers the malware would be installed along with it.
Early speculation by various authorities and researchers — including the cybercrime unit of the Ukrainian police — tracing the outbreak back to M.E.Doc was at least partially confirmed by Microsoft late on Tuesday. In a blog post, Microsoft researchers reported observing telemetry showing the accounting software's updater process executing the command-line responsible for launching the malware:
"C:\Windows\system32\rundll32.exe" "C:\ProgramData\perfc.dat",#1 30
The updater process for MeDoc was compromised to launch Petya. Source: Microsoft
M.E.Doc denied its software had any role in the attack, though an advisory the company issued early on Tuesday (since deleted) appeared to suggest otherwise.
Our servers are undergoing a virus attack.
We apologize for the temporary inconvenience!
This also isn't the first time a software update from M.E.Doc has been hijacked to spread malware. In May, an update from the company was connected to the spread of XData ransomware, which also infected businesses across Ukraine.
The connection to M.E.Doc is also bolstered by the fact that the majority of infections were suffered by organizations based in Ukraine, where M.E.Doc's accounting software is one of only two approved options businesses can use to pay taxes.
Petya infections were heavily concentrated in Ukraine. Source: Kaspersky
Global shipping giant Maersk, one of the most prominent victims of the outbreak, was also confirmed to be a M.E.Doc customer.
Not necessarily. Attacking machines that haven't been updated with MS17-010 is one way the malware is spreading, but as covered above, there are others. Yes, to protect your organization you need to patch known vulnerabilities, but you also need to have the right tools, architecture, and practices in place to prevent the attack's other tricks and techniques.
Because this attack leveraged EternalBlue (the same exploit that allowed WannaCry to spread), it's easy for knee-jerk reactions of "Companies just need to patch already" to drown out other important takeaways.
As Microsoft security engineer Jessica Payne puts it:
Network segmentation, least privilege, credential hygiene, and targeted monitoring need to become the new normal for business continuity.— Jessica Payne (@jepayneMSFT) June 29, 2017
Attacks that "live off the land" require new forms of protection
One of the key reasons why this outbreak was so dangerous is that it abused otherwise legitimate tools and commonplace processes.
Victims were initially infected by installing a software update. The attack spread using WMIC, which ships with every Windows installation, and PsExec, a Microsoft Sysinternals administration tool so widely used by IT staff that its presence rarely raises eyebrows (the malware carried its own copy).
These were conscious choices on the attackers' part. To avoid raising any red flags, they designed the attack to leverage tools that were already present and processes that were mundane or expected.
As security researcher Lesley Carhart explains in a recent blog post, "The use of [WMI and PsExec to move laterally across a network] is not likely to fire any built-in attack signature in traditional, signature-based security tools. There’s nothing to sandbox nor an unusual unique file hash to scan for. On the surface, this activity will look like administration, and might only be detected by more detailed behavioral analysis."
Protecting your organization against these tactics requires implementing basic security fundamentals such as network segmentation and limiting user privileges, and it also requires utilizing security solutions that are designed to block malicious system behaviors, not just signatures.
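To make those fundamentals concrete, the script below is an added example written for this article (not Barkly's, Microsoft's or Jessica Payne's code). It audits, and optionally applies, three host-level controls that cut across the spread techniques described above on Windows 8.1 / Server 2012 R2 or newer: disabling SMBv1 (the protocol EternalBlue and EternalRomance exploit), blocking inbound SMB on workstations so PsExec, WMIC and the SMB exploits have nothing to connect to, and running LSASS as a protected process so Mimikatz-style tools cannot read its memory. It assumes an elevated session and that the host is a workstation, not a file server; a KB-number check for MS17-010 is deliberately left out because the fix ships under a different KB per OS build and has since been folded into cumulative rollups, so check patch state with your update tooling instead.

```powershell
# Added example: audit (default) or apply (-Apply) three controls against this outbreak's
# lateral-movement techniques. Assumptions: elevated session, Windows 8.1/2012 R2 or newer,
# host is a workstation that does not need to accept inbound SMB.
param([switch]$Apply)

$blockRuleName = 'Block inbound SMB (TCP 139/445)'
$lsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SmbHardeningState {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $rule = Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue
    $lsa  = Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled       = $smb1
        InboundSmbBlocked = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block')
        LsaProtection     = ($null -ne $lsa -and $lsa.RunAsPPL -eq 1)
    }
}

function Set-SmbHardening {
    # 1. EternalBlue/EternalRomance target SMBv1: turn the server side off outright.
    #    (On Windows 8.1/10 the feature can also be removed entirely with
    #    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. A workstation only ever initiates SMB to servers; it has no business accepting it.
    #    Block rules win over the built-in "File and Printer Sharing" allow rules, so this
    #    alone closes the door to PsExec, WMIC-over-DCOM is unaffected but the SMB exploits
    #    and PsExec's ADMIN$ copy are. Outbound access to file servers keeps working.
    if (-not (Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $blockRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Domain,Private,Public | Out-Null
    }

    # 3. Run LSASS as a protected process (PPL). Credential dumpers then need a signed
    #    kernel driver to read it, which is a far bigger ask than running Mimikatz as admin.
    #    Takes effect after a reboot.
    Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord
}

$before = Get-SmbHardeningState
if ($Apply) {
    Set-SmbHardening
    [pscustomobject]@{ Before = $before; After = Get-SmbHardeningState }
} else {
    $before
}
```

Run it without -Apply first across a sample of machines to see how far from the target state you are; the audit output is what you want in a dashboard long after this outbreak is over. Note that blocking inbound SMB on workstations also breaks the legitimate use of PsExec against them, which is the point: route remote administration through a jump host or WinRM, where it can be allowed from a known source range and logged, rather than leaving every workstation open to every other one.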
Think your security can block the credential theft techniques used by Petya? Find out for sure by running a free simulation.
Find out how Barkly protects companies against exploits and fileless "living off the land" techniques that are becoming increasingly popular. See how Barkly's protection works.
Get the latest security news, tips, and trends straight to your inbox.