On June 27, 2017, a digital attack campaign struck banks, airports and power companies in Ukraine, Russia and parts of Europe. Security experts who analyzed the attack determined its behavior was consistent with a form of ransomware called Petya. They also observed the campaign was using a familiar exploit to spread to vulnerable machines. Let's take a deeper dive into how this ransomworm campaign evolved. To help us in our effort, below is a timeline of how the attack unfolded.
05:00 - 06:00 EDT– June 27, 2017
The first signs of a digital attack campaign emerge on Twitter. Early in the morning, Dragos founder and CEO Robert M. Lee tweets out reports indicating that Kyivenergo, an electric power supplier to Kiev, has suffered a hacking attack that's affected Ukrenergo, a Ukrainian power distributor which likely suffered an infection of Industroyer in December 2016. https://twitter.com/RobertMLee/status/879682970914885634 Around that same time, Danish power distributor confirms its "systems are down across multiple sites and business units." https://twitter.com/Maersk/status/879675963927351296 The company follows up with a statement to its website indicating it's been a victim of a "cyber attack." Other affected organizations then begin coming forward. Among them are Ukraine's government, France’s Saint-Gobain, the offices of multinationals in Spain and the British advertising group WPP.
08:00 EDT – June 27, 2017
Threat intelligence provider Symantec Security Response confirms that Petya ransomware is responsible for the digital attacks. In a tweet, it reveals the threat is using EternalBlue. https://twitter.com/threatintel/status/879716609203613698 Developed by the U.S. National Security Agency (NSA), EternalBlue is an exploit that abuses a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. A hacker group known as the Shadow Brokers published this exploit along with other Windows-based exploits developed by the NSA on the web in April 2017. Attackers capitalized on this exposure by incorporating the exploit into a new variant of WannaCry ransomware. Equipped with this attack code and worm-like capabilities, WannaCry spread across 150 countries and affected more than 300,000 organizations beginning on May 12, 2017.
10:00 EDT – June 27, 2017
Kaspersky Lab tweets out a statement clarifying that the ransomworm is not a variant of Petya but is actually a new ransomware they named "NotPetya." They also reveal the threat has affected approximately 2,000 organizations at the time of their posting. https://twitter.com/kaspersky/status/879749175570817024 As explained by information security researcher "the grugq," researchers' struggle to correctly identify the ransomware stems from some code shared between Petya and the new threat:
"The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'"
Others in the security community feel the purpose behind the ransomware is inconsequential to its code structure, sequencing which is too similar to Petya's to overlook: https://twitter.com/hasherezade/status/880065316994170880 Later on, researchers at Kaspersky Lab publish a larger analysis of NotPetya. They reveal that the ransomware does use EternalBlue, as well as EternalRomance, another exploit targeting some Windows machines as infection vectors. Kaspersky also discloses NotPetya's ability to use Mimikatz to extract administrative credentials from an infected system using the lsass.exe process. The threat can then use other tools, such as Windows Management Instrumentation (WMI) or PsExec, to infect other computers on a network.
12:00 EDT – June 27, 2017
Ukraine's police confirm MeDoc, an accounting software package that many Ukrainians use to pay their taxes, as a NotPetya infection vector. https://twitter.com/CyberpoliceUA/status/879772963658235904 MeDoc responds by denying any responsibility for the attacks in a Facebook post, noting it pushed out its last update starting on June 22 – five days before the attack occurred. But some in the security community say they have the logs to prove that MeDoc was the source of the ransomworm campaign. Among them, Malwarebytes releases a blog post later that afternoon reiterating security researchers' belief that an update released by MeDoc at 10:30 GMT on June 27, 2017, allegedly installed the malware on the "victim zero" system.
13:00 EDT – June 27, 2017
Security researchers begin to share ways by which affected users and businesses can counteract the ransomware. Some note NotPetya runs on boot. As a result, victims can prevent the ransomware from encrypting their files by quickly powering down before Window boots or if they see a "Check Disk" message. Others like Dave Kennedy, founder of TrustedSec and Binary Defense, reveal administrators can stop NotPetya from writing/executing by creating a file "C:\Windows\perfc.dat". https://twitter.com/HackingDave/status/879788087001436160 The ransomware looks for this file on an infected computer. If it discovers it, it exits its encryption routine. Administrators must install this file on every computer to forestall encryption, however. As a result, the file proves to be more of a vaccine than a killswitch.
05:00 EDT – June 28, 2017
Some in the security community tweet out that victims who have paid NotPetya are not getting their files back. https://twitter.com/mikko/status/880036070267772929 Posteo, a German email provider, appears to have produced this turn of events on June 27, 2017, when they discovered someone abusing their services. As it writes in a blog post:
"Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases."
With the NotPetya attackers' email blocked, victims have no way of recovering their files if they didn't have data backups already in place.
Conclusion
To protect against ransomware campaigns such as NotPetya, it's important that users and businesses alike update their operating system software regularly, don't click on suspicious attachments, and back up their critical data on a regular basis. For more ransomware prevention tips, click here.
