Following May 2017’s WannaCry ransomware attack, a new attack by the ransomware cryptoworm NotPetya is rapidly infecting computer systems. NotPetya, named after a similar virus called Petya, has resulted in organisations worldwide having their data encrypted. The creators of the cryptoworm have demanded the equivalent of around $300, to be paid in Bitcoin.
What is the NotPetya ransomware attack?
NotPetya was first reported in Ukraine. The state power company and Kiev’s main airport were both affected, but the cyber attack has now spread to the US, UK, France, Russia, Denmark and India. Infected computers display a message demanding a Bitcoin ransom. Those who pay are asked to send a confirmation of payment to an email address; however, that email address was shut down by the email provider. In a blog post, the email provider, Posteo, said, “We do not tolerate any misuse of our platform”.
It has been reported that people have not been able to access their data even after paying the Bitcoin ransom.
Technology experts have said that the NotPetya virus appears to be similar to, or an updated version of, Petya (first reported in 2016) or PetrWrap. Both of these ransomware cryptoworms locked computer files and forced users to pay specified sums of money to get access again. Some researchers are also referring to NotPetya as ‘GoldenEye’.
Which companies have been affected by NotPetya?
As it stands, the largest companies affected are: legal firm DLA Piper, Danish shipping and transport giant AP Moller-Maersk, advertising firm WPP, French construction material company Saint-Gobain, the food giant Mondelez, Russian steel and oil firms Evraz and Rosneft, and the Heritage Valley Health System.
In an internal memo to staff, a WPP firm said that they were the targets of “a massive global malware attack, affecting all Windows servers, PCs and laptops”. It went on to warn employees to turn off and disconnect all machines using Windows.
Maersk tweeted saying, “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber-attack. We continue to assess the situation.”
One key difference between NotPetya and the recent WannaCry ransomware attack is that NotPetya is far better designed. The architects of this cryptoworm learnt from the design flaws in WannaCry and ensured they didn’t make the same mistakes.
The website The Register has a handy summary of the NotPetya outbreak. You can see the original source here or read the extract below.
- The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Mimikatz to extract network administrator credentials out of the machine’s running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them.
- It also uses a modified version of the NSA’s stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency’s stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.
- Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
- One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
- With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation’s hard drive’s MBR so that only it starts up when the machine reboots, rather than Windows, allowing it to display the ransom note; it can also encrypt the filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people’s data. Needless to say, don’t pay the ransom – there’s no way to get the keys to restore your documents.
- Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You’d be surprised how many outfits are too loose with their admin controls.
- The precise affected versions of Windows aren’t yet known, but we’re told Windows 10’s Credential Guard spots NotPetya’s password extraction from memory.
- Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn’t stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn’t attempt to spread externally across the internet like WannaCry did.
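The host-level mitigations in the extract above (disable SMBv1, create the read-only kill-switch file, block the SMB/NetBIOS ports from outside, review local admin membership) can be audited and applied with a short PowerShell script. This is an added example, not code from The Register or from this post; it assumes a Windows 10-era machine where Get-SmbServerConfiguration, Disable-WindowsOptionalFeature, New-NetFirewallRule and Get-LocalGroupMember exist, and the firewall rule names are my own.

```powershell
# Added example: audit (default) or apply (-Apply) the NotPetya host mitigations
# quoted above. Run from an elevated PowerShell session.
param([switch]$Apply)   # without -Apply the script only reports current state

$KillSwitch = 'C:\Windows\perfc.dat'            # path quoted in the extract
$SmbPorts   = @{ TCP = @(139, 445); UDP = @(137, 138) }   # ports quoted in the extract

# 1. SMBv1: the EternalBlue/EternalRomance exploits target the SMBv1 server.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host ("SMBv1 server enabled  : {0}" -f $smb1)
if ($smb1 -and $Apply) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature as well so it cannot be re-enabled by accident
    # (Windows 10 feature name; Server editions use Remove-WindowsFeature FS-SMB1).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. Kill-switch file: a read-only perfc.dat stops the encryption stage only;
#    lateral movement continues, so treat this as a stopgap, not a fix.
$ks   = Get-Item -Path $KillSwitch -ErrorAction SilentlyContinue
$ksOk = ($null -ne $ks) -and $ks.IsReadOnly
Write-Host ("Read-only perfc.dat   : {0}" -f $ksOk)
if (-not $ksOk -and $Apply) {
    if (-not $ks) { $ks = New-Item -Path $KillSwitch -ItemType File -Force }
    $ks.IsReadOnly = $true
}

# 3. Firewall: block inbound SMB/NetBIOS from non-local addresses so the worm
#    cannot reach this host from outside its own network.
foreach ($proto in $SmbPorts.Keys) {
    $name = "Block inbound $proto SMB/NetBIOS (NotPetya mitigation)"   # my own rule name
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    Write-Host ("Firewall rule present : {0} ({1} {2})" -f ($null -ne $rule), $proto, ($SmbPorts[$proto] -join ','))
    if (-not $rule -and $Apply) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $SmbPorts[$proto] -RemoteAddress Internet -Action Block | Out-Null
    }
}

# 4. Flat-network check: list local Administrators so unexpected domain accounts
#    (the "local admin carte blanche" problem above) stand out for review.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Run it once without -Apply to see the current state, then with -Apply to remediate; the firewall rule only blocks addresses Windows classifies as Internet, so file sharing within the local network keeps working.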
What was the WannaCry ransomware attack?
The WannaCry ransomware attack was a cyber attack that took place in May. The WannaCry ransomware cryptoworm spread worldwide, infecting computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. WannaCry affected over 230,000 computers across 150 countries.
What are your views?
What are your views on the ransomware attack NotPetya? Let us know in the comment box below.