NotPetya: The Ransomware That Spreads Like a Worm

Mohammad Jamal Tabbara, Senior Systems Engineer – UAE & Channel at Infoblox1

Guest written by Mohammad Tabbara, Senior Systems Engineer – UAE and Channel at Infoblox

Barely after the dust has settled on WannaCry, the ransomware that affected hundreds of thousands of computers in 150 countries in May, another ransomware attack, NotPetya, started infecting organizations across Europe and into the Americas on June 27, 2017. Initially, this attack was thought to be a variant of Petya ransomware because the attackers crafted the malware to resemble Petya. Upon further analysis, it was discovered that the main distribution and payment schemes were not consistent with prior Petya campaigns.

Where prior Petya campaign operated an organized payment and decryption key distribution system accessed via the Tor network, this attack relied upon a single email account for coordinating ransom payments and decryption keys. That address was identified and deactivated early leading investigators to conclude it was unlikely attackers intended for it to remain operational through the duration of the campaign.

NotPetya was disseminated via the compromised software update service from MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. The malware spread to more than 12,000 systems in Europe and the Americas. This new variant started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit is the same method used by WannaCry ransomware, and Microsoft had already released a patch for the vulnerability.

Once NotPetya infects a system, it setups encryption routines and attempts to spread over the network. What’s different about NotPetya is that it attempts to extract cached user credentials from the original infected machine and propagates using WMIC. The other difference between NotPetya and WannaCry is that while WannaCry used a killswitch domain, NotPetya doesn’t. Encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the Internet. Our open source intelligence analysis has led us to conclude that the campaign involved the following major actions:

  1. Implanting a trojan into software essential to the intended target
  2. Utilize a watering hole attack through a compromise of the software supply chain and distributing the trojan through the legitimate vendor’s genuine software update service
  3. Enhance the malware to harvest credential and use capabilities inherent in the operating system to move lateral and spread the malware.

The end result of ransomware is to lock up the files on infected machines and demand a ransom to retrieve the data, though the true goals of the NotPetya creators may have been disruption rather than monetary gain,   NotPetya’s encryption process presents a fake chkdsk splash page, which encrypts the hard disk master boot record if a privileged user executes it. Then it schedules a task to restart the system once to prompt the ransom note. If it is unable to execute the payload as a privileged user, then it encrypts the file types annotated below and writes a README.TXT ransom note.

Best practices for staying protected against ransomware
Ransomware has been constantly in the news recently. A total of $1 billion was paid out to ransomware criminals in 2016 alone. 2017 has seen a 6000% increase in ransomware infected emails compared to 2016.

Organizations should follow certain best practices to stay protected against ransomware and other advanced malware.

  1. Backup: Always backup essential data and test the restore procedures.
  2. Timely Patches: Prioritize and apply security updates and patches. Since a known vulnerability in the Microsoft Server Message Block (SMB) was used in this attack, installing updates in the Microsoft March 2017 Security Bulletin will resolve the weakness. It is recommended that SMB is disabled until the proper patches can be applied to the system. (How to Disable SMB)
  3. Network Hygiene: Segment networks to limit the propagation of malware.
  4. User Training: Train your employees to:
    Not open email attachments from unknown senders
    Disable Microsoft Office document macros by default
    Not allow documents to open additional files or execute macros without external confirmation (e.g. phone, in person) that the sender is valid. Further, confirm that they intentionally sent the document that requires the use of those features for a specific reason.
  5. High quality curated threat intelligence feeds: Using high quality curated threat intelligence that is up-to-date can protect users from unwanted DNS communications and maximize DNS protection. In addition, using RPZ based security capability integrated with DNS to detect and block communications to bad sites and command and control servers can help stop the spread of advanced malware and ransomware.