{"id":2082,"date":"2017-06-27T17:19:03","date_gmt":"2017-06-27T17:19:03","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=2082"},"modified":"2020-05-06T10:27:58","modified_gmt":"2020-05-06T17:27:58","slug":"notpetya-the-ransomware-that-spreads-like-a-worm","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/notpetya-the-ransomware-that-spreads-like-a-worm\/","title":{"rendered":"NotPetya \u2013 The Ransomware that Spreads like a Worm"},"content":{"rendered":"

(Title and content updated upon further analysis)<\/em><\/p>\n

Barely after the dust has settled on\u00a0WannaCry<\/a>, the ransomware that affected hundreds of thousands of computers in 150 countries in May, another ransomware attack,\u00a0Not<\/em><\/strong>Petya<\/em><\/strong>, started infecting organizations across Europe and into the Americas on June 27, 2017. Initially, this attack was thought to be a variant of Petya ransomware because the attackers crafted the malware to resemble Petya. Upon further analysis, it was discovered that the main distribution and payment schemes were not consistent with prior Petya campaigns. Where prior Petya campaign operated an organized payment and decryption key distribution system accessed via the Tor network, this attack relied upon a single email account for coordinating ransom payments and decryption keys. That address was identified and deactivated early leading investigators to conclude it was unlikely attackers intended for it to remain operational through the duration of the campaign.<\/p>\n

NotPetya was disseminated via the compromised software update service from MeDoc, a distributor of tax accounting software mandated by the Ukrainian government. The malware spread to more than 12,000 systems in Europe and the Americas. This new variant started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as\u00a0ETERNALBLUE<\/strong>. The SMB exploit is the same method used by WannaCry ransomware, and Microsoft had already released a patch for the vulnerability.<\/p>\n

Once NotPetya infects a system, it setups encryption routines and attempts to spread over the network. What\u2019s different about NotPetya is that it attempts to extract cached user credentials from the original infected machine and propagates using WMIC. The other difference between NotPetya and WannaCry is that while WannaCry used a killswitch domain, NotPetya doesn\u2019t. Encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the Internet. Our open source intelligence analysis has led us to conclude that the campaign involved the following major actions:<\/p>\n

    \n
  1. Implanting a trojan into software essential to the intended target<\/li>\n
  2. Utilize a watering hole attack through a compromise of the software supply chain and distributing the trojan through the legitimate vendor\u2019s genuine software update service<\/li>\n
  3. Enhance the malware to harvest credential and use capabilities inherent in the operating system to move lateral and spread the malware.<\/li>\n<\/ol>\n

    The end result of ransomware is to lock up the files on infected machines and demand a ransom to retrieve the data, though the true goals of the NotPetya creators may have been disruption rather than monetary gain,\u00a0\u00a0 NotPetya\u2019s encryption process presents a fake chkdsk splash page, which encrypts the hard disk master boot record if a privileged user executes it. Then it schedules a task to restart the system once to prompt the ransom note. If it is unable to execute the payload as a privileged user, then it encrypts the file types annotated below and writes a README.TXT ransom note.<\/p>\n

    Best practices for staying protected against ransomware<\/strong><\/p>\n

    Ransomware has been constantly in the news recently. A total of $1 billion was paid out to ransomware criminals in 2016 alone. 2017 has seen a 6000% increase in ransomware infected emails compared to 2016. Organizations should follow certain best practices to stay protected against ransomware and other advanced malware.<\/p>\n

      \n
    1. Backup<\/strong>: Always backup essential data and test the restore procedures.<\/li>\n
    2. Timely Patches:<\/strong>\u00a0Prioritize and apply security updates and patches. Since a known vulnerability in the Microsoft Server Message Block (SMB) was used in this attack, installing updates in the\u00a0Microsoft March 2017 Security Bulletin<\/a>\u00a0will resolve the weakness. It is recommended that SMB is disabled until the proper patches can be applied to the system. (How to Disable SMB)<\/a><\/li>\n
    3. Network Hygiene<\/strong>: Segment networks to limit the propagation of malware.<\/li>\n
    4. User Training:<\/strong>\u00a0Train your employees to<\/li>\n<\/ol>\n