A sudden outbreak of Petya-like ransomware dubbed as NotPetya/SortaPetya/Petnahas has triggered a wave of panic across Europe and is spreading to the United States. UK, Ukraine, Italy, the Netherlands, Spain, and Denmark are probably the most impacted ones. The Petya or NotPetya ransomware Trojan is a Ransomware-as-a-Service (RaaS) malware family, and was first identified in 2016.
The attackers have demanded $300 in Bitcoin in exchange for the decryption key, and have left the email ID: wowsmith123456[@]posteo.net as part of the contact details.
Victims So Far
Anton Gerashchenko, an aide to the Ukrainian Interior Minister, has stated that this infection is “the biggest in Ukraine’s history.” The attack has spread across industries. Kievenergo, a utility company, turned off all of their computers after Petya breached their network. Another power company, Ukrenergro, has also reported that they have been affected by the malware. Ukraine’s Central Bank has issued a warning on their website regarding how several banks within the country have also been targeted by threat actors. The Ukrainian deputy prime minister, Pavlo Rozenko, tweeted an image of a black computer screen stating that the entirety of the government’s computer systems has been shut down because of the Trojan.
The malware distribution has also reached entities in Denmark and France. The Danish conglomerate company, Maersk, has stated that its customers are unable to use online booking systems and that their internal systems are offline.
Saint-Gobain, a French manufacturing company, has also released a statement discussing that they too have been affected by Petya.
New Petya Variant Mimicking WannaCry
Based on a few captured NotPetya samples, we’ve concluded that the author of this Petya variant has taken inspiration from the WannaCry epidemic that we witnessed in the month of May. However, unlike WannaCry, Petya encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that limits the access of its victims only to the ransom note and prevents the infected computers from booting. Due to this, Petya can be considered more dangerous and intrusive compared to WannaCry or any other strains of ransomware.
NotPetya mimics WannaCry heavily in terms of the added SMB exploit functionality, which allows Petya to spread across the local area network. Security researchers have confirmed that a modified version of ETERNALBLUE has been used similar to WannaCry and is found targeting vulnerabilities addressed in MS17-010.
Other than ETERNALBLUE, a remote code exploit known as ETERNALROMANCE has also been found in the current strains of NotPetya.
How Petya Infects?
Infection Routes
It has appeared that NotPetya took two distinct routes to gain access to systems:
Infection Phases
The NotPetya ransomware waits for 10-60 minutes post infection to initiate a system reboot. Encryption of MFT table starts once the system reboots. The existing MBR will get overwritten with a customized bootloader during this phase, which presents a ransom note to its victims.
Infection Spreads
After a successful encryption, the worm module activates and starts enumerating all available network adapters. Next, it ascertains all known server names via NetBIOS and current DHCP leases (if available). It Probes every IP addresses on the local network for open TCP ports 445 and 139. Machines that have these ports open will be infected by copying the ransomware module from the original infected system.
The ransomware also uses a tweaked edition of Minikatz tool, which arms the malware to extract network administrator credentials out of the machine's primary memory. In the event the Trojan is unable to exploit SMB related vulnerabilities, it will run the said tool to capture the credentials and execute on other machines using PsExec and WMIC to infect them.
Target Industries
Government, Harbour terminals, Airports, Electricity grids, Banks, Factories (mining and steel), Insurance companies, Pharmaceutical, Military, Russian steel, and Metro transportation
Is there a Kill Switch?
Security researchers have identified something similar to a “Kill Switch”. It mostly appeared as a vaccine as it cannot be used centrally (by registering as a domain) to stop the spread across the globe. Its utility is limited to the local system. By creating a read-only file under C:Windows using the name “perfc” it is possible to stop the encryption with the current version of NotPetya.
Although, this blocks NotPetya from executing, it doesn't stop it from spreading on the network. Note, the ransomware is designed to spread internally within an hour or so from its first hit.
How can this be prevented?
