[Correction: An earlier version of this post inaccurately implied that the NSA did not inform Microsoft about the EternalBlue exploit. They did so once the NSA’s systems had been compromised. It also stated that Windows systems that are updated with latest Windows security updates will not be susceptible to the NotPetya ransomware. In fact, even patched systems could still be exploited via other means like NotPetya’s infection route via phony “updates” to the accounting program MeDoc. We apologize for the error.]
First it “slammed” the Internet and “swept” Europe, then it was “something much worse,” and now it’s a “distraction.” This week’s “NotPetya” malware attack on Windows systems has, depending on who you believe, either spread like a devastating cyber-pandemic or amounted to an over-hyped flash-in-the-pan.
In the Ukraine, which took the brunt of the attack, NotPetya certainly disrupted government and business operations, affecting hundreds of companies and offices. The Russian government has been suspected as a possible origin for NotPetya, and on Friday NATO said they strongly suspected a “state actor” or private entity with close ties to a state. Yet, amidst speculation about the outbreak’s source, another part of the NotPetya story could be important down the line too: How might it inspire future malware outbreaks?
“It’s very disturbing that ransomware has started to move laterally,” says Mounir Hahad, senior director and head of Cyphort Labs. “You could do a lot of damage this way.” By lateral movement, Hahad means that NotPetya is designed to spread within local networks from computer to computer, devastating organizations.
Hahad and colleagues have been studying samples of NotPetya in their sandboxed network and posted their findings on Cyphort’s blog earlier this week. Hahad says that NotPetya is a kind of mashup piece of malware that takes WannaCry’s ransomware approach and combines it with a 2016 piece of ransomware called Petya. NotPetya’s creators also threw three modules into the mix (one of which was hacked from the NSA) that effectively create a virulent spreading mechanism for the malware.
It’s this last part that Hahad says could be further mutated to make more dangerous attacks still.
WannaCry, he says, encrypted a user’s files in affected computers and on mounted disks attached to those computers. Then it flashed the now famous warning screen that demanded payment in Bitcoin to decrypt the files.
NotPetya does all this too, upon infection of a system through a hacked “update” to accounting software from a Ukranian software company. And if NotPetya were pure ransomware—designed to maximize the number of ransom payments—it might have stopped there. But NotPetya can also, depending on the level of access it has, make the further devastating attack on a system of rewriting a hard drive’s so-called master boot record, which tells the computer what operating system to run and where to find it.
A hacked computer running this second encryption routine will display a misleading boot screen telling the user it’s trying to “repair” the hard drive’s file system. It says, “WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!”
Users who, understandably, heed the dire warning are unfortunately allowing the computer time to both encrypt the disk and search for ways to infect other systems within the computer’s local area network.
Ultimately the process completes and puts up a text-only screen that tells the user to send $300 in Bitcoin to a fixed address and then to send an email to an address where one can allegedly receive the decryption key.
Hahad says he’s not aware of anyone actually being able to decrypt their systems. In any event, the email address (which reportedly is the same address on every infected computer) was disabled by the ISP soon after NotPetya began spreading.
“The only communication with these threat actors was going to be through that one email account that got terminated pretty quickly by the ISP,” he says. “The second mistake was the fact that there’s a single Bitcoin wallet. That’s the way of tracking who’s making the payments and who isn’t. So if somebody posted a payment to that wallet, anybody else could say, ‘Hey, I’m the one who posted that payment, give me my key.’ There are multiple flaws with the payment method, which clearly indicates that those guys may not have been interested in generating revenue.”
The most original part of NotPetya, Hahad says, is its method of propagating itself within a local network that could infect many other computers within an organization.
“Previous ransomware was mostly targeting the computers they hit via phishing campaigns, and when they got really sophisticated, they started looking for mounted drives on your laptop and encrypted those as well,” he says. “This one goes well beyond that. It’s jumping the gap between your computer and other computers in your organization. So that’s a level above the typical ransomware that we’ve been seeing. So it definitely requires more attention.”
The gap-jumping mechanism, Hahad says, involved three known Windows exploits, including the EternalBlue hack that the NSA allegedly developed but kept from Microsoft until a hack of NSA systems threatened to compromise its secrecy.
Hahad says that if a system has been patched and updated with the latest Windows updates, it won’t be susceptible to the “lateral spreading” he described, via the EternalBlue exploit. And users who do not perform regular backups of their systems will simply lose their files with no recourse to recovering them, he says.