Your message is highly valuable for us. One of our experts will follow up with you within 1-2 business days to discuss your request or to inquire for additional information if needed.
With the recent outbreak of Petya (NotPetya, ExPetr) Malware, in our new cybersecurity blog post Infopulse wants to inform our clients and partners about the latest findings and analysis regarding the massive cyberattack, which affected businesses across Europe and the USA.
NotPetya Malware Summary
On Tuesday, June 27, 2017, a major multi-pronged cyberattack campaign similar to the WannaCry campaign hit multiple companies across primarily Central, Eastern, and Southern Europe, with a focus on Ukrainian, German, and Polish companies. At the same time, the Nordic, Western Europe and Asian countries reported very limited attacks and seem to be mostly unaffected by the threat.
As in the case of the WannaCry attack, NotPetya malware targeted large businesses. Known affected companies include Maersk, Merck, WPP, DLA Piper, Nuance Communications, Deutsche Post, Metro, Evraz, Rosneft, Mondelez and more in the USA, Ukraine, the UK, Denmark, Israel, Norway, France, Germany, India, Netherlands, Poland, Russia, Spain, etc. reaching 20,000 machines and businesses across 60+ countries.
NotPetya Attack Mechanism
There is a disagreement in the security community whether the latest malware campaign featured a new version of the Petya.A ransomware family or is a completely new threat. While having many similarities and sharing parts of its code with the original Petya.A ransomware family, the new malware has been called ExPetr, Petna and NotPetya due to distinct differences with original Petya.A.
While no single element of the attack is sophisticated, the combination of:
- exploitation of unpatched vulnerabilities
- distribution mechanisms (if the software update theory is correct)
- multiple mechanisms for lateral movement as well as
- exploiting suboptimal hardening of endpoints
made the overall attack quite potent and raised concerns in regards to protection against similar attacks.
NotPetya Attack Mechanism
The low quality of the original Petya.A code and an easily detectable kill switch, allowed to quickly mitigate the attack. The latest evolution of “Petya/NotPetya” doesn’t require machines to have the same vulnerabilities, and may have different ways of distribution.
The initial attack vector is not confirmed at this time. The attack seems to use the same primary NSA EternalBlue and DoblePulsar exploits that were the backbone of the WannaCry ransomware campaign in mid-May 2017. However, it has more mechanisms to spread within a network compared to WannaCry.
As reported by IBM X-Force, Cisco, Kaspersky and others, there are several opinions about the infection scenario:
- Distribution via the hijacked software update of M.E.Doc (Ukrainian tax and document management software).
- Classic fishing attacks narrowed to well-known big companies on financial, transport and governance areas
- Watering hole attack (through the compromised media websites).
- Attack scenario
- Upon successful infection, the master boot record (MBR) and/or selected files are encrypted, and the user is requested to pay the equivalent of $300 in bitcoins to decrypt their data. Those who paid the ransom, however, have not received decryption keys.
- According to Kaspersky Labs, the malware might be a wiper with the aim to destroy the data and was hidden behind the ransomware attack.
At this moment, there is no known mechanism to decrypt encrypted files and folders. Independent researchers informed that the malware encrypts service part of files and make these files not accessible and unrecoverable. However, Microsoft together with the Ukrainian and international companies have reported to be working on decryption tools.
CyberSecurity Protection against Encryption Attacks
At this time, we believe the initial attack wave is over and the threat is currently under control. Most companies were quick to recover from the attack. Sensitive data was unaffected, as the malware had no means to transfer data to the third parties. The direction of the attack and malware distribution raised concerns whether it was a single-person poorly written prototype released too early or a focused sabotage attack, organized with high-level skills. Per Microsoft, this attack may have been only the first wave.
Most ransomware families are continuously refined and updated, and we must expect that both this specific variant and others will continue to be a significant risk factor in the foreseeable future. The majority of the affected machines had an outdated Windows 7, which is not supported by Microsoft and is not recommended for businesses. For any business, it is strongly recommended to implement a holistic approach towards cybersecurity.
Infopulse will continue to monitor the situation. Our company makes all efforts to protect own infrastructure and avoid any negative destructible influence on our clients.
This write-up will track known developments, and information contained herein is subject to change.