NotPetya: Ukrainian cyber attack goes global

Last week, another massive cyber attack hit companies across the world. The infection began in Ukraine – taking down computer systems in banks, power companies and Kiev’s main airport – but has spread to thousands of organisations, including Danish transport firm Maersk, French construction materials company Saint-Gobain, Irish pharmaceutical company MSD and Spanish food giant Mondelez.

The malware responsible was first thought to be Petya, but Kaspersky Lab says that, although the virus closely resembles Petya, it is “a new ransomware that has not been seen before”. As a result, many security researchers have dubbed it NotPetya.

What is Petya/NotPetya?

Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Windows operating systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, and demanding a bitcoin payment in order to regain access to the system.

Variants of Petya were identified in May last year, and propagated via infected email attachments. The NotPetya variant first appeared on 27 June this year, but as we reported last week, this variant of NotPetya isn’t technically ransomware – it’s a wiper. In other words, even if you pay the ransom, your data can’t be recovered.

NotPetya takes advantage of the same Server Message Block (SMB) exploit – EternalBlue – that’s used by WannaCry, and it can also spread via another SMB exploit leaked by the Shadow Brokers – EternalRomance. Microsoft has confirmed that patches for both vulnerabilities are available.

How does NotPetya differ from WannaCry?

As with WannaCry, NotPetya has a wormable component that allows it to spread laterally around connected networks. However, it’s method differs from WannaCry in a number of ways. It uses a payload that infects the computer’s master boot record, overwriting the Windows bootloader, which then triggers a restart. When the computer reboots, the payload is executed – it encrypts the master file table (MFT) of the NTFS file system, and then displays the ransomware message. While this is happening, a simulation of the output of CHKDSK, the Windows file system scanner, is displayed on-screen, suggesting that the hard drive is actually being repaired.

According to Nick Bilogorskiy, senior director of threat operations at Cyphort, NotPetya also differs from WannaCry in that:

  • NotPetya is initially distributed over email – specifically, a malicious link sent from an unknown address.
  • NotPetya does not try to encrypt individual files. Instead, it encrypts the master file table.
  • It has a fake Microsoft digital signature appended, copied from Sysinternals.
  • NotPetya also appears to be able to spread laterally using Windows Management Instrumentation (WMI).
  • Some payloads include a variant of Loki Bot, a piece of malware designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from web browsers, and a variety of cryptocurrency wallets.

Sign up for The Daily Sentinel for updates on this story and all the latest cyber security news and advice.

2 Comments

  1. Piet Snot 4th July 2017
    • Luke Irwin 5th July 2017

Leave a Reply

Your email address will not be published. Required fields are marked *