It’s absolute mayhem right now in the cyber security world thanks to a ransomware attack called NotPetya that first struck in Ukraine. The June 27th ransomware attack seems to have affected more than 12,500 computers and reached over 64 countries, according to Microsoft. The primary target appears to have been Ukraine. Experts have concluded that financial software firm MeDoc was the first victim and became the watering hole from which the attack spread.
The ransomware then spread through MeDoc’s software updates to their clients and then beyond. The investigation into the spread is still ongoing, since the 63 other countries outside Ukraine that were affected had little or no connection to MeDoc. Some sources are pointing to email phishing as another distribution channel for the attack. Some of the more notable international companies that were impacted include Merck, DLA Piper, AP Moller-Maersk, WPP, and even FedEx! These companies are each in different countries but were also among the largest in their industries. Many of these victims are still not back in operation since the attack.
This particular cyber attack may mark a new paradigm, mainly because of its sophistication and because the intent of the attack was not to make money.
This was an attack meant to sabotage and disrupt economies. The impacts of this attack are so significant that governments have responded internationally. Tomáš Minárik, one of the leading cyber security researchers for NATO, commented that:
“…as important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”
Knowing how NotPetya works will help you understand why it had such a devastating impact on its victims. It will also help keep you and your company safe.
How it Works
Below are the most recent updates on how NotPetya works:
Delivery and Installation
NotPetya is not an executable file (.exe) like previous ransomware. Instead, it is a .dll file, which needs to be loaded and executed by another program. In the case of NotPetya, it was executed by MeDoc’s legitimate updater. Once MeDoc’s updater runs its standard process, it activates NotPetya, which installs itself on the machine. Below is a diagram from Microsoft of the chain of execution.
Whole Network Spread
The uniqueness of this ransomware is in its lateral movement capabilities: the ransomware infects the entire network and can easily bring down a company’s entire operation. This was made possible because the developers of NotPetya used stolen exploit code developed by the US National Security Agency (NSA), the exploits known as EternalBlue and EternalRomance, which take advantage of vulnerabilities in Microsoft’s SMB file-sharing protocol.
NotPetya spreads by stealing any credentials that live on the network or by re-using credentials from existing active sessions. It also spreads by using file sharing to transfer the malicious file across computers on the same network. Lastly, it uses the same method as WannaCry, abusing legitimate functionality on unpatched machines to execute the encryption. This last method is where most small and medium-sized businesses are most exposed.
NotPetya’s lateral movement capability means that other cyber criminals can develop even more advanced attacks to disrupt economies.
Encryption, Lock-out, & Deletion
The impact of encryption depends on the privileges the infected computer has. However, due to the ransomware’s lateral movement, it is very likely that NotPetya will gain access to an administrator account. NotPetya reboots your system, and it then looks like your computer is simply scanning your files. What is really happening is that all your files are being encrypted; security experts have said the best thing to do in this case is to cut power to your computer. It will be hard for many users to detect, since it appears to be a normal process. Once NotPetya has encrypted your files, your computer will reboot again and display a ransom message demanding bitcoins. At this point your files are gone for good, unless you have a backup saved elsewhere. The ransom page appears exactly like the one from WannaCry; however, security experts have pointed out that this time there were so many gaps in the money transfer process that it seems to be a front. In the final stage, NotPetya overwrites the encrypted files, unlike other ransomware, which simply changes the file name. Also, do not bother with the unlock key: it does not exist.
Protecting Yourself from NotPetya
Expert recommendations have been consistent internationally; they include the following:
- IT Updates: NotPetya and WannaCry took advantage of out-of-date systems. While it is often highlighted that small and medium businesses are vulnerable, many major businesses were affected. Microsoft has stated that anyone with an updated operating system should be safe from NotPetya. Cyber criminals have been taking advantage of old vulnerabilities; those who have not kept their systems, browsers, and applications up to date are at risk.
- Backups: If NotPetya infects your system or network, you do not want to lose all of your data. Make sure you regularly back up your network so that you can recover in the event of an attack. Backups should ideally be kept offline and in the cloud at the same time; the more sources for backups, the better.
- Automated Log Analysis & Alerts: Many of the affected companies could have identified that they were infected if they had monitored baseline behaviors, not just of employees but of software as well. NotPetya was delivered behind the official update from MeDoc. Had companies been alerted before their files were encrypted, they could have saved some data. Automating log analysis can help identify malicious activity happening on your network.
- Antivirus & Firewall: NotPetya is also easily blocked by strong antivirus software; even Windows Defender is able to block it. Microsoft has recommended adding a firewall rule to block incoming SMB traffic on port 445. The bottom line is, keep your antivirus definitions up to date as well.
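To make the "baseline behaviors" recommendation concrete, and to tie it back to the lateral movement described under Whole Network Spread, here is an added example of the kind of log analysis a company could automate. It is not code from the original article, from MeDoc or from any vendor product. It runs two checks over constructed log records: a trusted updater process (named `updater.exe` here as a stand-in, not a real MeDoc binary) spawning a child it has never spawned before, and a single workstation opening SMB connections (port 445) to many distinct hosts in a short window, which is what network-wide spread looks like from the logs. All host names, process names, timestamps and thresholds are made up for the example.

```python
"""Baseline-deviation and SMB fan-out detection over constructed log records.

Added example, not from the original article or any vendor tool. Record
formats, host names, process names and thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, parent_image, child_image).
# A real deployment would read these from Sysmon / Security event logs.
PROCESS_EVENTS = [
    ("2017-06-27T10:00:01", "ws01", "updater.exe", "msiexec.exe"),
    ("2017-06-27T10:00:05", "ws02", "updater.exe", "msiexec.exe"),
    # The updater launching something it never launches during normal
    # updates is the deviation we want to alert on. Child name constructed.
    ("2017-06-27T10:30:12", "ws01", "updater.exe", "rundll32.exe"),
    ("2017-06-27T10:30:13", "ws01", "rundll32.exe", "cmd.exe"),
]

# Baseline: the children each monitored parent has been seen to spawn during
# normal operation, learned from a quiet period. Constructed for the example.
UPDATER_BASELINE = {"updater.exe": {"msiexec.exe"}}

# Constructed network-flow events: (timestamp, src_host, dst_host, dst_port).
FLOW_EVENTS = [
    ("2017-06-27T10:05:00", "ws01", "fs01", 445),   # normal file-server access
    ("2017-06-27T10:06:00", "ws02", "fs01", 445),
    ("2017-06-27T10:07:00", "ws01", "fs01", 445),
    ("2017-06-27T10:30:20", "ws01", "ws02", 445),   # workstation-to-workstation
    ("2017-06-27T10:30:21", "ws01", "ws03", 445),   # SMB to many peers in
    ("2017-06-27T10:30:22", "ws01", "ws04", 445),   # a few seconds is the
    ("2017-06-27T10:30:23", "ws01", "ws05", 445),   # fan-out pattern
    ("2017-06-27T10:30:24", "ws01", "ws06", 445),
    ("2017-06-27T10:31:00", "ws02", "ws01", 3389),  # not SMB, ignored
]

FANOUT_WINDOW = timedelta(seconds=60)   # constructed tuning values
FANOUT_THRESHOLD = 5                    # distinct SMB peers within the window


def detect_unexpected_children(events, baseline):
    """Return events where a monitored parent spawned a child outside its baseline.

    Parents that are not in the baseline at all are not judged here; the
    baseline only covers software whose normal behaviour has been profiled.
    """
    alerts = []
    for ts, host, parent, child in events:
        allowed = baseline.get(parent)
        if allowed is not None and child not in allowed:
            alerts.append((ts, host, parent, child))
    return alerts


def detect_smb_fanout(flows, window, threshold):
    """Flag each source host that reaches >= threshold distinct hosts on 445 within window.

    Uses a sliding window anchored at each connection in time order, so a
    slow trickle to one file server does not trigger but a burst to many
    peers does. Returns (src_host, distinct_peers, window_start) per host.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {dst for t, dst in conns[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts.append((src, len(peers), t0.isoformat()))
                break  # one alert per source host is enough
    return alerts


def run_detections():
    """Run both checks over the constructed records and return the alerts."""
    return {
        "unexpected_children": detect_unexpected_children(PROCESS_EVENTS, UPDATER_BASELINE),
        "smb_fanout": detect_smb_fanout(FLOW_EVENTS, FANOUT_WINDOW, FANOUT_THRESHOLD),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        for alert in alerts:
            print(f"ALERT {name}: {alert}")
```

On the constructed records this raises exactly two alerts: the updater on ws01 spawning `rundll32.exe`, and ws01 contacting five distinct peers on port 445 within four seconds. Both fire before any encryption has happened, which is the point of the recommendation: an updater stepping outside its profiled behaviour, or a workstation behaving like a file server, is visible in logs that most companies already collect.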
NotPetya has been one of the most devastating cyber attacks in recent memory. While it is contained for now, companies and governments everywhere need to be vigilant in their efforts to stay safe. Cyber criminals are gaining and developing more advanced tools by the day, and the most dangerous are the ones who have no profit motive, only sabotage.