Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

This isn't ransomware – it's merry chaos


Analysis It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.

The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms. Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, trashing the infected machines' filesystems.

Although it demands about $300 in Bitcoin to unscramble the hostage data, the mechanisms put in place to collect this money from victims in exchange for decryption keys quickly disintegrated. Despite the slick programming behind the fast-spreading malware, little effort or thought was put into pocketing the loot, it appears.

"The superficial resemblance to Petya is only skin deep," noted computer security veteran The Grugq. "Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [latest malware] is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”

To put it plainly, this code was built to destroy, not extort.

Here's a summary of the NotPetya outbreak:

  • The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Mimikatz to extract network administrator credentials out of the machine's running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them. It can either scan subnets for devices or, if it's running on a domain controller, use the DHCP service to identify known hosts.
  • It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities were patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.
  • Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
  • One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
  • With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only the malware starts up when the machine reboots, rather than Windows, allowing it to display the ransom note and demand an unlock key; it can also encrypt the NTFS filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people's data.
  • Needless to say, don't pay the ransom – there's no way to get the necessary keys to restore your documents. It appears the malware doesn't provide enough information to the extortionists for them to generate a correct unlock key, so it would be impossible to obtain a working decryption key from the crims. And the means to contact the miscreants after paying the money is now shut off, so you're out of luck regardless.
  • Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls.
  • The precise affected versions of Windows aren't yet known, but we're told Windows 10's Credentials Guard thwarts NotPetya's password extraction from memory.
  • Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.

In the beginning

So far, the vast majority of infections have occurred in Ukraine and Russia, but some big names in the West have also suffered. International advertising conglomerate WPP was taken offline (even its website was down), global law firm DLA Piper was infected, pharmaceutical goliath Merck was busted up, and, most worryingly, shipping goliath Maersk is warning of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were borked for hours by the malware.

In Ukraine itself, which appears to be ground zero for the attack, the situation was critical. Large numbers of businesses were caught by the software nasty – the contagion has broken the automatic radiation monitoring systems in Chernobyl, meaning some unlucky scientists are going to have to take readings manually for the time being. Energy companies were hit as well as government agencies.

According to Ukraine's cyber-cops, as well as phishing emails booby-trapped with malware-laden attachments, financial software firm MeDoc was used to infect computers in the ex-Soviet nation. We're told miscreants managed to compromise a software update for the biz's products, which are widely used in the country, so that when it was downloadable and installed by victims it contaminated their network with NotPetya. If this software was running with domain admin access, it would be immediately game over.

MeDoc issued an early statement confessing "our server made a virus attack," but has since U-turned on Facebook, denying that it is responsible.

The tax software maker admitted it was hacked but said its last software update was sent out on June 22, just before Tuesday's attack. However, police said that on June 27 the update servers – upd.me-doc.com.ua – pushed out a 333KB download to customers that unpacked a RUNDLL32.EXE containing the NotPeyta nasty. Oops.

The executable, by the way, lightly XOR encrypts itself and uses faked Microsoft digital signatures in an attempt to fool antivirus scanners. When the nasty started spreading, just two AV engines on the VirusTotal roster detected it as dangerous.

What's in a name?

While it was first assumed that the malware was a new strain of the Petya ransomware family that surfaced last year, that is now in doubt due to some key differences in code. The changes are so striking that Kaspersky Lab has gone as far as to dub the code "NotPetya."

One thing is certain – if you are infected with the malware and it has taken a mixing spoon to your bytes, you're screwed. There doesn't appear to be a way to restore PCs with scrambled filesystems, and no way to pay the ransom, because the Posteo webmail address given to pay the $300 ransom has been shut down.

"Since midday it is no longer possible for the blackmailers to access the email account or send emails," Posteo said. "Sending emails to the account is no longer possible either."

Similar topics


Other stories you might like

  • What's the big deal with service meshes? Think of them as SDN at Layer 7

    A technical yet demystifying dive into networking tech you now can't avoid

    Systems Approach I remember when I first heard about Service Meshes in 2017, and wondering what the big deal was. Building cloud applications as a graph of microservices was commonplace, and telcos were hard at work inventing yet other ways to chain together virtualized network functions. Service graphs, service chains, service meshes… how many ways do we really need to talk about composing complex systems from a collection of smaller components?

    It wasn’t until I recognized a familiar pattern that I got it: a Service Mesh is just SDN at Layer 7. That’s probably what happens when SDN is the hammer you keep hitting nails with, but I’ve come to believe there is value in that perspective.

    The figure below highlights the similarities between the two scenarios, both of which include a centralized controller that issues directives to a distributed set of connectors (physical/virtual switches in one case, and a sidecar container in the other case) — based on a combination of policy intents from above and monitoring data reported from below. The primary difference is that the SDN controller on the left is controlling L2/3 connectivity and the Service Mesh on the right is controlling L7 connectivity.

    Continue reading
  • Mars race: China dreams of nuclear rockets, manned bases, and space elevators

    We're looking forward to the late 21st-century colony wars

    Over the next quarter century, China wants to set up a permanent base on Mars for "large scale development of the Red Planet," and install a sci-fi carbon-nanotube elevator to shuttle goods between the surface and spacecraft in orbit.

    That’s according to the China Academy of Launch Vehicle Technology (CALT), the country’s largest rocket maker, which described a road-map outlining the Middle Kingdom's ambition to explore the unforgiving dust world. Missions to Mars are planned for 2033, 2035, 2037, 2041, and 2043 quite possibly using nuclear-propelled spacecraft.

    In a speech, CALT’s President Wang Xiaojun said his state-owned organization first intends to send robots to Mars to collect samples of material to study back on Earth. These machines will also scout out good locations to develop a human settlement.

    Continue reading
  • Bridging the observability gap

    Trace the journey through all those microservices in the background

    Sponsored In modern IT, visibility is everything. IT admins and Site Reliability Engineers (SRE) survive on their ability to see what's happening in their systems. Unfortunately, as systems get more sophisticated, it has become harder to see what they're doing. That's why the industry is promoting observability as the evolution of existing concepts like monitoring and metrics. Vendors are stepping up with tools to address a growing visibility gap.

    Continue reading
  • Google: About that whole getting rid of third-party cookies thing – we're gonna need another year or so

    Plan to reinvent advertising turns out to be more difficult than expected

    Google, which makes the only major browser not blocking third-party cookies by default, has revised its commitment to phase out third-party cookies by 2022.

    The super-corp's biscotticide is now scheduled to begin in mid-2023 and run through late 2023.

    Third-party cookies refer to tracking files deposited in one's browser when visiting a website that includes code interacting with third-party domains. The firms associated with these domains, typically marketing and analytics businesses, check for the presence of their cookies across different websites and use this information to build marketing profiles and to target ads based on behavior.

    Continue reading
  • These six proposed bipartisan antitrust laws put Big Tech in the cross-hairs – and a House committee just OK'd them

    Well, it's a start

    The US House Judiciary Committee this week approved half a dozen major bipartisan antitrust bills aimed at clamping down on the growing power of Big Tech and its monopolization of some markets.

    The panel, led by Jerry Nadler (D-NY), debated for nearly 30 hours on Wednesday and Thursday to advance the wide-sweeping six-bill package. The proposed laws includes all sorts of measures to prevent companies like Google, Apple, Amazon, Microsoft, Facebook, and others from dominating their sectors of the technology industry.

    There was likely plenty of lobbying and other wrangling going on in the back and foreground over the exact wording of the package. For instance, there was a concern by some lawmakers that Microsoft would end up avoiding certain provisions in the proposed acts that would otherwise hit Google and Apple. Tweaks were made – such as removing "mobile" from "mobile operating system" in the fine-print – to ensure no one was wriggling out.

    Continue reading
  • You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities

    No one wants to be pwned by a drive-by RCE

    A Berlin startup has disclosed a remote-code-execution (RCE) vulnerability and a wormable cross-site-scripting (XSS) flaw in Pling, which is used by various Linux desktop theme marketplaces.

    Positive Security, which found the holes and is not to be confused with Russia’s Positive Technologies, said the bugs are still present in the Pling code and its maintainers have not responded to vulnerability reports.

    Pling presents itself as a marketplace for creative folk to upload Linux desktop themes and graphics, among other things, in the hope of making a few quid from supporters. It comes in two parts: code needed to run your own bling bazaar, and an Electron-based app users can install to manage their themes from a Pling souk. The web code has the XSS in it, and the client has the XSS and an RCE. Pling powers a bunch of sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

    Continue reading
  • Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines

    Throws a bone to complex enterprise deployment, too

    The FIDO Alliance, which operates with no smaller mission than to "reduce the world's over-reliance on passwords", has announced the release of new user experience (UX) guidelines aimed at bringing the more technophobic on board.

    Launched back in 2013 as the Fast Identity Online Alliance, the FIDO Alliance aims to do away with passwords altogether through the introduction of standards-compliant "authenticators" including USB security dongles, fingerprint readers, Trusted Platform Modules (TPMs) and more.

    While the organisation's standards, which were updated with the launch of FIDO2 in 2018, have enjoyed adoption in the majority of web browsers and with a range of companies, they're still seen as unusual and even inconvenient compared to the good ol' username and password combo – which is where the new UX guidelines come in.

    Continue reading
  • UK's Vodafone network runs trials on standalone 5G in London, Manchester and Cardiff

    These are networks that are not dragged down by LTE core

    Vodafone has launched 5G SA (Standalone) trials in London, Manchester, and Cardiff in its largest test of the technology yet.

    The commercial launch has allowed the carrier to experiment with new ways to commercialise its network, including network slicing – where a portion of network is dedicated to a specific customer for their exclusive use. It will also allow customers to test 5G SA devices on a live, public network.

    Vodafone selected Ericsson's dual-mode 5G core network as the dedicated provider for this trial. It follows trials at Coventry University in 2020, and a separate trial in Spain.

    Continue reading
  • What you need to know about Microsoft Windows 11: It will run Android apps

    The operating system they said shouldn't exist

    Microsoft on Thursday announced Windows 11, or tried to as an uncooperative video stream left many viewers of the virtual event flummoxed by intermittent transmission gaps in the opening minutes.

    The technical issues proved bad enough that Matt Velloso, Technical Advisor to the CEO at Microsoft, suggested trying the YouTube video stream as an alternative to the Microsoft-hosted one.

    But with some of the features already known as a result of a leaked build last week, the impact of the intermittent video dropouts was less than it might have been.

    Continue reading
  • Russia spoofed AIS data to fake British warship's course days before Crimea guns showdown

    Great powers clash while the rest of us sigh and tut at data feed meddling

    Russia was back up to its age-old spoofing of GPS tracks earlier this week before a showdown between British destroyer HMS Defender and coastguard ships near occupied Crimea in the Black Sea.

    Yesterday Defender briefly sailed through Ukrainian waters, triggering the Russian Navy and coastguard into sending patrol boats and anti-shipping aircraft to buzz the British warship in a fruitless effort to divert her away from occupied Crimea's waters.

    Russia invaded Ukraine in 2014 and has occupied parts of the region, mostly in the Crimean peninsula, ever since. The UK and other NATO allies do not recognise Ukraine as enemy-held territory so Defender was sailing through an ally's waters – and doing so through a published traffic separation scheme (similar to the TSS in the English Channel), as Defence Secretary Ben Wallace confirmed this afternoon.*

    Continue reading
  • Lego bricks, upcycled iPhone lenses used in new low-cost, high-res microscope

    Full instructions given away for free, to 'nurture natural curiosity'

    A trio of boffins at the Georg August University Göttingen and Münster University have put together a low-cost yet high-resolution microscope for educational users – using smartphone parts and Lego bricks.

    "An understanding of science is crucial for decision-making and brings many benefits in everyday life, such as problem-solving and creativity," said Timo Betz, professor at the University of Göttingen and co-author of the paper detailing the project. “Yet we find that many people, even politicians, feel excluded or do not have the opportunities to engage in scientific or critical thinking.

    "We wanted to find a way to nurture natural curiosity, help people grasp fundamental principles and see the potential of science."

    Continue reading

Biting the hand that feeds IT © 1998–2021