Breaking down the ransomware code
Since the first infection, security teams have been tearing into the code to find out how it works. Here's what we know so far.
Between 10 and 60 minutes after infection, the cyber-horror fires up and forces the PC to reboot using the shutdown.exe tool. Upon restarting, it flashes up a screen that looks like CHKDSK is running. However, instead of checking the hard drive for faults, the malware is busy encrypting files.
If you haven't been infected yet and see this CHKDSK screen, you might save a lot of files from being encrypted by yanking out the power cord and/or battery at that moment. You can then boot from live CD or a USB stick and recover your files.
If successful, the ransomware encrypts the master file table in NTFS partitions and overwrites the master boot record with a customized loader. On boot-up, this displays the ransom note asking for $300 in Bitcoin and requests the victim send the Bitcoin details to the aforementioned now-defunct email address.
The software also encrypts individual files on the PC using 128-bit AES, and then encrypts the AES key with a public 2048-bit RSA key. The encrypted key is saved into a README file. The plan, we suppose, is that when you cough up the ransom, the malware's masterminds use their private RSA key to restore the AES key, which is then used to unscramble the victim's documents.
The malware performs a scan of the network for vulnerable SMB file-sharing services so that it can spread via EternalBlue and EternalRomance. It also scans the computer's RAM to harvest login credentials – preferably any admin or domain admin creds present – so that these too can be used to spread the malware via the remote command-line tools PsExec and WMIC. This latter pair appears to be the primary method of propagation.
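The propagation chain described above (a sweep of the network for SMB services, remote execution through WMIC and PsExec, then a forced reboot via shutdown.exe) is something a defender can look for in endpoint telemetry. The script below is an added example, not code from the article or from any vendor mentioned in it; it runs a few simple rules over a constructed, pipe-delimited sample of process-creation and network-connection events (the log format, hostnames, addresses and the "SMB sweep" threshold are all assumptions) and then correlates hosts that show both a spread indicator and the reboot, since shutdown.exe on its own is routine administrative noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only; these are not records
# from any real incident. Columns: time|host|kind|detail, where kind=process
# carries a command line and kind=net carries "dst_ip:dst_port".
SAMPLE_LOG = r"""time|host|kind|detail
2017-06-27T10:00:01|WS-0142|process|C:\Windows\System32\svchost.exe -k netsvcs
2017-06-27T10:00:05|WS-0142|net|10.0.8.11:445
2017-06-27T10:00:06|WS-0142|net|10.0.8.12:445
2017-06-27T10:00:06|WS-0142|net|10.0.8.13:445
2017-06-27T10:00:07|WS-0142|net|10.0.8.14:445
2017-06-27T10:00:07|WS-0142|net|10.0.8.15:445
2017-06-27T10:00:08|WS-0142|net|10.0.8.16:445
2017-06-27T10:00:30|WS-0142|process|wmic.exe /node:10.0.8.20 /user:CORP\admin process call create cmd.exe /c PLACEHOLDER
2017-06-27T10:00:45|WS-0142|process|psexec.exe \\10.0.8.21 -s cmd.exe /c PLACEHOLDER
2017-06-27T10:01:10|WS-0142|process|shutdown.exe /r /f /t 3600
2017-06-27T10:03:00|WS-0207|process|shutdown.exe /r /t 0
2017-06-27T10:05:00|WS-0311|net|10.0.8.50:445
2017-06-27T10:05:01|WS-0311|net|10.0.8.51:445
"""

REBOOT_RULE = "forced reboot via shutdown.exe"

# Process-creation rules: (rule name, regex over the command line).
RULES = [
    (REBOOT_RULE, re.compile(r"\bshutdown(\.exe)?\b.*(/r|-r)\b", re.I)),
    ("remote execution via WMIC",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("remote execution via PsExec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
]


def parse(log_text):
    """Turn the pipe-delimited text into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in log_text.strip().splitlines()[1:]:  # skip the header row
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def process_alerts(events):
    """Match every process-creation event against the command-line rules."""
    alerts = []
    for ts, host, kind, detail in events:
        if kind != "process":
            continue
        for name, pattern in RULES:
            if pattern.search(detail):
                alerts.append({"time": ts, "host": host, "rule": name, "evidence": detail})
    return alerts


def smb_sweep_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a host that contacts `threshold` distinct peers on TCP/445 inside `window`.

    SMB runs over TCP port 445; a burst of connections to many different
    peers is the scanning behaviour the article attributes to the malware.
    """
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "net" and detail.endswith(":445"):
            by_host[host].append((ts, detail.rsplit(":", 1)[0]))
    alerts = []
    for host, conns in by_host.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            peers = {ip for ts, ip in conns[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts.append({"time": start, "host": host, "rule": "SMB sweep",
                               "evidence": f"{len(peers)} distinct peers on 445 within {window}"})
                break  # one alert per host is enough
    return alerts


def analyze(log_text, threshold=5, window=timedelta(minutes=2)):
    """Run all rules and return the alerts in time order."""
    events = parse(log_text)
    alerts = process_alerts(events) + smb_sweep_alerts(events, threshold, window)
    alerts.sort(key=lambda a: (a["time"], a["host"]))
    return alerts


def hosts_with_spread_and_reboot(alerts):
    """Hosts showing both a spread indicator and the forced reboot.

    A lone shutdown.exe /r is usually an administrator; the same host
    sweeping SMB or pushing commands remotely minutes earlier is not.
    """
    spread = {a["host"] for a in alerts if a["rule"] != REBOOT_RULE}
    reboot = {a["host"] for a in alerts if a["rule"] == REBOOT_RULE}
    return sorted(spread & reboot)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['time'].isoformat()} {a['host']:8} {a['rule']:32} {a['evidence']}")
    print("correlated hosts:", hosts_with_spread_and_reboot(found))
```

On the sample, WS-0142 trips all four rules and is the only host returned by the correlation step; WS-0207 produces a reboot alert that stays uncorrelated, and WS-0311 touches only two peers on 445, which is below the (assumed) sweep threshold. In practice the same logic would be fed from Sysmon or EDR process and network events rather than a string, and the threshold tuned against what normal administrative traffic looks like on that network.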
Ryan Kazanciyan, chief security architect at endpoint lockdown specialists Tanium, told The Register the modified EternalBlue exploit was most likely included as a backup method of propagation.
"This method of lateral movement [through a network] is the same that hackers have been using for over five years," he said. "If an IT administrator takes basic security hygiene, there are steps that would have closed a lot of avenues to the malware, but this isn't always done."
There are reports that the malware also exploits a flaw in Microsoft Office – CVE-2017-0199, patched in April – to execute malicious code smuggled in a document. Evidence for this is, however, not cast-iron.
This new nasty doesn't try to escape the network using an external scanning tool – concentrating instead on pwning just the network it's currently on. That raises some interesting questions, notably: how is it spreading so far and so fast?
What was the point?
With a virus outbreak of this type, the initial suspicion for the infection point falls on users clicking an infected attachment in an email. It's traditional, it works well, and it's easy to scale.
But NotPetya doesn't appear to use this method of propagation – or at least no one has found a copy of a smoking-gun email containing the attack code, although Ukrainian police say some phishing emails were sent. Instead the finger of blame is now pointing at MeDoc as the source of the infection.
While MeDoc is denying it was taken for a joyride by hackers, there are some important clues that might implicate the financial software house:
- The vast majority of infections are in the Ukraine and Eastern Europe, where MeDoc is popular.
Interestingly, Maersk recently advertised for staff familiar with MeDoc, suggesting the shipping giant also uses the software. DLA Piper and WPP didn't respond to inquiries as to whether they too use MeDoc code. A chocolate factory in Australia was also infiltrated. It is possible someone within their flat network – perhaps over in Europe – installed a copy of MeDoc, became infected, and spread the nasty across the world thanks to transatlantic VPNs and other links.
- There's the post-alert infection rate – very few infections have been spotted outside Eastern Europe and the number of reported infections isn't rising as quickly as expected. Part of this is down to the security industry getting in on the action, but it does suggest that email isn't the infection point and MeDoc is.
If hackers get into the firm's computers, it's trivially easy to use existing automatic update systems to push out malware to unsuspecting victims – in May Microsoft warned about just this point after catching miscreants at it.
As more details about the malware come in, the whole affair is looking very fishy and atypical. There is a confluence of little pieces of evidence that suggest this is not a run-of-the-mill criminal malware attack, but might serve a darker purpose.