UPDATE: 'NotPetya' ransomware at heart of new global campaign

News by Max Metzger

An as-yet-unidentified ransomware strain has infected systems all over the world, with particular enthusiasm for Ukrainian targets.

The global ransomware campaign that is now being billed as ‘NotPetya' has ripped its way through government bodies, critical infrastructure and large businesses.

Ukraine was most heavily hit. Businesses and government bodies across the country were seized by the ransomware. The Kyiv Metro system, “several chains” of Ukrainian petrol stations, Kyiv's Boryspil airport and the country's deputy prime minister all appear to have been hit. The Ukrainian government kept its sense of humour about the situation.

It then went on to hit targets in Poland, France, Germany, Spain, the UK, the Netherlands, India, Israel, Australia and the US. Corporate victims include the Russian oil company Rosneft and the shipping operator Maersk, which confirmed on Twitter that its IT systems were down across “multiple sites.”

The world's largest advertising firm, WPP, also confirmed it fell victim to the attack and employees were instructed to unplug their computers. One of its most recent victims was a Tasmanian chocolate factory.

The patient zero machines appear to have been in Ukraine, infected through more than one vector. The first to be reported was the tax accounting package M.E.Doc, one of only two government-approved, and therefore legal, accounting programs in the country. The ransomware was delivered as a malicious update to that software; once users installed it, the infection spread onward from their machines.

Kaspersky Lab told SC that another infection source involved the hacking of the website for the Bakhmut region of Ukraine, which was then used for a watering-hole attack, helping to distribute the malware. A spokesperson added, “to our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update.”

From there it spread around the world over interconnected corporate networks. Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC, “we strongly advise all companies that have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.”

Comparisons to the WannaCry attack came thick and fast, not least because of the scope, scale and speed of the attack and its combination of ransomware with the NSA exploit EternalBlue. But this attack bears different markings from last month's onslaught. Dave Palmer, director of technology at Darktrace, told SC that “unlike the recent WannaCry attack, this one appears to be targeted – it doesn't spread over the internet from infected victims to the majority of internet users.”

Instead, added Palmer, “it is being snuck into businesses and then rapidly spreads within, to do damage to the business and its supply chain.”

David Montenegro, an IT researcher also known as @cyberinsane posted a picture of a locked computer on Twitter.

A variety of targets were hit in the UK. A spokesperson for the National Cyber Security Centre issued a statement saying, simply, “We are aware of a global ransomware incident and are monitoring the situation closely.”

NHS Digital said on Twitter that “There are no known significant cyber-security threats affecting health.” Last month the global WannaCry campaign took out 48 NHS trusts, leaving hospitals all over the UK paralysed.

Much like WannaCry, the ransom appears to be quite cheap, charging a relatively meagre US$300 (£234) for decryption. The bitcoin wallet it is directing victims to has already received 45 transactions.

Javvad Malik, security advocate at AlienVault, told SC Media UK that it was “spreading via EternalBlue, the NSA vulnerability that was leaked by Shadowbrokers and spreads via the SMB1 protocol.” EternalBlue was the same exploit that allowed WannaCry to spread to hundreds of thousands of endpoints in over 150 countries in a matter of hours.
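Botezatu's advice above to watch the links between branches, and Malik's point that the worm spreads over SMB, together suggest a simple network-side check: a single host that starts opening TCP/445 connections to many distinct peers within a minute is behaving like a worm, not like a user opening a file share. The detector below is the editor's added example, not code from SC Media, Bitdefender or AlienVault. The key=value log format, the addresses, the timestamps, and the 60-second window and 10-peer threshold are all constructed or assumed for the demonstration; tune the thresholds to your own baseline.

```python
"""
Flag internal hosts that open SMB (TCP/445) connections to many distinct peers
within a short window, the traffic pattern a worm produces as it spreads
inside a network.  Editor's example, not code from SC Media or any vendor
quoted in the article.  The log format, addresses and timestamps are
constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed key=value firewall/flow log format (constructed, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=\S+ action=\S+$"
)

SMB_PORT = 445


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_smb_fanout(lines, window=timedelta(seconds=60), threshold=10,
                    allowlist=frozenset()):
    """Sliding-window fan-out detector.

    Returns {src: {"triggered_at": ts, "peers": n}} for every source that
    reached `threshold` or more distinct destinations on 445 inside any
    `window`-long span.  Lines must be in time order.  Sources in
    `allowlist` (e.g. an authorised vulnerability scanner) are ignored.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # malformed line: skip it, do not crash
        ts, src, dst, dport = rec
        if dport != SMB_PORT or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        peers = len({d for _, d in q})
        if peers >= threshold:
            hit = alerts.setdefault(src, {"triggered_at": ts, "peers": peers})
            hit["peers"] = max(hit["peers"], peers)
    return alerts


def _line(ts, src, dst, dport=SMB_PORT):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport} proto=tcp action=allow"


def constructed_sample():
    """Constructed log: one worm-like host, one slow admin host, one scanner."""
    t0 = datetime(2017, 6, 27, 10, 41, 0)
    lines = []
    # Worm-like: 12 distinct peers on 445 within 22 seconds.
    for i in range(12):
        lines.append(_line(t0 + timedelta(seconds=2 * i), "10.1.20.15", f"10.1.20.{30 + i}"))
    # Ordinary admin work: 12 peers, but one per minute, never 10 inside 60 s.
    for i in range(12):
        lines.append(_line(t0 + timedelta(minutes=i), "10.1.20.40", f"10.1.40.{10 + i}"))
    # Authorised vulnerability scanner sweeping 445; should be allowlisted.
    for i in range(20):
        lines.append(_line(t0 + timedelta(seconds=i), "10.1.0.5", f"10.1.50.{1 + i}"))
    # Non-SMB traffic and a malformed line, both ignored by the detector.
    lines.append(_line(t0, "10.1.20.15", "10.1.60.1", dport=443))
    lines.append("this line is not in the expected format")
    return sorted(lines, key=lambda s: s[:20])   # put lines in time order


if __name__ == "__main__":
    for src, hit in find_smb_fanout(constructed_sample(), allowlist={"10.1.0.5"}).items():
        print(f"{src}: {hit['peers']} SMB peers, first triggered {hit['triggered_at']:%H:%M:%S}")
```

Run against the constructed sample, only 10.1.20.15 fires: the admin host never has ten peers inside one window, and the scanner is allowlisted. Without the allowlist the scanner fires too, which is the point of keeping one; the same logic applied to VPN or inter-branch flow logs is the cheapest way to act on the advice quoted above. A detector like this only sees spread over SMB, so treat a clean result as the absence of that one pattern, not as proof that a network is clean.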

Though Microsoft patched the SMB vulnerability that EternalBlue exploits (MS17-010) back in March, it appears that many organisations have still not applied the fix, as the WannaCry recurrences in Honda factories last week showed.

That the same vulnerability keeps being exploited, after not only a patch release but an event on the scale of WannaCry, has not gone down well with the infosecurity community. Gavin Millard, technical director at Tenable Network Security, told SC that, “The publicity around WannaCry couldn't have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”

F-Secure's chief research officer, Mikko Hypponen, has taken to Twitter to admonish those who have not yet patched and have left themselves open to this kind of attack.

Exactly what kind of ransomware was at fault has been a central question over the last 12 hours. While Petya, or a variant of it, was initially blamed, researchers changed their tune soon after. Kaspersky Lab quickly established that it was not Petya “but a new ransomware that has not been seen before,” and dubbed it NotPetya or ExPetr.

Bitdefender maintains, as the company first reported, that the ransomware used is GoldenEye, an improved version of Petya. GoldenEye, Bitdefender reasons, shares chunks of code with Petya and combines components from Petya, WannaCry and other versions of GoldenEye, making it a new threat.

The main similarity this strain shares with Petya is its signature move. Petya was noted for overwriting the disk's Master Boot Record with its own boot code, which then encrypts the Master File Table so that the machine can no longer boot into Windows; NotPetya does the same.

Fabian Wosar, an Emsisoft security researcher, wrote that whoever created NotPetya most likely “ripped the boot loader code straight out of Petya and uses it for their own purposes now. But they implemented their own ransomware, their own worm, their own dropper, and pretty much everything else on top of it.”
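Because the damage described above begins with the first sector of the disk being replaced, the first sector is also something a defender can baseline and re-check. The snippet below parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region and compares it with a baseline captured from a known-good host, so a swapped bootloader shows up as a changed hash while the partition table stays identical. This is the editor's added example, not code from Emsisoft or any other vendor quoted here; the two disk images are constructed, and their boot-code bytes are placeholders rather than a real bootloader.

```python
"""
Parse a 512-byte Master Boot Record and compare it with a baseline taken
from a known-good host, so that a replaced bootloader (the MBR tampering
described above) can be spotted before it is ever booted.  Editor's example,
not code from any vendor quoted in the article; the disk images are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: x86 bootstrap code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code and the populated partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def is_valid_mbr(mbr):
    """True if the sector has the right size and boot signature."""
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def compare_mbr(current, baseline):
    """List what differs between `current` (raw bytes) and a parsed `baseline`."""
    now = parse_mbr(current)
    findings = []
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code replaced")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble an MBR from boot code bytes and (bootable, type, lba_start, sectors)
    tuples.  Used here only to construct the sample images."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition table too large")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for slot, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed images.  The boot code bytes are placeholders, not a real bootloader.
PARTITIONS = [(True, 0x07, 2048, 1_024_000),           # NTFS system partition
              (False, 0x07, 1_026_048, 200_000_000)]   # NTFS data partition
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 56, PARTITIONS)
# Same partition table, different boot code: how a swapped bootloader looks on disk.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 300, PARTITIONS)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)        # capture this while the host is known good
    print("clean:", compare_mbr(CLEAN_MBR, baseline) or "no change")
    print("tampered:", compare_mbr(TAMPERED_MBR, baseline))
```

To use it on a real machine, read the first sector with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on Linux, or open `\\.\PhysicalDrive0` as administrator on Windows, and store `parse_mbr()` of that sector as the baseline at build time. Two caveats: a bootkit that is already running can lie about what a read returns, so the check is most trustworthy when run from boot media during forensics; and a changed hash after a legitimate OS or boot-manager update is expected, so re-baseline as part of the change.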

Some think that the trappings of Petya act as a disguise, pointing out that as a piece of money-making malware it performs badly. To think of this even as ransomware, wrote the security researcher the Grugq, is a red herring: “This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware'.”

