Petya Variant Cripples European Businesses
By Timothy Crosby
When WannaCry hit businesses throughout Europe - particularly the UK's National Health Service (NHS), Spain's Telefónica, Germany's Deutsche Bahn and FedEx - it caught everyone off guard. Headlines citing numbers like "230,000 computers in over 150 countries" were common. Within four days kill switches had been found, Microsoft had issued a patch for Windows XP (which it had stopped supporting three years earlier), and about $130,000 USD in Bitcoin had been collected, the figure varying depending on who you listened to. What followed was a collective sigh of relief as industry professionals comforted themselves with the idea that it could have been so much worse.
Then, just over a month later, on June 27, 2017, the ransomware attack dubbed NotPetya by Kaspersky Lab hit the Ukraine. The initial attack came through a hijacked accounting software update server (M.E. Doc) that infected companies throughout that country and spread like wildfire, even affecting the National Bank of the Ukraine. NotPetya was eventually confirmed in over 80 countries, the hardest hit being the Ukraine, Germany, and Russia.
The businesses impacted across Europe include Mondelez International, the Spanish company that makes Oreo and Chips Ahoy cookies, and the TNT division of FedEx, which acknowledged that some of its systems would never fully recover. Mondelez International announced that it expects revenues to be down 2-3% for the year as a direct result of the WannaCry and NotPetya attacks.
These two companies, however, appear to have been only collateral damage and not the intended targets of the attack. Most experts believe the attack targeted the Ukrainian power infrastructure and was politically motivated. Many also believe that the attack was carried out by a state-sponsored group of either Russians or Ukrainian dissidents with Russian ties.
NotPetya, like WannaCry, was based on EternalBlue from the leaked CIA tools. So why did it spread so much faster and so much farther? The answer lies in the way it was constructed. First of all, NotPetya, while still technically classified as ransomware, is built only to look like ransomware. Most ransomware uses a public/private key pair to encrypt, and later decrypt, the ransomed data, which requires a connection to an external key server. NotPetya generates a completely random key to encrypt the data, regardless of what the popup warning states. Even if the victims paid the ransom, it was unlikely that they would retrieve their data. Needless to say, it's not your typical ransomware copycat.
Secondly, NotPetya could also infect patched systems. Many thought they only had to worry about unpatched systems, so they quarantined those after WannaCry. But NotPetya used a variant of Mimikatz to dump credentials and move laterally (like a hacker) to every system where any of those credentials worked. It then automatically built target lists from what the DHCP server knew about. The result was that NotPetya devoured businesses throughout Europe as collateral damage because they happened to be connected to another business that had one or two vulnerable systems. A vulnerability of this sort is as simple as an employee with a vulnerable work laptop connecting to the WiFi at their favorite Starbucks while someone with an infected system is connected. When that laptop returns to work it is, effectively, a Trojan horse ready to infiltrate the network, and all with no human intervention required: no need to allow installation, request permissions or grant access.
The elephant in the room, and the larger overarching problem, is that most companies do not believe they are a target. They go through a complex risk analysis, performing a myriad of calculations to conclude that their expected losses from a malware breach are far less than the funding required to create and implement a patch management system or replace systems running Windows XP. The problem is that most of these risk calculations do not account for the target value of their ever-trusting customers, business partners or vendors, or the value of these systems themselves as a tool to attack other systems. M.E. Doc probably did not think a state-sponsored organization would target them: a small software company with very few credit cards, a relatively small staff, and low intellectual property value. A costly oversight, as they missed their value as an attack platform for systems connected to the Ukrainian power grid.
Our advice to anyone that was infected with NotPetya, beyond what we read in every other "How to Recover" article written: CHANGE your passwords. Mimikatz dumps passwords in clear text. If there was a backdoor or beacon out there at any point in the attack, the Mimikatz results would be the first thing exfiltrated. Have any of the servers and workstations infected by NotPetya on your network been accessed by a Domain Admin or the Helpdesk in the previous 48 hours?
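One way to answer that last question at scale, as an added example that is not part of the original article: take an export of successful logon events (Windows Security log Event ID 4624) from the infected hosts, keep only the logons by privileged accounts in the 48 hours before infection, and turn them into a reset list. The host names, account names, timestamps and CSV column layout below are constructed for this example; the privileged-account set and infected-host set would come from AD group membership and your incident triage. The ordering of the reset list relies on standard Windows behaviour: interactive, RDP, service and batch logons leave reusable credential material in LSASS memory on the target (where Mimikatz reads it), while plain network logons (type 3) normally do not, so the former are treated as the urgent resets.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: rows shaped like a CSV export of Security-log Event ID 4624
# (successful logon). Hosts, accounts and timestamps are invented for this example.
SAMPLE_4624_EXPORT = """\
TimeCreated,Computer,TargetDomainName,TargetUserName,LogonType
2017-06-27T08:55:00,FILESRV01,CORP,svc-backup,3
2017-06-27T09:10:00,FILESRV01,CORP,da-jsmith,10
2017-06-26T14:20:00,WKS-0042,CORP,helpdesk1,2
2017-06-24T10:00:00,WKS-0042,CORP,da-jsmith,10
2017-06-27T09:30:00,WKS-0099,CORP,da-jsmith,3
2017-06-27T10:05:00,FILESRV01,CORP,alice,2
"""

# Hypothetical inventory for the example: privileged accounts (Domain Admins,
# helpdesk, service accounts) and the hosts confirmed infected, plus the time
# the first infection was observed.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\helpdesk1", "CORP\\svc-backup"}
INFECTED_HOSTS = {"FILESRV01", "WKS-0042"}
INFECTION_TIME = datetime(2017, 6, 27, 11, 0, 0)

# Logon types that leave reusable credential material in LSASS on the target:
# 2 interactive, 4 batch, 5 service, 7 unlock, 10 RemoteInteractive (RDP),
# 11 cached interactive. Network logons (3) normally do not.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}


@dataclass(frozen=True)
class Exposure:
    account: str
    host: str
    when: datetime
    logon_type: int

    @property
    def creds_in_memory(self) -> bool:
        return self.logon_type in CREDENTIAL_CACHING_LOGON_TYPES


def parse_4624_export(text):
    """Turn CSV export rows into (timestamp, host, DOMAIN\\user, logon_type) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        account = f"{row['TargetDomainName']}\\{row['TargetUserName']}"
        rows.append((datetime.fromisoformat(row["TimeCreated"]),
                     row["Computer"], account, int(row["LogonType"])))
    return rows


def find_exposures(events, infected_hosts, privileged, infection_time, window_hours=48):
    """Privileged-account logons onto infected hosts within the window before infection."""
    start = infection_time - timedelta(hours=window_hours)
    return [
        Exposure(account, host, when, ltype)
        for when, host, account, ltype in events
        if host in infected_hosts
        and account in privileged
        and start <= when <= infection_time
    ]


def reset_plan(exposures):
    """Split exposed accounts into (reset now, reset next) by credential exposure."""
    urgent = sorted({e.account for e in exposures if e.creds_in_memory})
    others = sorted({e.account for e in exposures} - set(urgent))
    return urgent, others


if __name__ == "__main__":
    events = parse_4624_export(SAMPLE_4624_EXPORT)
    exposures = find_exposures(events, INFECTED_HOSTS, PRIVILEGED_ACCOUNTS, INFECTION_TIME)
    for e in exposures:
        flag = "creds in memory" if e.creds_in_memory else "network logon only"
        print(f"{e.when:%Y-%m-%d %H:%M}  {e.account:<18} on {e.host:<10} type {e.logon_type:<2} {flag}")
    urgent, others = reset_plan(exposures)
    print("Reset now: ", urgent)
    print("Reset next:", others)
```

On the sample data this flags the Domain Admin RDP session and the helpdesk console logon as urgent resets and the backup service account's network logon as the follow-up; the Domain Admin logon from three days earlier falls outside the window and the logon on the uninfected workstation is ignored. Two caveats a practitioner should keep in mind: the window is only a prioritisation aid, since credentials cached from earlier sessions can persist until the host is rebooted, and a full reset of every account that touched an infected host remains the safe end state the article recommends.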