On June 27, 2017, a digital attack campaign struck banks, airports and power companies in Ukraine, Russia and parts of Europe. Security experts who analyzed the attack determined its behavior was consistent with a form of ransomware called Petya. They also observed the campaign was using a familiar exploit to spread to vulnerable machines.
Let’s take a deeper dive into how this ransomworm campaign evolved. To help us in our effort, below is a timeline of how the attack unfolded.
05:00 – 06:00 EDT – June 27, 2017
The first signs of a digital attack campaign emerge on Twitter. Early in the morning, Dragos founder and CEO Robert M. Lee tweets out reports indicating that Kyivenergo, an electric power supplier to Kiev, has suffered a hacking attack that’s affected Ukrenergo, a Ukrainian power distributor which likely suffered an infection of Industroyer in December 2016.
Kyivenergo hacked, Ukrenergo affected https://t.co/vVRZTC8kjk > very little known right now but worth watching
— Robert M. Lee (@RobertMLee) June 27, 2017
Around that same time, Danish power distributor confirms its “systems are down across multiple sites and business units.”
We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.
— Maersk (@Maersk) June 27, 2017
The company follows up with a statement to its website indicating it’s been a victim of a “cyber attack.”
Other affected organizations then begin coming forward. Among them are Ukraine’s government, France’s Saint-Gobain, the offices of multinationals in Spain and the British advertising group WPP.
08:00 EDT – June 27, 2017
Threat intelligence provider Symantec Security Response confirms that Petya ransomware is responsible for the digital attacks. In a tweet, it reveals the threat is using EternalBlue.
Symantec analysts have confirmed #Petya #ransomware, like #WannaCry, is using #EternalBlue exploit to spread
— Security Response (@threatintel) June 27, 2017
Developed by the U.S. National Security Agency (NSA), EternalBlue is an exploit that abuses a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. A hacker group known as the Shadow Brokers published this exploit along with other Windows-based exploits developed by the NSA on the web in April 2017.
Attackers capitalized on this exposure by incorporating the exploit into a new variant of WannaCry ransomware. Equipped with this attack code and worm-like capabilities, WannaCry spread across 150 countries and affected more than 300,000 organizations beginning on May 12, 2017.
10:00 EDT – June 27, 2017
Kaspersky Lab tweets out a statement clarifying that the ransomworm is not a variant of Petya but is actually a new ransomware they named “NotPetya.” They also reveal the threat has affected approximately 2,000 organizations at the time of their posting.
The latest from @kaspersky researchers on #Petya: it’s actually #NotPetya pic.twitter.com/uTVBUul8Yt
— Kaspersky Lab (@kaspersky) June 27, 2017
As explained by information security researcher “the grugq,” researchers’ struggle to correctly identify the ransomware stems from some code shared between Petya and the new threat:
“The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.'”
Others in the security community feel the purpose behind the ransomware is inconsequential to its code structure, sequencing which is too similar to Petya’s to overlook:
regarding the #PetrWrap name pic.twitter.com/rCrXsE5GfW
— hasherezade (@hasherezade) June 28, 2017
Later on, researchers at Kaspersky Lab publish a larger analysis of NotPetya. They reveal that the ransomware does use EternalBlue, as well as EternalRomance, another exploit targeting some Windows machines as infection vectors.
Kaspersky also discloses NotPetya’s ability to use Mimikatz to extract administrative credentials from an infected system using the lsass.exe process. The threat can then use other tools, such as Windows Management Instrumentation (WMI) or PsExec, to infect other computers on a network.
12:00 EDT – June 27, 2017
Ukraine’s police confirm MeDoc, an accounting software package that many Ukrainians use to pay their taxes, as a NotPetya infection vector.
Кіберполіцією попередньо установлено, що перші вірусні атаки на українські компанії могли виникнути через вразливості ПЗ M.E.doc. pic.twitter.com/MXV7ODtaoM
— Cyberpolice Ukraine (@CyberpoliceUA) June 27, 2017
MeDoc responds by denying any responsibility for the attacks in a Facebook post, noting it pushed out its last update starting on June 22 – five days before the attack occurred. But some in the security community say they have the logs to prove that MeDoc was the source of the ransomworm campaign.
Among them, Malwarebytes releases a blog post later that afternoon reiterating security researchers’ belief that an update released by MeDoc at 10:30 GMT on June 27, 2017, allegedly installed the malware on the “victim zero” system.
13:00 EDT – June 27, 2017
Security researchers begin to share ways by which affected users and businesses can counteract the ransomware. Some note NotPetya runs on boot. As a result, victims can prevent the ransomware from encrypting their files by quickly powering down before Window boots or if they see a “Check Disk” message.
Others like Dave Kennedy, founder of TrustedSec and Binary Defense, reveal administrators can stop NotPetya from writing/executing by creating a file “C:\Windows\perfc.dat”.
Just confirmed it stops execution.
At lease for this variant. https://t.co/YmYKFdqdKJ
— Dave Kennedy (ReL1K) (@HackingDave) June 27, 2017
The ransomware looks for this file on an infected computer. If it discovers it, it exits its encryption routine. Administrators must install this file on every computer to forestall encryption, however. As a result, the file proves to be more of a vaccine than a killswitch.
05:00 EDT – June 28, 2017
Some in the security community tweet out that victims who have paid NotPetya are not getting their files back.
Victims keep sending money to Petya, but will not get their files back: No way to contact the attackers, as their email address was killed. pic.twitter.com/68vxThNIPM
— Mikko Hypponen (@mikko) June 28, 2017
Posteo, a German email provider, appears to have produced this turn of events on June 27, 2017, when they discovered someone abusing their services. As it writes in a blog post:
“Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”
With the NotPetya attackers’ email blocked, victims have no way of recovering their files if they didn’t have data backups already in place.
To protect against ransomware campaigns such as NotPetya, it’s important that users and businesses alike update their operating system software regularly, don’t click on suspicious attachments, and back up their critical data on a regular basis.
For more ransomware prevention tips, click here.