<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

To be or not to be? Using the Mask of Ransomware

Posted: 30 June 2017

Virus in Disguise Ransomware Petya Wannacry

Many businesses and organisations are still reeling from the outbreak of the WannaCry ransomware attack, only to be hit again by another cyber-breach nicknamed Petya (also known NotPetya or Nyetya), but not all is as it seems… It’s now clear that the malware used the EternalBlue exploit to spread, which was the same vulnerability used by WannaCry. This time however, security experts including Kaspersky Labs claim the aim of the attack was not for monetary gain but to cause damage and destruction.

We’ve seen this all before haven’t we?

Early analysis shows that the malware was designed to mimic the “original Petya” ransomware.  This one in particular hijacks the master boot record (MBR) and encrypts data on an infected machine as part of a cybercriminal profit-oriented scheme. Ukraine was at the epicentre of the first attacks and some targets including banks, the government and power companies are still recovering. It then spread to hit other countries around the globe, affecting some high profile organisations such as Maersk (shipping company) and Merck (pharmaceutical company).

The source of the infection points to the Ukrainian tax software MEDoc and it is suspected that a threat actor, according to Ukraine's cyber-cops, managed to compromise MEDoc’s software updates. Updates were then downloaded to multiple sites across Ukraine and subsequent infections caused it to spread. These sites took the biggest infection hit with a whopping 80% being infected.

ALERT: You have a virus!

At first glance the malware seemed like just another ransomware attack; however evidence suggests that this malware was designed to create havoc and destruction, a behaviour observed in a computer virus. Although the malware requested a ransom of $300, the mechanism of collection was flawed. Victims were asked to pay the ransom to a Posteo email address which was instantly shut down, and it now seems apparent that Petya was never designed to collect money but to destroy data.

Analysis of Petya’s code shows the virus using a 128-bit AES encryption key to lock down files, which is protected by a public 2048-bit RSA key. Once activated it performs a network scan to discover targets that are then exploited with EternalBlue or EternalRomance and also picks up administrator credentials by scanning internal RAM. Subsequently a system reboot is initiated and upon restarting it flashes the screen with what appears to be a disk check operation. As some suggest, at this point victims could have still prevented the attack by turning off the power to their machine and recovering the data. However, the truth is that taking this action alone would not suffice.

The other evidence that reveals the true nature of Petya is the types of files it encrypts. According to The Register, only 65 file types are encrypted as opposed to the hundreds encrypted by the original Petya outbreak. Amongst targeted file types were archived files, excel spreadsheets, source code files and even Python files. Notably and perhaps surprisingly, it didn’t target image files such as PNG, which are generally of higher value for normal victims.

Time to Vaccinate

Security researcher Amit Serper discovered that computers can be vaccinated against Petya and therefore prevent activation of the malware, but it can’t prevent the spread within a vulnerable network. 

Creating a read-only file named “perfc” (with no extension) within the “C:\Windows\” directory will prevent Petya activating, however this would require application to every single machine in the estate.

Another State-Sponsored Attack

There is no smoking gun or hard evidence to point fingers, however these recent cyber-attacks coincide with Ukraine’s post-soviet independence day which suggests Ukraine was the prime target. 

Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection said "This is definitely not criminal. It is more likely state-sponsored". Ukrainians officials are pointing fingers at Russia with Boyarchuk stating "It’s difficult to imagine anyone else would want to do this,"

Patching Patching Patching!

We have seen two major attacks in recent weeks and the penetration techniques used by both utilize the same methods, yet both attacks were highly successful. This again takes us back to the same question; are we ready to fight this war? Now our eyes have been opened, patching must be a key part of the security strategy. Petya, like WannaCry, simply did not have to happen but simultaneously, could this be the wakeup call we need?

New Call-to-action

Chris Galazka Technical Consultant, Infinigate UK
Posted by Chris Galazka
Technical Consultant, Infinigate UK
View LinkedIn profile


Share via:


Subscribe to VSEC Blog Updates

Popular Posts