Notpetya – The Petya variant used in the massive attack is a wiper disguised by a ransomware

Pierluigi Paganini June 29, 2017

According to the researchers, the Petya variant (NotPetya) used in the massive attack is a wiper disguised by a ransomware.

In these hours the massive global attack based on Petya variant made the headlines, computers in many countries were infected, including Russia, Ukraine, France, India and the US.

A new analysis conducted on the ransomware reveals the threat was designed to look like ransomware but was wiper malware designed for sabotage purpose.

Researchers Matt Suiche, founder at Comae Technologies, explained that the analysis conducted by his team on Petya samples used in the attack revealed its wiper capabilities.

“we noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 24 first sector blocks of the disk while replicating itself. Some noted that this was mainly slack space as only the first sector is relevant for most of machines — except few exceptions. ” states the analysis published by Comae Technologies.

“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

petya massive ransomware-attack

Attackers might have used a diversionary strategy hide a state-sponsored attack on Ukraine critical infrastructure.

Experts from Kaspersky’s conducted a similar research that led to a similar conclusion.

Unlike other ransomware, Petya does not encrypt files on the infected systems but targets the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable.

Petya locks the access to the users’ data by encrypting the master file table (MFT) and replaces the computer’s MBR with its own malicious code that displays the ransom note.

Petya overwrites the MBR of the hard drive causing Windows to crash. When the victim tries to reboot the PC, it will impossible to load the OS, even in Safe Mode.

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

More than 40 victims already paid the ransom to restore the files, but unfortunately, they would not.

Experts from Kaspersky Lab that have analyzed the encryption routine, discovered that to decrypt the files, the threat actors need the installation ID, unfortunately, he NotPetya does not have it.

The email account set-up by the hackers to communicate with victims and send decryption keys was blocked by the German mail provider Posteo after the outbreak.

“According to an update seen in Motherboard, German e-mail provider Posteo has shut down the e-mail address that victims were supposed to use to contact blackmailers and send bitcoins, and from which they would receive decryption keys. With the e-mail address blocked, victims won’t be able to pay the criminals or get their files back. At Kaspersky Lab, we do not advocate paying the ransom anyway, but in this case, it’s certainly pointless.” states a blog post published by Kaspersky.

“Kaspersky Lab researchers have analyzed the high-level code of the encryption routine and determined that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.

ExPetr (aka NotPetya) does not have that installation ID (the ‘installation key’ shown in the ExPetr ransom note is just a random gibberish), which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”

Summarizing the new variant of Petya analyzed in the massive attack was developed for sabotage, it is a destructive malware.

According to experts from Cisco Talos Intelligence and Microsoft, the infection started in Ukraine, where local firm named MeDoc was targeted by attackers.  Researchers believe that hackers infected software update to a Ukrainian tax accounting system called MeDoc, but MeDoc denies the allegations.

“At the time of updating the program, the system could not be infected with the virus directly from the update file,” translated version of MeDoc post reads. “We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program.”

However, several security researchers and even Microsoft agreed with Talo’s finding, saying MeDoc was breached and the virus was spread via updates.

“Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector.  Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. ” states Microsoft.

According to Microsoft, the new Petya variant implements multiple lateral movement techniques in order to compromise entire networks  once infected a first machine.

The ransomware spreading functionality is composed of multiple methods responsible for:

  • stealing credentials or re-using existing active sessions
  • using file-shares to transfer the malicious file across machines on the same network
  • using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

Microsoft published a detailed analysis that includes also the IoCs.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Petya ransomware, wiper)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment