Hiding the small movement inside the big movement
Today saw a massive outbreak of not-really ransomware that has caused significant damage to both Ukrainian targets and strategic global logistics companies. The worm uses three different infection vectors:
- ETERNALBLUE
- Harvested password hashes
- psexec
The code is well written and obfuscated to evade AV detection using at least two techniques:
- Fake Microsoft signature (apparently fools some AV)
- XOR encrypted shellcode payload (to bypass signature checks)
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet, and the instructions require sending an email containing a large number of complex strings (something a novice computer user is unlikely to get right).
Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of “send a personal cheque to: Petya Payments, PO Box …”)
The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”
Update: congratulations, it’s a wiper!
Research by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack. The key material displayed as the “installation ID” – which in real ransomware is necessary for decryption – is just random data. There is no way to recover the encrypted files, because the key is never preserved and handed to the victim as the value they would quote when requesting a decryption key.
This shows inconsistency & also that the key sent from the MBR can't be used. Can't expect victims to open the raw disk to find README.txt pic.twitter.com/mMUO7KeyOI
— Matt Suiche @ #OPCDE2020 (@msuiche) June 29, 2017
Bug in #Petya's encryption may leave some files damaged and undecryptable. pic.twitter.com/V8agzHocaL
— Ladislav Zezula (@LadislavZezula) June 28, 2017
There are at least three issues (post MBR sector corruption, random garbage installation ID, buggy encryption code) that indicate successful decryption of an infected computer was not a developer priority compared with fast and thorough propagation.
Once is an accident. Twice is a coincidence. Three times is an enemy action. — Goldfinger, by Ian Fleming
This was a straightforward cyber attack with a target space of basically every company that does business in Ukraine.
Seriously, that blast radius is ‘taxable presence in Ukraine.’ I don’t like reading tea leaves, but that isn’t exactly subtle.
— мара-яга (@marasawr) June 27, 2017
https://twitter.com/hasherezade/status/880481111742316545
Worth mentioning that whoever developed Pnyetya had source code to Petya. UPDATE: nope, that is incorrect.
My new post on #EternalPetya – proving that the code was indeed patched: https://t.co/5aQ86hLUvq
— hasherezade (@hasherezade) June 30, 2017
Note: Originally this assessment rested on analysis by Matt Suiche regarding the cavalier attitude Pnyetya has towards preserving the sectors after the MBR. However, more recent analysis suggests that this failure to preserve those sectors would not impact the integrity of the system. The foundations for the wiper assessment have thus been moved from “doesn’t preserve post-MBR sectors” to the far more damning “decryption key is random garbage.”
Patient Zero
Seems Ukrainian Me-doc (source of #NotPetya infection) just found the problem https://t.co/T4ECWN7jyC
— codelancer (@codelancer) June 27, 2017
was hacked and spreading fake update (malware) with #NotPetya
— codelancer (@codelancer) June 27, 2017
Me-Doc accounting software used by UA companies and government
— codelancer (@codelancer) June 27, 2017
When Sofacy and other APTs try to infect by spearphishing – cybercriminals show a different way to p0wn the same targets
— codelancer (@codelancer) June 27, 2017
source of UA outbreak. For other countries/companies, maybe different methods were used. I don't think Rosneft (for example) is using Medoc 🙂
— codelancer (@codelancer) June 27, 2017
yes. And Cisco Talos think the same https://t.co/c1VPelumiB
— codelancer (@codelancer) June 27, 2017
Interestingly, it seems that Maersk was also using MeDoc:
Job Application: "Who we are looking for: Experience in SAP R3 & BW/ 1S / MeDoc" https://t.co/VBLHB4g9Kw
— Rickey Gevers (@UID_) June 27, 2017
In fact, everyone whose business requires them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages). So an attack launched from MeDoc would hit not only Ukraine’s government but many foreign investors and companies.
The MeDoc infection vector has been confirmed by the Ukrainian police.
The Cyberpolice has preliminarily established that the first virus attacks on Ukrainian companies could have arisen through vulnerabilities in the M.E.doc software. pic.twitter.com/MXV7ODtaoM
— Cyberpolice Ukraine (@CyberpoliceUA) June 27, 2017
The immaculate infection
Rosneft, a Russian state controlled company (that does not use MeDoc), was also hit by the worm. They managed to escape practically unscathed, evading all the lateral traversal mechanisms of the worm and simply switching to their backup system. Fortunately, all this without even an interruption to their operations.
http://tass.com/economy/953518
Although there has been talk that the Russian oil sector was also hit, their infinitely superior cybersecurity skills meant that they suffered no downtime or outages. Curious that they were so poorly protected they got infected — especially since they aren’t connected to MeDoc (the initial infection vector) — however they were so well protected they were able to remediate the infection (which didn’t spread… although it can take out 5000 computers in less than 10 minutes.) It’s a miracle!
Rosneft has literally the best security on Earth, apparently. https://t.co/CoGMymFVL0 pic.twitter.com/ZJbTuaFHjI
— мара-яга (@marasawr) June 27, 2017
https://twitter.com/HackingDave/status/879736303922933760
Correct. They modelled it after Petya but it's not actually Petya. I doubt intent was actually ransomware, too easy to close email acct. https://t.co/lBZlVFrbTX
— Kevin Beaumont (@GossiTheDog) June 27, 2017
Email account used by #Petya #NotPetya for ransomware payment closed https://t.co/s4qiQj6wmu
— Kevin Beaumont (@GossiTheDog) June 27, 2017
Petna (yes start calling it that 😬) explicitly targets a Ukrainian software package, mandated by Ukrainian government.
— Kevin Beaumont (@GossiTheDog) June 27, 2017
To quickly stop Petya right now – MS17-010 patch AND blocking ADMIN$ via GPO will stop lateral movement on WMI and PSEXEC. #Petya
— Binary Defense (@Binary_Defense) June 27, 2017
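The ADMIN$-plus-remote-service pattern the tweet above says to block can also be hunted for after the fact. The following is an added detection example, not code from the original post or from Binary Defense; it assumes Windows events 5140 (share accessed) and 7045 (service installed) have already been parsed into dicts, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumption: already parsed from EVTX into dicts).
# 5140 = network share accessed (Security log); 7045 = service installed (System log).
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T11:02:10", "id": 5140, "host": "FIN-WS-07",
     "src_ip": "10.1.4.22", "share": "\\\\*\\ADMIN$", "account": "svc-backup"},
    {"ts": "2017-06-27T11:02:13", "id": 7045, "host": "FIN-WS-07",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T11:02:40", "id": 5140, "host": "FIN-WS-09",
     "src_ip": "10.1.4.22", "share": "\\\\*\\ADMIN$", "account": "svc-backup"},
    {"ts": "2017-06-27T11:02:44", "id": 7045, "host": "FIN-WS-09",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign: an admin touches ADMIN$ but no service install follows within the window.
    {"ts": "2017-06-27T13:40:00", "id": 5140, "host": "FIN-WS-11",
     "src_ip": "10.1.9.5", "share": "\\\\*\\ADMIN$", "account": "it-admin"},
    {"ts": "2017-06-27T15:00:00", "id": 7045, "host": "FIN-WS-11",
     "service": "Printer Extensions", "image": "C:\\Windows\\System32\\spoolsv.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def psexec_style_alerts(events, window_seconds=60):
    """Return (host, src_ip, account, service) for every remote ADMIN$ access that is
    followed on the same host by a service installation within window_seconds."""
    alerts = []
    ordered = sorted(events, key=_ts)
    for i, share in enumerate(ordered):
        if share["id"] != 5140 or not share["share"].upper().endswith("ADMIN$"):
            continue
        for later in ordered[i + 1:]:
            if (_ts(later) - _ts(share)).total_seconds() > window_seconds:
                break  # events are time-ordered, so nothing further can match
            if later["id"] == 7045 and later["host"] == share["host"]:
                alerts.append((share["host"], share["src_ip"], share["account"], later["service"]))
                break
    return alerts

def fan_out_sources(alerts, min_hosts=2):
    """Source IPs that triggered the pattern on at least min_hosts distinct hosts:
    one credential reused against many machines is the worm signature, not an admin."""
    hosts = defaultdict(set)
    for host, src_ip, _account, _service in alerts:
        hosts[src_ip].add(host)
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    found = psexec_style_alerts(SAMPLE_EVENTS)
    for alert in found:
        print("psexec-style lateral movement:", alert)
    print("worm-like fan-out:", fan_out_sources(found))
```

Real deployments would read the events from the Security and System logs of every host; the same source IP appearing in alerts across many hosts within minutes is what distinguishes this worm from a single administrator using psexec.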
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
Vice Prime Minister of Ukraine, Павло Розенко (Pavlo Rozenko) on Facebook. This is what Petya looks like when it's encrypting your drive. pic.twitter.com/RgPtfuWK7p
— @mikko (@mikko) June 27, 2017
We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.
— Maersk (@Maersk) June 27, 2017
Update:
In addition to known vectors, ExPetr/PetrWrap/Petya was also distributed through a waterhole attack on https://t.co/j9DvYcEgW7
— Costin Raiu (@craiu) June 28, 2017
It is clean – we do not see any attacks at the moment. Most likely it's also targeting visitors geographically (my guess, UA only).
— Costin Raiu (@craiu) June 28, 2017
we haven't observed any exploits so far, only what appears to be a drive-by download pretending to be a Windows update file.
— Costin Raiu (@craiu) June 28, 2017
https://twitter.com/josephfcox/status/880023319419944961
False alarm. Seems unrelated.
In other news
Combined arms cyber operations?
Does a bear shit in Ukraine?
It doesn’t take a weatherman to know which way the wind blows.
Thanks to @marasawr for discussion and analysis.