Introduction
The NotPetya attack was a unique cyber attack that wreaked havoc around the world in June 2017. Following shortly after the WannaCry ransomware outbreak, NotPetya started in Ukraine and rapidly spread around the world, though it did not spread as widely as WannaCry had. There were some controversial details regarding NotPetya and its true intentions, and authorities are still investigating the matter.
It used a unique method of infecting patient zero and three methods of propagating through a network, like a computer worm, to infect other computers and networks. The outbreak resulted in immense financial losses for over 2000 organizations (some of them large multinational organizations) and also demonstrated that individuals and organizations still had not patched their computer systems even after the WannaCry outbreak.
The Outbreak
When the malware initially broke out, victims immediately assumed it was ransomware because they were presented with a note on their computers stating that their files had been encrypted and that they must pay $300 in Bitcoin in order to decrypt them. The outbreak started in Ukraine when a tax filing software called MEDoc, which is used by a large number of businesses in Ukraine, received infected updates [1]. The attackers are believed to have hacked into the software company's servers that hosted the updates and embedded malware into them. When organizations using the software received the updates and installed them, they ended up installing NotPetya as well. The MEDoc software company still denies being the source of the outbreak, but several reputable security sources claim to have evidence proving it was the source [2].
Once the malware was installed, it began spreading through networks, scanning and infecting other computers that were vulnerable or that it was able to break into. Because the message displayed was a ransom note stating that files had been encrypted and that a payment in Bitcoin had to be made in order to decrypt them, the malware was initially treated as ransomware. Early analysis found NotPetya to have a code structure and behavior similar to that of the Petya ransomware of 2016, and it was therefore believed to be a revival of Petya. Some of the countries affected by NotPetya were Ukraine, Russia, Germany, France, the United Kingdom, Norway, Denmark, and the United States.
Roughly one week after the outbreak, research found that the malware was not the same as Petya (hence it became known as NotPetya) and was a lot more severe than traditional ransomware. The reason is that it did not appear to encrypt the master boot record (MBR) but instead overwrote it with the attacker's own MBR, which encrypted the files through the master file table (MFT) and displayed the ransom note [3]. With no usable MBR, the user cannot access the operating system on their computer and therefore cannot use the computer. Given that the MBR was overwritten, some researchers claim there was no method in the malware to restore the MBR to normal, nor did it keep a copy of the original MBR or even have a decryption method for those who paid the ransom. This effectively classified NotPetya as a wiper rather than ransomware. However, there were some cases where the MBR could be recovered via the repair feature on the Windows bootable CD.
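The wiper behaviour described above comes down to sector 0 of the disk being replaced. The following added example (written for this page, not code from NotPetya or from any of the cited analyses) shows what a defender can check: it parses a 512-byte MBR image, verifies the 0x55AA boot signature and partition table, and compares a SHA-256 of the boot code area against a baseline taken when the machine was known good. The MBR images are constructed in the block; the partition values and the baseline hash are assumptions for the demonstration.

```python
"""Check a 512-byte MBR image for signs of tampering (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446 # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510       # last two bytes must be 0x55 0xAA
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable partition of type 0x07 (assumed values)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    table = entry + b"\x00" * 16 * 3     # remaining three entries unused
    return code + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, non-empty partition entries and a hash of the boot code."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
    }


def check_against_baseline(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """List findings that indicate the MBR no longer matches the known-good state."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition in table")
    return findings


if __name__ == "__main__":
    known_good = build_sample_mbr(b"\xEB\x3C\x90" + b"ORIGINAL-BOOT-CODE")
    baseline = parse_mbr(known_good)["boot_code_sha256"]   # recorded while the host was clean
    replaced = build_sample_mbr(b"\xEB\x3C\x90" + b"REPLACED-BOOT-CODE")
    print("known good:", check_against_baseline(known_good, baseline))
    print("overwritten:", check_against_baseline(replaced, baseline))
```

On a live system the 512 bytes would be read from the raw disk device (which requires administrative rights), and the baseline hash would be stored off-host so that a wiper cannot update it along with the sector.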
How it Works
Spreading Through the Network
Once installed on a computer, NotPetya begins running one of three methods to propagate through the network [4]. It first makes use of EternalBlue/EternalRomance and tries to exploit any computers still vulnerable to the Server Message Block version 1 (SMBv1) vulnerability. Even after the WannaCry outbreak, which leveraged the same vulnerabilities to spread across networks, a significant number of organizations still had not patched their systems against this vulnerability. This helped NotPetya spread at a rate similar to WannaCry, affecting around 65 countries [5].
If it cannot exploit the EternalBlue vulnerability, it falls back to a copy of PsExec embedded inside it. PsExec is a Windows remote execution tool that cyber criminals can use to remotely install applications onto computers and also to move around on networks. In order for this method to be successful, the infected computer must have administrative privileges.
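Both propagation methods above share one network-level symptom: a single host opening SMB (TCP 445) connections to many distinct peers in a short time, which normal file-share use does not do. The following added example (written for this page, not code from NotPetya or from the cited reports) runs that worm fan-out check over a constructed connection log: for each source it keeps a sliding window of SMB destinations and raises an alert when the number of distinct targets in the window reaches a threshold. The log lines, IP addresses, window length and threshold are all assumptions for the demonstration.

```python
"""Flag worm-like SMB fan-out in a connection log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample log, not captured traffic. Fields: timestamp, src, dst, dst port.
# Host 10.0.0.12 touches 12 different peers on 445 within 12 seconds (worm-like);
# host 10.0.0.50 uses two file servers (normal); host 10.0.0.60 is HTTPS traffic.
SAMPLE_LOG = [
    f"2017-06-27T10:00:{i:02d} 10.0.0.12 10.0.0.{20 + i} 445" for i in range(12)
] + [
    "2017-06-27T10:00:30 10.0.0.50 10.0.0.5 445",
    "2017-06-27T10:00:31 10.0.0.50 10.0.0.5 445",
    "2017-06-27T10:00:35 10.0.0.50 10.0.0.6 445",
    "2017-06-27T10:00:40 10.0.0.60 10.0.0.9 443",
]


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """Return (alerts, peak): first alert time per source, and the most distinct
    SMB targets each source contacted within any single window.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) on port 445
    peak = {}                     # src -> max distinct targets seen in a window
    alerts = {}                   # src -> time the threshold was first reached
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        peak[src] = max(peak.get(src, 0), distinct)
        if distinct >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts, peak


if __name__ == "__main__":
    found, peaks = detect_smb_fanout(SAMPLE_LOG)
    for src, when in found.items():
        print(f"ALERT {src}: {peaks[src]} distinct SMB targets, first at {when.isoformat()}")
```

The threshold has to be tuned per environment: a backup server or a vulnerability scanner legitimately contacts many hosts on 445, so those sources are normally put on an allow list rather than lowering the sensitivity for everyone else.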
Once a computer is infected, the malware remains dormant for about 10 to 60 minutes before forcing a system restart. The computer begins to start up normally and CHKDSK appears to be running as usual (this is a utility that checks the integrity of hard disks when a computer starts up) [6]. However, while this process appears to be running, NotPetya is in fact busy encrypting the user's files. It is theorized that pulling the plug during this process may save a lot of files from being encrypted.
!!PAGE STILL IN PROGRESS!!
References
- [1] https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack
- [2] http://www.bbc.com/news/technology-40428967
- [3] https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/
- [4] https://www.helpnetsecurity.com/2017/06/28/notpetya-outbreak/
- [5] https://www.druva.com/blog/ransomware-wipeware-how-notpetya-is-changing-threat-landscape/
- [6] https://neosmart.net/wiki/chkdsk/