As research into NotPetya/ExPetr continues, this post provides a summary of the latest findings from our research and updated advice for best protecting your organization.
What we know so far
Based on our research, we assess that although the malware variants observed in the attack on 27th June, 2017 share some code similarities with the Petya / GoldenEye ransomware, there are sufficient differences for us to conclude that the malware was not in fact a variant of Petya / GoldenEye; it is currently referred to by various security vendors as NotPetya / Petna / ExPetr.
Some fundamental capabilities of NotPetya / Petna / ExPetr include:
- Overwriting the Master Boot Record (MBR) with a bespoke bootloader, similar to that in Petya / GoldenEye variants, which is used to encrypt the Master File Table (MFT).
- Using bespoke code to encrypt files with the targeted file extensions.
What makes this malware particularly notable is that it has multiple lateral movement capabilities:
- SMBv1 vulnerability – like WannaCry, NotPetya uses the ETERNALBLUE exploit to infect other machines on the local network that are exposed to the CVE-2017-0144 vulnerability. However, NotPetya also uses the ETERNALROMANCE exploit to take advantage of the CVE-2017-0145 vulnerability.
- Credential dumping – the malware also drops a credential dumping tool such as Mimikatz to steal user credentials. The stolen credentials are then used to launch the malware on remote systems via Windows Management Instrumentation Command-line (WMIC) and PsExec. This allows the malware to infect systems that are fully patched and not vulnerable to ETERNALBLUE and ETERNALROMANCE.
Note, however, that NotPetya only scans local IP ranges, so unlike WannaCry it is not designed to propagate externally.
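As an added illustration (not from the original post), the following Python sketch shows how the WMIC / PsExec lateral-movement behaviour described above could be hunted in process-creation telemetry: it parses constructed, Sysmon-style command lines, extracts the remote target, and records whether that target falls in a private range, consistent with the local-only scanning noted above. The event layout, host names and the payload name `payload.dll` are assumptions, not indicators from the page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events: (source host, image name, command line).
# These are illustrative only and not real NotPetya indicators.
SAMPLE_EVENTS = [
    ("host1", "wmic.exe",
     r'wmic.exe /node:"10.0.0.15" /user:"CORP\admin" /password:"x" '
     r'process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'),
    ("host1", "psexec.exe",
     r"psexec.exe \\10.0.0.22 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"),
    ("host2", "wmic.exe", r"wmic.exe os get caption"),          # benign local query
    ("host3", "psexec.exe", r"psexec.exe \\203.0.113.9 cmd.exe"),  # non-private target
]

# wmic /node:<target> ... process call create  -> remote process launch
WMIC_REMOTE = re.compile(r'/node:"?([^\s"]+)"?.*process\s+call\s+create', re.I)
# psexec \\<target> ...  -> remote process launch
PSEXEC_REMOTE = re.compile(r"\\\\([^\s\\]+)")

# RFC 1918 ranges; NotPetya only scanned local ranges, so a private
# target is consistent with the propagation pattern described above.
LOCAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local_target(target):
    """Return True/False for an IP literal, None for a hostname (needs resolution)."""
    try:
        addr = ip_address(target)
    except ValueError:
        return None
    return any(addr in net for net in LOCAL_RANGES)


def detect_lateral_exec(events):
    """Flag WMIC/PsExec invocations that launch a process on a remote host."""
    findings = []
    for source, image, cmdline in events:
        pattern = {"wmic.exe": WMIC_REMOTE, "psexec.exe": PSEXEC_REMOTE}.get(image.lower())
        match = pattern.search(cmdline) if pattern else None
        if match:
            target = match.group(1)
            findings.append({"source": source, "tool": image.lower(),
                             "target": target, "local_target": is_local_target(target)})
    return findings
```

Legitimate administrators also use these tools, so in practice the hits should be baselined against known admin hosts and correlated with the credential-dumping activity described above.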
After paying the ransom, victims are asked to email their bitcoin wallets to the email address firstname.lastname@example.org, in order for the attacker to verify payment. However, this email address was rapidly blocked by the service provider, so victims will be unable to pay to have their systems decrypted.
Based on their global telemetry, various security endpoint providers have been reporting observations. Below is a selection of these observations that we believe companies should be paying particular attention to:
- MeDoc update binary infection: MeDoc is popular Ukrainian financial document management software. Several providers, including Kaspersky, Cisco Talos and Microsoft, have reported that the initial delivery of the malware was via an infected MeDoc update binary. This suggests a targeted intent in the delivery of this malware.
- Watering-hole attack: Researchers from Kaspersky have also reported they saw NotPetya delivered via a watering hole bahmut[.]com.ua/news/. If verified, this would further support the targeted attack hypothesis.
- Wiper: Researchers from Kaspersky and Comae Technologies have reported that the malware was in fact designed so that encrypted systems could not be decrypted: the unique installation ID, which ransomware operators normally use to derive the decryption key for a victim, does not contain any useful information, so decryption would not have been possible.
Based on the latest observations, we assess with medium confidence that NotPetya is a targeted attack and the attackers attempted to use code and behavior from Petya to disguise the true purpose of this attack.
Specifically, our conclusion is based on the following findings:
- The malware is designed to propagate only within local networks.
- The MeDoc software update binary was strategically infected to deliver the malware to organizations operating in Ukraine.
- The apparent use of a country-specific watering-hole attack as a secondary delivery mechanism for the malware.
- The lack of a scalable method to collect ransom.
- The lack of a sufficient and scalable method to decrypt victim systems.