Team NotPetya WalterWhite Laboratories Dec. 2018
Petya/NotPetya
Report on Malware Infection
12 / 6 / 2018
TOC / Introduction
This document summarizes our analysis of NotPetya and offers forward-thinking solutions to counter similar attacks in the future.
This document will cover the following areas:
● Executive Summary
● Characteristics
● Static Analysis
○ Synopsis of Executable
○ Other Key Points
○ Timeline
○ Initial Behavior
● Dynamic Analysis
○ Process Environment
○ Network Activity
○ Filesystem Modifications
● Containment Strategy
○ Scope
○ Severity
○ Solution
● Awareness Training
○ Identification
○ Quarantine and Response
○ Escalation
● Summary
EXECUTIVE SUMMARY
Severity: HIGH
Victims: worldwide – companies
Attackers: Unknown
A new malware variant – called Petya/NotPetya – began disabling critical systems on Tuesday, 27 June 2017 in Ukraine, Russia, Denmark, France, the UK, the USA, Belgium and multiple other countries. While originally thought to be ransomware only, technical analysis made clear that it had more functionality than standard ransomware and was more intent on the destruction of data. While this strain of malware does encrypt files, it also inflicts irreparable damage on the system and was built in a way that makes decryption impossible.
Multiple sources, including the US government's Homeland Security department, state that NotPetya's primary goal was the destruction of both data and data systems. The malware spreads through a well-known vulnerability in the Windows SMB protocol, combined with the use of built-in Windows tools (WMIC, PsExec) and the theft of credentials.
Once infected, the computer will no longer boot, and the vast majority of files on the drive have been encrypted. On attempted startup the user is presented with an on-screen message stating that the system's files are encrypted and cannot be decrypted unless a decryption key is purchased for $300. The malware author claims that the decryption key will be sent upon payment of the $300 ransom. It is believed that the initial infection involved the automatic update of the accounting software 'MEDoc', made by a company based in Ukraine. The update was contaminated with the Petya/NotPetya malware and spread quickly through several networks of the Ukrainian government and the logistics company Maersk.
Screen grab of the ransom note.
The malware spread through the internal networks of Maersk, an international company, and was thus able to cross national borders. It spread using the same vulnerabilities in the SMB protocol that were also used in the WannaCry campaign; companies that had not patched these vulnerabilities were exposed. In addition, the Petya/NotPetya malware contains several other methods – including the theft of credentials – to infect systems internally beyond the SMB vulnerability, which means that patching alone is not sufficient.
Along with Walter White Laboratories, other companies that were infected and suffered substantial financial loss were FedEx, Merck, WPP, DLA Piper, Nuance Communications, Beiersdorf, Maersk and Saint-Gobain, as well as many smaller companies.
TECHNICAL OVERVIEW
Characteristics
This particular strain of malware closely resembles the Petya malware of 2016, but has some distinctive differences:
● The infection vector does not involve phishing, but the MEDoc application;
● The distribution methods are the SMB vulnerabilities, legitimate Windows tools and Mimikatz;
● Fake digitally signed software is used;
○ XOR-encrypted shellcode is used in the malware payload to bypass AV signatures;
● A specific behavior can be observed on domain controllers and servers: the malware attempts to call the function DhcpEnumSubnets() to retrieve all DHCP subnets before scanning for TCP/139 and TCP/445 services;
● There is an unconfirmed 'killswitch' in the malware that can be activated by creating a read-only file called 'perfc' in the %Windows% install folder. However, this will not prevent the malware from spreading itself;
● There is no evidence of communication with an external command and control server.
Static Analysis
Synopsis of Executable
Although initially labeled as ransomware due to the ransom message that is displayed after
infection, it appears now that NotPetya functions more as a destructive wiper-like tool than
actual ransomware.
Initially, analysis showed many similarities with Petya ransomware samples from 2016, but
further research indicated the malware had been modified to cause data destruction. NotPetya
overwrites sectors of the physical hard drive and C: volume, but does not contain the ability to
restore the files, rendering recovery impossible even if the ransom is paid.
Using the Windows API DeviceIoControl, the malware is able to obtain direct read and write
access to the physical hard drive, without interaction with the operating system (provided it has
the proper administrative permissions).
This allows the code to determine the number of disks and partitions on the system, unmount a mounted volume (even if in use), and determine the drive geometry for the drives on the system (i.e., the number of sectors, bytes per sector, etc.). The malware uses this access to destroy data critical to the operating system. NotPetya also has the ability to replace the OS bootloader with custom code embedded in the binary.
Other Key Points
● NotPetya is a 27 KB malware DLL (dynamic-link library) that is launched using rundll32.exe
● PE32 executable (DLL) (console) Intel 80386, for MS Windows
● Compilation date: Tuesday, 27 June 2017
Timeline
● June 27, 2017 - 05:00-06:00 EDT - First signs of the attack emerge on Twitter in a post about a Ukrainian power distributor being hacked
● June 27, 2017 - 08:00 EDT - Symantec confirms that Petya is responsible for the attack
● June 27, 2017 - 10:00 EDT - Kaspersky Lab tweets a statement clarifying that the ransomware is not a variant of Petya but a new ransomware named NotPetya. They also announce that at least 2,000 organizations had already been infected at the time of the tweet.
● June 27, 2017 - 12:00 EDT - Ukrainian police announce that MEDoc, an accounting software package used by many Ukrainians to pay their taxes, was the NotPetya infection vector.
● June 27, 2017 - 13:00 EDT - Security officials begin to announce methods to avoid the attack.
● June 28, 2017 - 05:00 EDT - It is announced that those who decided to pay the ransom are not getting their files back.
Initial Behavior
The table below summarizes the initial activity generated by the sample upon upload to Any.Run.

Activity Type    Count
HTTP Requests    N/A
DNS Requests     N/A
Connections      RAW UDP data
Files Changed    MBR

Behavior Once Active
Once installed, NotPetya does several things:
● It runs Mischa, a component of an earlier variant of the Petya ransomware, and encrypts individual files
● It reboots the system, encrypts the MFT (master file table) and renders the Master Boot Record (MBR) inoperable. It also overwrites the MBR with a file that displays the ransom note, which renders the system unable to boot.
Dynamic Analysis
The test results were generated by executing the malware on Any.Run’s hosted platform.
What is EternalBlue? The EternalBlue vulnerability, CVE-2017-0144, targets the Microsoft
Windows Server Message Block (SMB) protocol and allows attackers to execute arbitrary code.
A fix was issued in March 2017 by Microsoft.
Process Environment
The malware runs as admin. After successfully obtaining admin access to the machine, it encrypts the master boot record, making the infected Windows computers unusable. Having admin privileges allows NotPetya to harvest user credentials from the infected host and then use those credentials to connect to other systems on the network, spreading like a worm. It takes only one infected machine in an organization to take down all systems in the network.
NotPetya executable/loader fingerprints
● MD5: 71b6a493388e7d0b40c83ce903bc6b04
● SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
● SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Indicators of suspicious activity: The malware first shows signs of suspicious activity when it decompresses the contents of its resource named 0x3 of type RT_RCDATA to C:\Windows\dllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility, a telnet replacement that allows execution of processes on other systems on the LAN. The malware then forces the computer to reboot.
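A triage sweep that checks files against the three fingerprints above, added here as an example (it is not part of the original report): each file is read once and all three digests are compared, since a hit on any one of them is enough to escalate. The directory to scan is a parameter, and the sample file used for the self-check is constructed.

```python
"""Sweep a directory tree for files whose MD5/SHA-1/SHA-256 match the NotPetya
loader fingerprints from the report (added example, not the report's own tooling)."""
import hashlib
import os
import tempfile

# Fingerprints exactly as listed in the report for the loader DLL.
NOTPETYA_LOADER_IOCS = {
    "md5": {"71b6a493388e7d0b40c83ce903bc6b04"},
    "sha1": {"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d"},
    "sha256": {"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"},
}


def file_digests(path, chunk_size=1 << 16):
    """Compute MD5, SHA-1 and SHA-256 of one file in a single streamed read."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=NOTPETYA_LOADER_IOCS):
    """Return the algorithms on which `digests` hits the IoC set ([] means clean)."""
    return sorted(alg for alg, known in iocs.items() if digests.get(alg) in known)


def sweep(root, iocs=NOTPETYA_LOADER_IOCS):
    """Walk `root` and return [(path, matched_algorithms)] for files hitting the IoCs.
    Unreadable files are skipped so one locked file does not abort the sweep."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue
            matched = match_iocs(digests, iocs)
            if matched:
                hits.append((path, matched))
    return hits


def demo_sweep():
    """Self-check on constructed data: write one harmless file into a temporary
    directory, add its SHA-256 to a copy of the IoC set, and confirm the sweep
    reports exactly that file (and nothing on the real fingerprints alone)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real loader")
        assert sweep(tmp) == []  # real fingerprints do not match the sample
        iocs = {alg: set(vals) for alg, vals in NOTPETYA_LOADER_IOCS.items()}
        iocs["sha256"].add(file_digests(sample)["sha256"])
        return [(os.path.basename(p), m) for p, m in sweep(tmp, iocs)]


if __name__ == "__main__":
    print(demo_sweep())
```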
Network Activity
While monitoring the network traffic after running the NotPetya executable, we observed that the malware does not make any DNS or HTTP requests. Instead it creates a raw UDP data flow to 192.168.100.140 (attacker's CNC) from our localhost (VM) on port 137.
The malware enumerates all network adapters, all known server names via NetBIOS and also
retrieves the list of current DHCP leases, if available. Each and every IP on the local network
and each server found is checked for open TCP ports 445 and 139. Those machines that have
these ports open are then attacked with one of the methods described above.
After initial infection, the malware tries to move laterally using the following techniques:
● The theft of username/password combinations using a variant of Mimikatz;
● The reuse of active SMB sessions;
● The use of shared folders to spread the ransomware through the network using WMIC and PsExec;
● The use of the known SMBv1 vulnerabilities EternalBlue and EternalRomance.
A network scan is made:
● The malware enumerates all network adapters and all possible server names via NetBIOS;
● It enumerates the DHCP addresses in use, if available;
● It also uses the local ARP cache;
● Each network address on the local network is checked for open TCP ports, specifically SMB ports 445 and 139. Machines that have these ports open are then attacked using one of the methods described above.
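The scan pattern above (one host probing every local address for TCP 445/139) shows up in connection logs as a burst of distinct destinations from a single source, which is what a defender can alert on. The detector below is an added example written for this report, not code from the original analysis or from Any.Run; it assumes a simple "<timestamp> <src> -> <dst>:<port> <proto>" log format and runs over constructed sample lines.

```python
"""Flag hosts that sweep the local network for SMB (TCP 445/139), the scan
behaviour described in the report.  Added example; the log format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def detect_smb_sweeps(lines, min_hosts=10, window_seconds=60):
    """Return one alert per source that reaches at least `min_hosts` distinct
    destinations on TCP 445/139 inside any `window_seconds` window.

    The count is over distinct destination hosts, not connections, so a
    workstation re-connecting to the same file server all day never fires."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerted = {}                  # src -> alert dict, recorded on the first trip only
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port, proto = parsed
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= min_hosts and src not in alerted:
            alerted[src] = {
                "src": src,
                "first_seen": q[0][0].isoformat(),
                "tripped_at": ts.isoformat(),
                "distinct_hosts": len(distinct),
                "targets": sorted(distinct),
            }
    return list(alerted.values())


def constructed_sample_log():
    """Constructed log lines, not captured traffic: 10.0.0.5 walks 10.0.0.1-20 on
    445 one host per second (the NotPetya sweep); 10.0.0.7 keeps re-connecting to
    a single file server; 10.0.0.9 is plain HTTP; one line is unparseable."""
    base = datetime(2017, 6, 27, 10, 15, 0)
    lines = []
    for i in range(1, 21):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 -> 10.0.0.{i}:445 tcp")
        lines.append(f"{t} 10.0.0.7 -> 10.0.0.10:445 tcp")
        lines.append(f"{t} 10.0.0.9 -> 10.0.0.10:80 tcp")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_smb_sweeps(constructed_sample_log()):
        print(f"{alert['src']}: {alert['distinct_hosts']} SMB targets between "
              f"{alert['first_seen']} and {alert['tripped_at']}")
```

Tune `min_hosts` and `window_seconds` to the network: a backup server or vulnerability scanner that legitimately touches every host on 445 needs an allow-list entry rather than a higher threshold.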
Filesystem Modifications
Based on the information from the Any.Run report, rundll32.exe executes commands and overwrites the data. File system modifications are the changes performed by a generated package during its deployment to the file system on a target PC; these can include creation or deletion of files and folders, modification of file contents and creation of shortcuts. In the case of NotPetya, rundll32.exe looks normal, but the malware is disguised as a normal Windows application and then "encrypts" the data to hold it for "ransom." Once the user reboots the computer or the system goes black, the information is effectively gone.
Containment Strategy
Scope
The malware aims to obtain user credentials via Mimikatz tools, and once it obtains administrative credentials it starts to spread itself. It can jump to other vulnerable devices, and instead of holding people's information and data hostage like ransomware, it wipes the information, so users lose money and get nothing back. The malware specifically targeted Windows computers in June 2017 in the following countries: Ukraine, Russia, Denmark, France, the UK, the USA, Belgium and others, leading it to be dubbed the "worst cybersecurity attack in history". These Windows computers did not have software updates and did not have the latest patches, making them vulnerable to the attack and showing how universally we are not up to standard. Computers running Windows 10 were not as affected, and even where they were, the improved security measures prevented the malware from spreading to other systems. The majority of affected operating systems were anything older than that. Companies ranging from 10k employees down to 10-50 employees were affected by this attack, and no specific industry was targeted - anyone who was vulnerable with an older Windows OS was a target.
Severity
In a report created by the White House it was estimated that the damage from NotPetya was more than 10 billion dollars. Pharmaceutical vendor Merck lost around 670 million dollars and FedEx lost around 450 million dollars. Consumer products vendor Reckitt Benckiser lost around 100 million dollars, and snack maker Mondelez International had losses exceeding 150 million dollars. Merck also had to replace 45,000 computers that were infected with the virus.
Other companies around the world that lost large amounts of money due to NotPetya include Nuance Communications, Beiersdorf, Maersk and Saint-Gobain, as well as many smaller companies that lost less in absolute terms but were hit equally hard, if not harder, because of their size and limited resources. Tom Bossert, the head of Homeland Security at the time of the discovery of NotPetya, confirmed the estimates of the damage and the potential source. It is believed that the Russian government, in an attempt to destabilize Ukraine, unleashed the ransomware on the unsuspecting global network, and the unforeseen consequences were devastating worldwide.
In the end it is far cheaper to replace infected computers than to run the risk of infection again.
Solution
First and foremost, the best solution is a backup strategy that follows the 3-2-1 backup rule. There should be at least 3 copies of all data. Two copies are on different media types; this can be hard drive, tape backup, or any other medium that is stored off the network. Keep at least one copy off-site in the event of physical data loss at the location where the other copies reside. Maintain a backup schedule that limits the amount of data lost between backups; for example, backups could run continuously to one medium, with a full backup at midnight.
Below is a list of other steps that can be taken to help mitigate the potential of attack.
● Don’t pay the ransom because it’s too late! Once the attack commences, the user’s
information is wiped from the infected system. In previous versions of “similar”
ransomware, the installation ID contained crucial information for the key recovery.
NotPetya’s ID is randomly generated, and the single email listed on the ransom screen
was quickly killed.
● Ensure your system is patched according to the latest security updates. (Specifically,
Microsoft Security Patch MS17-010). Windows 10 contains security measures that can
prevent other systems from being infected.
● Take away any local administrator rights of regular users.
● Watch out for the creation of new scheduled tasks via EventId 106 for the following tasks:
○ 'schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST '
○ 'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR'
○ '"C:\Windows\system32\shutdown.exe /r /f" /ST '.
● Block the execution of 'PsExec' and 'perfc.dat' files through AppLocker or a similar tool. Make sure your AV / IDS / IPS rule set is up to date.
● Enforce a backup strategy and test it.
● Comply with the traditional security methods against ransomware.
● Consider the following SMB restrictions:
○ Ensure that Windows SMB services (typically TCP port 445) are not directly connected to the internet.
○ Consider blocking inbound external traffic on port 445.
○ Consider disabling SMBv1 in your network.
● Monitor the internal network, specifically for anomalies in management traffic.
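One way to implement the EventId 106 watch from the list above as a detection rule, added here as an example that is not part of the original report: it matches the schtasks /Create ... shutdown.exe /r /f command lines quoted above in process-creation events (Windows Security Event ID 4688, assumed to be collected) and correlates them with Task Scheduler Event ID 106 registrations on the same host. The normalized event records, and the /ST time in them, are constructed.

```python
"""Detect the forced-reboot scheduled task NotPetya creates, and tie the command
line to the Task Scheduler registration event (added example, not the report's code)."""
import re
from datetime import datetime, timedelta

# The forced reboot inside a scheduled task is the core indicator; the other two
# features are the extra switches seen in the report's command lines.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\s+/r\s+/f\b", re.I)
RUN_ONCE = re.compile(r"/sc\s+once\b", re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?system"?', re.I)


def reboot_task_features(command_line):
    """Return the suspicious features found in a command line, or [] when it is
    not a schtasks /Create of a forced reboot (ordinary admin tasks stay silent)."""
    if not (SCHTASKS_CREATE.search(command_line) and FORCED_REBOOT.search(command_line)):
        return []
    features = ["schtasks_create", "forced_reboot"]
    if RUN_ONCE.search(command_line):
        features.append("run_once")
    if RUN_AS_SYSTEM.search(command_line):
        features.append("run_as_system")
    return features


def correlate_reboot_tasks(records, window_seconds=120):
    """Pair each matching 4688 command line with an Event ID 106 registration on
    the same host within `window_seconds`.  A matching command line alerts even
    without a 106, because the task may have failed to register or the
    Operational log may not be forwarded."""
    window = timedelta(seconds=window_seconds)
    registrations = [r for r in records if r["event_id"] == 106]
    alerts = []
    for r in records:
        if r["event_id"] != 4688:
            continue
        features = reboot_task_features(r.get("command_line", ""))
        if not features:
            continue
        t = datetime.fromisoformat(r["ts"])
        linked = [g for g in registrations
                  if g["host"] == r["host"]
                  and abs(datetime.fromisoformat(g["ts"]) - t) <= window]
        alerts.append({
            "host": r["host"], "ts": r["ts"], "user": r.get("user"),
            "features": features,
            "task_registered": bool(linked),
            "task_names": [g.get("task_name") for g in linked],
        })
    return alerts


def constructed_sample_events():
    """Constructed event records, not captured telemetry.  WS01 shows the
    report's pattern (the /ST value is made up); WS02 is a normal backup task."""
    return [
        {"ts": "2017-06-27T10:46:01", "host": "WS01", "event_id": 4688, "user": "SYSTEM",
         "command_line": 'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" '
                         '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 10:47'},
        {"ts": "2017-06-27T10:46:02", "host": "WS01", "event_id": 106,
         "user": "SYSTEM", "task_name": "\\"},
        {"ts": "2017-06-27T10:50:00", "host": "WS02", "event_id": 4688, "user": "admin",
         "command_line": 'schtasks /Create /SC weekly /TN "NightlyBackup" '
                         '/TR "C:\\tools\\backup.bat" /ST 23:00'},
        {"ts": "2017-06-27T10:50:01", "host": "WS02", "event_id": 106,
         "user": "admin", "task_name": "\\NightlyBackup"},
    ]


if __name__ == "__main__":
    for alert in correlate_reboot_tasks(constructed_sample_events()):
        print(alert)
```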
Awareness Training
Identification
Once infected it is too late; hopefully you will have a solid backup plan in place. If you are lucky enough to be warned before the malware takes over, look for the following:
● rundll32.exe running in the Windows Task Manager
● The system shutting down for a reboot on its own
If the system shuts down and begins the reboot process, the MBR (Master Boot Record) has been encrypted and the fake disk repair screen will appear, showing the progress of the local disk files being encrypted. Following completion of the encryption, you will be presented with a black screen filled with red text demanding money.
Escalation
A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PsExec.
If any indication of the malware is discovered, the computer must be immediately shut off and not rebooted. The security team must be contacted immediately so that steps can be taken to protect the remaining systems on the network, as the malware will already have made attempts to propagate.
After notifying the IT/Security team, you should next contact your direct manager right away. Your direct manager will most likely inform the Corporate Management team to make them aware of what may be a potentially major issue.
Organize a meeting with officers to decide, on a cost-benefit basis, whether to keep the drives in the event a decryption method is found in the future. The encrypted drives will need to be labeled and stored for potential decryption in the event that flaws in the malware code are discovered. If proper backups are available, the drives can be overwritten to save labor, storage and the cost of new hardware.
Quarantine and Response
If the extra rundll32.exe process is present, as mentioned above in the Identification section, power off the PC and do not turn it back on again. It was found that it may be possible to stop the encryption process if an infected computer is immediately shut down when the fictitious chkdsk screen appears, and a security analyst proposed that creating read-only files named perfc and/or perfc.dat in the Windows installation directory could prevent the payload of the current strain from executing.
Remove the computer from the internal network and isolate it so that infection to other machines
is not possible. While the most secure method to remove NotPetya is to replace the hard drive
and reinstall from a backup, reinstalling Windows will remove NotPetya from the system. This
again is assuming the malware has not evolved into a new variant that stores its executables
outside of the typical Windows install. In the event that the encryption has begun, the computer
must still be powered off, as this will halt the process and leave the unaffected data available for
retrieval. If this is the case the hard drive must be replaced as it is no longer able to be used
safely.
For NotPetya, the ID shown in the ransom screen is random data and therefore even payment
to the threat actor will not resolve the attack. If AI engines are available, the security team will
be able to update the rules to successfully detect elements of the infection and propagation.
In addition to the above, a robust anti-malware suite with embedded anti-ransomware protection
should be part of all of the systems, including any remote systems or laptops used by the sales
team in the field.
Update Microsoft Windows and all third party software. Ensure comprehensive cybersecurity
training for all personnel that perform any work on the computers within the company. This
training should include how to identify phishing emails, social data gathering, and instructions on
routine backup techniques with an emphasis on data validation.
Summary
NotPetya represents the evolution of cybersecurity attacks not just in terms of the methodology used, but in the intent. NotPetya combines ransomware with the ability to propagate itself across a network. Built upon a relatively unsuccessful ransomware (Petya), the malware binary tries to extract users' logins and passwords in an effort to move laterally through a local network once administrative credentials are gained.
The second function of NotPetya is to make irreversible modifications to the Master Boot Record and then force a reboot of the system, at which point a disk repair message is displayed. This disk repair is, in reality, the attack on the fixed drives of the system, encrypting all the files.

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 

NotPetya Report

Team NotPetya WalterWhite Laboratories Dec. 2018

Petya/NotPetya
Report on Malware Infection
12 / 6 / 2018

TOC / Introduction

This document summarizes our analysis of NotPetya and offers forward-looking measures to counter similar attacks in the future.

This document covers the following areas:
● Executive Summary
● Characteristics
● Static Analysis
○ Synopsis of Executable
○ Other Key Points
○ Timeline
○ Initial Behavior
● Dynamic Analysis
○ Process Environment
○ Network Activity
○ Filesystem Modifications
● Containment Strategy
○ Scope
○ Severity
○ Solution
● Awareness Training
○ Identification
○ Quarantine and Response
○ Escalation
● Summary

/EXECUTIVE SUMMARY

SEVERITY: HIGH
VICTIMS: worldwide – companies
ATTACKERS: Unknown

A new malware variant, called Petya/NotPetya, began disabling critical systems on Tuesday, 27 June 2017 in Ukraine, Russia, Denmark, France, the UK, the USA, Belgium and many other countries. While originally thought to be plain ransomware, technical analysis made clear that it had more functionality than standard ransomware and a greater intent to destroy data. While this strain does encrypt files, it also inflicts irreparable damage on the system and was built in a way that makes decryption impossible.

Multiple sources, including the US Department of Homeland Security, state that NotPetya's primary goal was the destruction of both data and the systems holding it. The malware spreads through a well-known vulnerability in the Windows SMB protocol, combined with the use of built-in Windows tooling (WMIC, PsExec) and stolen credentials. Once infected, the computer will no longer boot and the vast majority of files on the drive have been encrypted. On the next startup the user is presented with a message stating that the system's files are encrypted and cannot be decrypted unless a decryption key is purchased for $300; the malware author claims the key will be sent upon payment. It is believed that the initial infection came through the automatic update mechanism of the accounting software MEDoc, made by a company based in Ukraine. The update was contaminated with Petya/NotPetya and the malware spread quickly through several networks of the Ukrainian government and the logistics company Maersk.
Screen grab of the ransom note.

The malware spread through the internal networks of Maersk, an international company, and so was able to cross national borders. It spread using the same SMB vulnerabilities that were used in the WannaCry campaign; companies that had not patched them were exposed. In addition, Petya/NotPetya contains several other methods of infecting systems internally, including the theft of credentials, so patching alone is not sufficient.

Along with Walter White Laboratories, other companies that were infected and suffered substantial financial loss include FedEx, Merck, WPP, DLA Piper, Nuance Communications, Beiersdorf, Maersk and Saint-Gobain, as well as many smaller companies.
TECHNICAL OVERVIEW

Characteristics

This strain closely resembles the Petya malware of 2016, but has some distinctive differences:
● The infection vector is not phishing but the MEDoc application;
● The distribution methods are the SMB vulnerabilities, legitimate Windows tools and Mimikatz;
● The binary carries a fake digital signature;
○ XOR-encrypted shellcode is used in the loader to bypass AV signatures;
● Specific behavior can be observed on domain controllers and servers: the malware calls DhcpEnumSubnets() to retrieve all DHCP subnets before scanning for tcp/139 and tcp/445 services;
● There is an unconfirmed 'kill switch': creating a read-only file called 'perfc' in the %WINDIR% folder. Note that this only protects the local host; it does not prevent the malware from spreading elsewhere;
● There is no evidence of communication with an external command-and-control server.

Static Analysis

Synopsis of Executable

Although initially labeled ransomware because of the ransom message displayed after infection, NotPetya functions more as a destructive wiper than as actual ransomware. Initial analysis showed many similarities with Petya ransomware samples from 2016, but further research indicated the malware had been modified to cause data destruction. NotPetya overwrites sectors of the physical hard drive and the C: volume, and has no ability to restore the files, so recovery is impossible even if the ransom is paid.

Using the Windows API DeviceIoControl, the malware obtains direct read and write access to the physical hard drive without going through the file system (provided it has administrative privileges). This allows the code to determine the number of disks and partitions on the system, unmount a mounted volume (even if in use), and determine the drive geometry (number of sectors, bytes per sector, etc.). The malware uses this access to destroy data critical to the operating system. NotPetya also replaces the OS bootloader with custom code embedded in the binary.

Other Key Points
● NotPetya is a 27 KB malicious DLL (dynamic-link library) that is launched using rundll32.exe
● PE32 executable (DLL) (console) Intel 80386, for MS Windows
● Compilation date: Tuesday, 27 June 2017

Timeline
● June 27, 2017 - 05:00 - 06:00 EDT - First signs of the attack emerge on Twitter in a post about a Ukrainian power distributor being hacked
● June 27, 2017 - 08:00 EDT - Symantec confirms that Petya is responsible for the attack
● June 27, 2017 - 10:00 EDT - Kaspersky Lab tweets a statement clarifying that the ransomware is not a variant of Petya but a new family, named NotPetya. It also announces that at least 2,000 organizations had already been infected at the time of the tweet.
● June 27, 2017 - 12:00 EDT - Ukrainian police announce that MEDoc, accounting software used by many Ukrainians to pay their taxes, was the NotPetya infection vector.
● June 27, 2017 - 13:00 EDT - Security officials begin to announce methods to avoid the attack.
● June 28, 2017 - 05:00 EDT - It is announced that those who paid the ransom are not getting their files back.
Initial Behavior

The table below summarizes the initial activity generated by the sample upon upload to Any.Run.

Activity Type    Count
HTTP Requests    N/A
DNS Requests     N/A
Connections      RAW UDP data
Files Changed    MBR

Behavior Once Active

Once installed, NotPetya does several things:
● It runs Mischa, a component of an earlier variant of the Petya ransomware, and encrypts individual files
● It reboots the system, encrypts the MFT (master file table) and renders the Master Boot Record (MBR) inoperable. It overwrites the MBR with code that displays the ransom note, leaving the system unable to boot.

Dynamic Analysis

The test results were generated by executing the malware on Any.Run's hosted platform.

What is EternalBlue?

The EternalBlue vulnerability, CVE-2017-0144, targets the Microsoft Windows Server Message Block (SMB) protocol and allows attackers to execute arbitrary code. Microsoft issued a fix in March 2017 (MS17-010).

Process Environment

The malware runs with administrative privileges. After obtaining administrative access to the machine it encrypts the master boot record, making the infected Windows computer unusable. Administrative privileges also allow NotPetya to harvest user credentials from the infected host and use them to connect to other systems on the network, spreading like a worm. It takes only one infected machine in an organization to take down every system on the network.
NotPetya executable/loader fingerprints
● MD5: 71b6a493388e7d0b40c83ce903bc6b04
● SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
● SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Indicators of suspicious activity:

The first sign of suspicious activity is the malware decompressing its resource 0x3 (type RT_RCDATA) to C:\Windows\dllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility, a telnet replacement that allows execution of processes on other systems on the LAN. The malware then forces the computer to reboot.

Network Activity

While monitoring network traffic after running the NotPetya executable, we observed no DNS or HTTP requests. Instead the sample opened a raw UDP flow from our localhost (VM) to 192.168.100.140 on port 137. Note that 192.168.100.140 is a private address inside the sandbox network and UDP/137 is the NetBIOS name service, so this traffic is consistent with the NetBIOS server-name enumeration described below rather than with an external command-and-control channel (the Characteristics section notes there is no evidence of one).

The malware enumerates all network adapters and all known server names via NetBIOS, and also retrieves the list of current DHCP leases, if available. Every IP on the local network and every server found is checked for open TCP ports 445 and 139. Machines with these ports open are then attacked with one of the methods described below.

After the initial infection the malware tries to move laterally using the following techniques:
● Theft of username/password combinations using a variant of Mimikatz;
● Reuse of active SMB sessions;
● Use of shared folders to spread the ransomware through the network using WMIC and PsExec;
● Use of the known SMBv1 vulnerabilities EternalBlue and EternalRomance.

A network scan is made:
● The malware enumerates all network adapters and all possible server names via NetBIOS;
● Enumerates the DHCP addresses in use, if available;
● Also uses the local ARP cache;
● Each network address on the local network is checked for open TCP ports, specifically SMB ports 445 and 139. Machines that have these ports open are then attacked using one of the methods described above.
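The scanning behavior described above (a single host probing every address on the local network for TCP 445/139) is itself a usable detection signal. The following Python is added to this report as an illustration and is not part of the original analysis: it flags a source address that contacts an unusually large number of distinct SMB destinations within a short window, which is how a NotPetya-infected host looks in flow data, while a workstation that talks to the same file server all day is never flagged. The flow-log format, the host addresses and the thresholds (10 distinct destinations within 60 seconds) are constructed assumptions, not values taken from the Any.Run run.

```python
"""Flag worm-like SMB fan-out in a connection log.

Added example (not part of the original report). The flow-log format
below is a constructed simplification:  <epoch_s> <src_ip> <dst_ip> <dst_port>
The thresholds are assumptions; tune them to the environment.
"""
from collections import defaultdict, deque

SMB_PORTS = {139, 445}          # ports NotPetya probes before attacking a host
DEFAULT_THRESHOLD = 10          # distinct SMB destinations ...
DEFAULT_WINDOW_S = 60           # ... within this many seconds


def parse_flow(line):
    """Parse one constructed flow record into (ts, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_smb_fanout(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW_S):
    """Return {src_ip: (window_start_ts, distinct_destinations)} for every
    source that reaches `threshold` distinct hosts on 139/445 within `window`
    seconds. Non-SMB traffic is ignored, and repeated contact with the same
    server never counts as more than one destination."""
    events = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerts = {}
    for ts, src, dst, port in events:
        if port not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop contacts that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


def constructed_log():
    """Constructed sample traffic: one benign workstation plus one infected host."""
    lines = []
    # 10.0.0.5 talks to its file server 10.0.0.10 every 5 s: one destination, never an alert
    for i in range(12):
        lines.append(f"{1000 + 5 * i} 10.0.0.5 10.0.0.10 445")
    # 10.0.0.23 sweeps 30 neighbours on 445 and 139, two hosts per second
    for i in range(1, 31):
        lines.append(f"{1030 + i // 2} 10.0.0.23 10.0.0.{100 + i} 445")
        lines.append(f"{1030 + i // 2} 10.0.0.23 10.0.0.{100 + i} 139")
    # unrelated HTTP traffic from the infected host, ignored by the detector
    lines.append("1040 10.0.0.23 10.0.0.200 80")
    return lines


if __name__ == "__main__":
    for src, (start, n) in detect_smb_fanout(constructed_log()).items():
        print(f"ALERT {src}: {n} distinct SMB destinations starting at t={start}")
```

The alert fires on the first record that pushes a source over the threshold, so the reported timestamp is the start of the sweep, which is the moment to pull that host's process and credential telemetry. In production the same logic runs over NetFlow, Zeek conn logs or firewall logs after mapping their fields onto the four used here.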
Filesystem Modifications

According to the Any.Run report, rundll32.exe executes the commands and overwrites the data. File system modifications are the changes a deployed package makes to the file system of the target PC: creating or deleting files and folders, modifying file contents and creating shortcuts. In the case of NotPetya, rundll32.exe is a legitimate Windows binary, so the process looks normal while the malicious DLL loaded into it "encrypts" the data to hold it for "ransom". Once the user reboots the computer or the screen goes black, the data is effectively gone.

Containment Strategy

Scope

The malware aims to obtain user credentials via Mimikatz-style tooling; once it holds administrative credentials it starts to spread. It can jump to other vulnerable devices and, instead of holding people's data for ransom like ordinary ransomware, it wipes the information, so victims lose their money and get nothing back.

The malware specifically targeted Windows computers in June 2017 in Ukraine, Russia, Denmark, France, the UK, the USA, Belgium and other countries, and has been called the "worst cybersecurity attack in history". The affected Windows computers lacked recent updates and the latest patches, which made them vulnerable and showed how far patching practice lags across the board. Computers running Windows 10 were less affected and, even where they were, its improved security measures prevented the malware from spreading to other systems; most affected systems ran something older. Companies ranging from 10,000 employees down to 10-50 employees were hit, and no specific industry was targeted: anyone running a vulnerable, older Windows OS was a target.

Severity

A White House assessment estimated the damage from NotPetya at more than 10 billion dollars. Pharmaceutical vendor Merck lost around 670 million dollars and FedEx around 450 million. Consumer products vendor Reckitt Benckiser lost around 100 million dollars and snack maker Mondelez International had losses exceeding 150 million. Merck also had to replace 45,000 computers that were infected.
Other companies around the world that lost large amounts of money to NotPetya include Nuance Communications, Beiersdorf, Maersk and Saint-Gobain, as well as many smaller companies that lost less in absolute terms but suffered losses just as devastating, if not more so, given their size and limited resources.

Tom Bossert, the US Homeland Security Advisor at the time NotPetya was discovered, confirmed the damage estimates and the suspected source. It is believed that the Russian government, in an attempt to destabilize Ukraine, unleashed the malware, and that the unforeseen consequences were devastating worldwide. In the end it is far cheaper to replace infected computers than to run the risk of reinfection.

Solution

First and foremost, the best solution is a backup strategy that follows the 3-2-1 rule: keep at least three copies of all data; keep two of them on different media types (hard drive, tape or any other medium stored off the network); and keep at least one copy off-site in case of physical loss at the location where the other copies reside. Maintain a backup schedule that limits the amount of data lost between backups, for example continuous backups to one medium plus a full backup at midnight.

Below is a list of other steps that can be taken to reduce the risk of attack.
● Don't pay the ransom; it is too late. Once the attack starts, the user's data is wiped from the infected system. In earlier versions of "similar" ransomware, the installation ID contained information crucial to key recovery; NotPetya's ID is randomly generated, and the single e-mail address listed on the ransom screen was quickly shut down.
● Ensure your systems are patched with the latest security updates (specifically Microsoft Security Bulletin MS17-010). Windows 10 contains security measures that can prevent an infected system from infecting others.
● Remove local administrator rights from regular users.
● Watch for the creation of new scheduled tasks (Task Scheduler Event ID 106) matching the following commands, where the /ST switch is followed by the scheduled start time:
○ schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST
○ cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST
● Block the execution of PsExec and of perfc.dat through AppLocker or a similar tool, and make sure your AV / IDS / IPS rule sets are up to date.
● Enforce a backup strategy and test it.
● Apply the standard security controls against ransomware.
● Apply the following SMB restrictions:
○ Ensure that Windows SMB services (typically TCP port 445) are not directly exposed to the internet.
○ Block inbound external traffic on port 445.
○ Disable SMBv1 in your network.
● Monitor the internal network, specifically for anomalies in management traffic.

Awareness Training

Identification

Once infected it is too late; hopefully you have a solid backup plan in place. If you are lucky enough to be warned before the malware takes over, look for the following:
● An unexpected rundll32.exe process in Windows Task Manager
● The system shutting down and rebooting on its own

If the system shuts down and begins to reboot, the MBR (Master Boot Record) has already been replaced and a fake disk-repair screen appears showing the "progress" of the local disk being encrypted. Once the encryption finishes you are presented with a black screen filled with red text demanding money.

Escalation

A single infected system on the network holding administrative credentials is capable of spreading the infection to every other computer through WMIC or PsExec. If any indication of the malware is found, the computer must be shut off immediately and not rebooted. Contact the security team at once so that steps can be taken to protect the remaining systems on the network, since the malware will already have attempted to propagate. After notifying the IT/security team, contact your direct manager right away. Your direct manager will most likely inform the corporate management team to make them aware of what may be a major issue.
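The Solution section above recommends watching for the scheduled task NotPetya registers to force its reboot. Task Scheduler Event ID 106 records only that a task was registered (task name and user); the command behind it appears in process-creation telemetry such as Sysmon Event ID 1 or Security Event ID 4688, and in the task XML of Security Event ID 4698. The Python below is added here as an illustration and is not part of the original analysis: it classifies command lines from such records against the indicators listed above (schtasks /Create with a one-shot schedule, an empty task name, a SYSTEM run-as account, and a forced reboot as the task action) and flags the records that match the NotPetya pattern while leaving ordinary backup tasks and planned reboots alone. The event records, hostnames and start times are constructed.

```python
"""Classify process command lines for the NotPetya scheduled-reboot pattern.

Added example (not part of the original report). Records are constructed in
the shape of process-creation telemetry (Sysmon Event ID 1 / Security 4688);
only the command line is examined.
"""
import re

SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b")
CREATE_RE = re.compile(r"/create\b")
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?system"?')
ONE_SHOT_RE = re.compile(r"/sc\s+once\b")
EMPTY_NAME_RE = re.compile(r'/tn\s+""')
# /TR value: either a quoted action or a single bare token
TR_QUOTED_RE = re.compile(r'/tr\s+"([^"]*)"')
TR_BARE_RE = re.compile(r"/tr\s+(\S+)")
# shutdown with /r (reboot) and /f (force); "/r" must not match "/ru"
REBOOT_RE = re.compile(r"shutdown(?:\.exe)?\b.*(?:^|\s)/r(?:\s|$)")
FORCE_RE = re.compile(r"(?:^|\s)/f(?:\s|$)")


def classify_command(cmdline):
    """Return the list of indicator names matched by one command line.
    Everything is lower-cased first; Windows switches are case-insensitive."""
    low = cmdline.lower()
    hits = []
    if not (SCHTASKS_RE.search(low) and CREATE_RE.search(low)):
        return hits                      # queries, deletes, unrelated tools
    hits.append("schtasks_create")
    if RUN_AS_SYSTEM_RE.search(low):
        hits.append("run_as_system")
    if ONE_SHOT_RE.search(low):
        hits.append("one_shot")
    if EMPTY_NAME_RE.search(low):
        hits.append("empty_task_name")
    m = TR_QUOTED_RE.search(low) or TR_BARE_RE.search(low)
    if m:
        action = m.group(1)
        if REBOOT_RE.search(action) and FORCE_RE.search(action):
            hits.append("forced_reboot_action")
    return hits


def is_notpetya_like(hits):
    """A task whose only purpose is a forced reboot is the NotPetya signature;
    the other indicators raise confidence but are not required."""
    return "schtasks_create" in hits and "forced_reboot_action" in hits


def scan_events(events):
    """Return [{"host", "command_line", "hits"}] for the records that match."""
    flagged = []
    for ev in events:
        hits = classify_command(ev["command_line"])
        if is_notpetya_like(hits):
            flagged.append({"host": ev["host"],
                            "command_line": ev["command_line"],
                            "hits": hits})
    return flagged


# Constructed records: two NotPetya-style task registrations and three benign commands.
SAMPLE_EVENTS = [
    {"host": "WS-017", "command_line":
        r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"host": "WS-021", "command_line":
        r'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:40'},
    {"host": "SRV-BKP", "command_line":
        r'schtasks /Create /SC DAILY /TN "Backup\Nightly" /TR "C:\Tools\backup.exe --full" /ST 00:00'},
    {"host": "WS-003", "command_line": r'shutdown.exe /r /t 300 /c "Patch reboot"'},
    {"host": "SRV-BKP", "command_line": r'schtasks /Query /TN "Backup\Nightly"'},
]

if __name__ == "__main__":
    for rec in scan_events(SAMPLE_EVENTS):
        print(f'{rec["host"]}: {", ".join(rec["hits"])}')
```

The decision rests on the task action rather than on the exact string from the report, so a variant that renames the task or changes the start time is still caught; the extra indicators (one-shot schedule, empty name, SYSTEM account) are kept in the output so an analyst can see how closely a hit resembles the known commands.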
Organize a meeting with officers to decide, on a cost/benefit basis, whether to keep the drives in case a decryption method is found in the future. The encrypted drives will need to be labeled and stored for potential decryption should flaws in the malware's code be discovered later. If proper backups are available, the drives can be overwritten instead, saving labor, storage and the cost of new hardware.

Quarantine and Response

If the unexpected rundll32.exe process mentioned in the Identification section is present, power off the PC and do not turn it back on. It has been found that it may be possible to stop the encryption process by shutting an infected computer down the moment the fictitious chkdsk screen appears, and a security analyst proposed that creating read-only files named perfc and/or perfc.dat in the Windows installation directory could prevent the payload of the current strain from executing. Remove the computer from the internal network and isolate it so that it cannot infect other machines. The most secure way to remove NotPetya is to replace the hard drive and reinstall from backup, but reinstalling Windows will also remove NotPetya from the system; this assumes the malware has not evolved into a variant that stores its executables outside the typical Windows installation. If encryption has already begun, the computer must still be powered off, as this halts the process and leaves the not-yet-affected data available for retrieval; in that case the hard drive must be replaced, as it can no longer be used safely. Because the ID shown on NotPetya's ransom screen is random data, paying the threat actor will not resolve the attack.

If AI-based detection engines are available, the security team can update their rules to detect elements of the infection and its propagation. In addition, a robust anti-malware suite with built-in anti-ransomware protection should run on all systems, including any remote systems or laptops used by the sales team in the field. Update Microsoft Windows and all third-party software. Provide comprehensive cybersecurity training for all personnel who work on company computers, covering how to identify phishing e-mails and social-engineering data gathering, and routine backup practice with an emphasis on data validation.
Summary

NotPetya represents an evolution in cyberattacks not just in methodology but in intent. It combines ransomware with the ability to propagate itself across a network. Built on a relatively unsuccessful ransomware family (Petya), the binary tries to harvest users' logins and passwords in order to move laterally through the local network once administrative credentials are obtained. Its second function is to make irreversible modifications to the Master Boot Record and force a reboot, at which point a disk-repair message is displayed. This "disk repair" is in reality the attack on the system's fixed drives, encrypting the files.