Full report final for NotPetya

Team NotPetya WalterWhite Laboratories Dec. 2018
1 of 14
Petya/NotPetya
Report on Malware Infection
12 / 6 / 2018

2 of 14
TOC / Introduction
This document is designed to summarize our analysis of NotPetya and offer forward thinking
solutions to counter similar attacks in the future.
This document will cover the following areas:
● Executive Summary
● Characteristics
● Static Analysis
○ Synopsis of Executable
○ Other Key Points
○ Timeline
○ Initial Behavior
● Dynamic Analysis
○ Process Environment
○ Network Activity
○ Filesystem Modifications
● Containment Strategy
○ Scope
○ Severity
○ Solution
● Awareness Training
○ Identification
○ Quarantine and Response
○ Escalation
● Summary

3 of 14
/EXECUTIVE SUMMARY
SEVERITY VICTIMS ATTACKERS
HIGH worldwide – companies Unknown
A new malware variant – called Petya/NotPetya – started to disabled several
critical systems on Tuesday, 27th of June 2017 in Ukraine, Russia, Denmark, France,
the UK, the USA, Belgium and multiple other countries. While originally thought to be a
ransomware-only malware, after technical analysis it became clear that it had more
functionality than standard ransomware with more intent on destruction of data. While
this string of malware does encrypt files, it also inflicts unrepairable damage to the
system and was built in a way that decryption would not be possible.
Multiple sources , including the US government’s Homeland Security, state that
NotPetya’s primary goal was destruction of both data and data systems. The malware
spreads through a well-known vulnerability in the Windows SMB-protocol, combined
with the usage of internal Windows toolkits (WMIC, PsExec) and the theft of credentials.
Once infected the computer will no longer boot and the vast majority of all files on the
drive have been encrypted. Upon attempted startup of the system the user will be
presented with a message on the screen informing the user that the systems’ files are
encrypted and cannot be decrypted unless a decryption key is purchased for $300.
Upon payment of the $300 ransom, the malware writer claims that the decryption key
will be sent. It is believed that the initial infection involves the automatic update of the
accounting software ‘MEDoc’, a company based in the Ukraine. The update was
contaminated with the malware Petya/NotPetya and spread quickly throughout several
networks of the Ukrainian government and the logistics company Maersk.

4 of 14
Screen grab of the ransom note.
The malware spread through the internal networks of Maersk, which is an international
company and thus was able to begin to cross country’s borders. The malware was
spreading using the same vulnerabilities in the SMB-protocol which were also used in
the WannaCry campaign. Companies that had not patched these vulnerabilities were
vulnerable. In addition, the Petya/NotPetya malware contains several other methods –
including the theft of credentials – to infect systems internally other than just the SMB-
vulnerability, which means that only patching is not sufficient.
Along with Walter White Laboratories, other companies that were infected and had
substantial financial loss were FedEx, Merck, WPP, DLA Piper, Nuance
Communications, Beirsdorf, Maersk, Saint Gobain as well as many other smaller
companies.

5 of 14
TECHNICAL OVERVIEW
Characteristics
This particular string of malware closely resembles the Petya malware of 2016, but has some
distinctive differences:
● The infection vector does not involve phishing, but the MEDoc application;
● The distribution methods are the SMB-vulnerabilities, legitimate Windows tools and
Mimikatz;
● Fake digitally signed software is used; o XOR encrypted shell code is used in malware
load to bypass AV signatures;
● A specific behavior can be observed on domain controllers and servers; this malware
attempts to activate a function ‘DhcpEnumSubnets ()' to retrieve all DHCP subnet before
a scan is made to tcp / 139 and tcp / 445 services;
● There is an unconfirmed ‘killswitch’ in the malware that can be activated by creating an
'read only file called 'perfc' under the % Windows% install folder. However, this will not
prevent malware from spreading itself;
● There is no evidence for communication to an external communication and control
server.
Static Analysis
Synopsis of Executable
Although initially labeled as ransomware due to the ransom message that is displayed after
infection, it appears now that NotPetya functions more as a destructive wiper-like tool than
actual ransomware.
Initially, analysis showed many similarities with Petya ransomware samples from 2016, but
further research indicated the malware had been modified to cause data destruction. NotPetya
overwrites sectors of the physical hard drive and C: volume, but does not contain the ability to
restore the files, rendering recovery impossible even if the ransom is paid.
Using the Windows API DeviceIoControl, the malware is able to obtain direct read and write
access to the physical hard drive, without interaction with the operating system (provided it has
the proper administrative permissions).
This allows the code to determine the number of disks and partitions on the system, unmount a

6 of 14
mounted volume (even if in use), and determine the drive geometry for the drives on the system
(i.e., the number of sectors, bytes per sector, etc.). The malware uses this access to destroy
data critical to the operating system. NotPetya also has the ability to replace the OS bootloader
with custom code embedded in the binary.
Other Key Points
● NotPetya is a 27kb malware DLL (dynamic-link library) that is launched using
rundll32.exe
● PE32 executable (DLL) (console) Intel 80386, for MS Windows
● Compilation date: Tuesday, 27th of June 2017
Timeline
● June 27, 2017 - 05:00 - 06:00 EDT - First signs of attack emerge on Twitter in a post
about a Ukrainian power distributor being hacked
● June 27, 2017 - 08:00 EDT - Symantec confirms that Petya is responsible for the attack
● June 27, 2017 - 10:00 EDT - Kaspersky Lab tweets a statement clarifying that the
ransomware is not a variant of Petya but is a new ransomware named NotPetya. They
also announce that at least 2000 organization had already been infected at the time of
the tweet.
● June 27, 2017 - 12:00 EDT - Ukraine police announce that MeDoc, and accounting
software used by many Ukrainians to pay their taxes was the NotPetya vector point.
● June 27, 2017 - 13:00 EDT - Security officials begin to announce methods to avoid the
attack.
● June 28, 2017 - 05:00 EDT - It is announced that those who decided to pay the ransom
are not getting their files back.

7 of 14
Initial Behavior
The table below summarizes the initial activity generated by the sample upon upload to
Any.Run.
Behavior Once Active
Once installed, NotPetya does several things:
● It runs Mischa, a component of an earlier variant of the Petya ransomware, and encrypts
individual files
● It reboots the system and encrypts the MFT (master file table) and renders the Master
Boot Record (MBR) inoperable. It also overwrites the MBR with a file that displays the
ransom note, which renders the system unable to boot.
Activity Type Count
HTTP Requests N/A
DNS Requests N/A
Connections RAW UDPdata
Files Changed MBR
Dynamic Analysis
The test results were generated by executing the malware on Any.Run’s hosted platform.
What is EternalBlue? The EternalBlue vulnerability, CVE-2017-0144, targets the Microsoft
Windows Server Message Block (SMB) protocol and allows attackers to execute arbitrary code.
A fix was issued in March 2017 by Microsoft.
Process Environment
The malware runs as admin, after successfully getting admin access to the machine the
malware then encrypts the master boot record making the infected windows computers
unusable. NotPetya having admin privileges allows it to harvest user credentials from the
infected host then uses those credentials to connect to other systems on the network, spreading
the malware like a worm. Only takes one infected machine in an organization to take down all
systems in the network.

8 of 14
NotPetya executable/loader fingerprints
● MD5: 71b6a493388e7d0b40c83ce903bc6b04
● SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
● SHA256:
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Indicators of suspicious activity: The malware first shows signs of suspicious activity when it
decompresses its resource named 0x3 of type RT_RCDATA contents to
C:Windowsdllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility,
which is a telnet replacement that allows execution of process on other systems on the LAN.
Then it forces the computer to reboot.
Network Activity
While monitoring the network traffic after running NotPetya executable, The malware
does not make any DNS requests or HTTP requests. Instead it creates a RAW UDP data flow tp
192.168.100.140 (attackers CNC) from our localhost (VM) established on port:137
The malware enumerates all network adapters, all known server names via NetBIOS and also
retrieves the list of current DHCP leases, if available. Each and every IP on the local network
and each server found is checked for open TCP ports 445 and 139. Those machines that have
these ports open are then attacked with one of the methods described above.
After initial infection, the malware tries to move laterally by using following techniques:
● The theft of username / password combinations using a variant of Mimikatz;
● The reuse of active SMB sessions;
● The usage of shared folders to spread the ransomware through the network using WMIC
and PsExec;
● The usage of the known SMBv1 vulnerabilities EternalBlue and EternalRomance2.
A network scan is made:

9 of 14
● The malware enumerates all network adapters and all possible server names via
NetBIOS;
● Enumerates the DHCP addresses used, if available;
● Also uses the local ARP cache;
● Each network address on the local network is checked for open TCP ports, specifically
SMB ports 445 and 139. Machines that have these ports open are then attacked using
one of the methods described above.

10 of 14
Filesystem Modifications
Based on the information from the Any.run report, the rundll32.exe executes commands
and overwrites the data. The file system modifications are the changes to be performed by a
generated package during its deployment to the file system on a target PC. Those changes can
include files and folders creation or deletion, file content modification and shortcuts creation. In
the case of NotPetya, rundll32.exe looks normal but the malware is disguised as a normal
Windows application and then “encrypts” the data to hold it for “ransom.” Once the user reboots
the computer or the system goes black, the information is pretty much gone.
Containment Strategy
Scope
The malware aims to obtain user credentials via Mimikatz tools and once it obtains
administrative credentials, it will start to spread itself. It can jump to other devices that are
vulnerable and instead of holding people’s information and data like ransomware, it would wipe
the information, thus users would lose money and wouldn’t get anything back. The malware
specifically targeted Windows computers in June 2017 in the following countries: Ukraine,
Russia, Denmark, France, the UK, the USA, Belgium and others, dubbing it the “worst
cybersecurity attack in history”. These Window computers did not have software updates and
did not have the latest patches, thus making them vulnerable to the attack and showing how the
we are universally not up to standard. Computers that ran Windows 10 were not as affected and
even if they were, the improved security measures prevented the malware from spreading to
other systems. The majority of affected operating systems were anything older than that.
Companies ranging from 10k employees to even 10-50 employees were affected by this attack
and no specific industry was targeted - anyone who was vulnerable with an older Windows OS
was a target.
Severity
In a report created by the White House it was estimated that the damage from NotPetya
was more than 10 billion dollars. Pharmaceutical vendor Merck lost around 670 million dollars
and FedEx lost around 450 million dollars. Consumer Products vendor Reckitt Benckiser lost
around 100 million dollars and snack maker Mondelez International had loses exceeding 150
million dollars. Merck also had to replace 45000 computers that were infected with the virus.

11 of 14
Other companies around the world that lost large amounts of money due to NotPetya are:
Nuance Communications, Beirsdorf, Maersk, Saint Gobain, as well as many other smaller
companies that lost less but were equally as devastating if not more so because of their size
and limited resources. Tom Bossert, the current head of Homeland Security at the time of the
discovery of NotPetya confirmed the estimates of the damage and the potential source. It is
believed that the the Russian government, in an attempt to destabilize the Ukraine, unleashed
the ransomware on the unsuspecting global network and the unforeseen consequences were
devastating worldwide.
In the end it is far cheaper to just replace infected computers than it is to run the risk of infection
again.
Solution
First and foremost the best solution is a backup strategy that follows the 3-2-1 backup
rules. There should be at least 3 copies of all data. Two copies are on different media types.
This can be hard drive, tape backup, or any other medium that is stored off the network. Keep at
least one copy stored off-site in the event of physical data loss in the location the other copies
reside. Maintaining a backup schedule that limits the amount of data lost between backups. For
example, should the backups run continuously on one media and then a full backup at midnight.
Below is a list of other steps that can be taken to help mitigate the potential of attack.
● Don’t pay the ransom because it’s too late! Once the attack commences, the user’s
information is wiped from the infected system. In previous versions of “similar”
ransomware, the installation ID contained crucial information for the key recovery.
NotPetya’s ID is randomly generated, and the single email listed on the ransom screen
was quickly killed.
● Ensure your system is patched according to the latest security updates. (Specifically,
Microsoft Security Patch MS17-010). Windows 10 contains security measures that can
prevent other systems from being infected.
● Take away any local administrator rights of regular users.
● Watch out for the creation of new scheduled tasks via EventId 106 for the following
tasks:
○ ‘schtasks /Create /SC once /TN “” /TR “shutdown.exe /r /f” /ST ’
○ ‘cmd.exe /c schtasks /RU “SYSTEM” /Create /SC once /TN “” /TR’
○ ‘C:Windowssystem32shutdown.exe /r /f” /ST ’.

12 of 14
● Block the execution of ‘PsExec’ and ‘perfc.dat’ files through Applocker or a similar tool.
Make sure your AV / IDS / IPS rule set is up-to-date.
● Enforce a backup strategy and test it.
● Comply with the traditional security methods against Ransomware.
● Consider following SMB restrictions.
● Ensure that Windows SMB services (typically TCP port 445) are not directly connected
to the internet.
● Consider blocking entering external traffic on port 445.
● Consider disabling SMBv1 in your network.
● Monitor the internal network specifically on anomalies in management traffic.
Awareness Training
Identification
Once infected it is too late. Hopefully you will have a solid backup plan in place. If you are lucky
enough to be warned before the malware takes over, look for the following:
● Rundll32.exe running in the Windows Task Manager
● System shutdown for reboot on it’s own
If the system shuts down and begins the reboot process, the MBR (Master Boot Record) has
been encrypted and the fake disk repair screen will appear showing the progress of the local
disk files being encrypted. Following completion of the encryption, you will be presented with a
black screen filled with red text demanding money.
Escalation
A single infected system on the network possessing administrative credentials is capable
of spreading this infection to all the other computers through WMI or PSEXEC.
If any indication of the malware is discovered, the computer must be immediately shut off and
not rebooted. The security team must be contacted immediately and steps can be taken to
protect the remaining systems on the network as the malware will have already made attempts
to propagate.
After notifying the IT/Security team right away, you should next contact your direct manager
right away! Your direct manager will most likely inform the Corporate Management team to
make them aware of what be a potentially major issue.

13 of 14
Organize a meeting with officers to decide on the cost benefit analysis of keeping the drives in
the event a decryption method is found in the future. The encrypted drives will need to be
labeled and stored for a potential decryption in the event flaws in the malware code are
expanded. If proper backups are available, the drives can be overwritten to save labor, storage
and cost of new hardware.
Quarantine and Response
If the extra rundll32.exe file is present as mentioned above in the Identification section; power
off the PC and do not turn it back on again. It was found that it may be possible to stop the
encryption process if an infected computer is immediately shut down when the fictitious chkdsk
screen appears, and a security analyst proposed that creating read-only files named perf.c
and/or perfc.dat in the Windows installation directory could prevent the payload of the current
strain from executing.
Remove the computer from the internal network and isolate it so that infection to other machines
is not possible. While the most secure method to remove NotPetya is to replace the hard drive
and reinstall from a backup, reinstalling Windows will remove NotPetya from the system. This
again is assuming the malware has not evolved into a new variant that stores its executables
outside of the typical Windows install. In the event that the encryption has begun, the computer
must still be powered off, as this will halt the process and leave the unaffected data available for
retrieval. If this is the case the hard drive must be replaced as it is no longer able to be used
safely.
For NotPetya, the ID shown in the ransom screen is random data and therefore even payment
to the threat actor will not resolve the attack. If AI engines are available, the security team will
be able to update the rules to successfully detect elements of the infection and propagation.
In addition to the above, a robust anti-malware suite with embedded anti-ransomware protection
should be part of all of the systems, including any remote systems or laptops used by the sales
team in the field.
Update Microsoft Windows and all third party software. Ensure comprehensive cybersecurity
training for all personnel that perform any work on the computers within the company. This
training should include how to identify phishing emails, social data gathering, and instructions on
routine backup techniques with an emphasis on data validation.

14 of 14
Summary
NotPetya represents the evolution of cybersecurity attacks not just in terms of the
methodology used, but in the intent. NotPetya combines ransomware with the ability to
propagate itself across a network. Built upon a relatively unsuccessful ransomware (Petya), the
malware binary tries to extract logins and passwords of users with the effort of lateral movement
through a local network if administrative credentials are gained.
The second function of NotPetya is to make irreversible modifications to the Master Boot
Record and then force a reboot of the system at which point a disk repair message is displayed.
This disk repair is in reality, the attack of the fixed drives on the system, encrypting all the files.

Full report final for NotPetya

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Full report final for NotPetya

Similar to Full report final for NotPetya (20)

Recently uploaded

Recently uploaded (20)

Full report final for NotPetya