What is the NotPetya ransomware?
NotPetya (or Petwrap) is based on an older version of the Petya ransomware, which was originally designed to hold files and devices hostage in turn for Bitcoin payment. However, despite NotPetya’s attempt to collect money in its fast-moving global attack, it doesn’t appear to be strictly out for money. Instead, NotPetya is encrypting the filesystems of machines to damage companies. The ransomware aspect is apparently just a cover.
What makes NotPetya dangerous is that underneath the ransomware-based front is an exploit called EternalBlue, allegedly designed by the United States National Security Administration (aka the NSA). It targets a specific, vulnerable network protocol called Server Message Block (version 1) used for sharing printers, files, and serial ports between networked Windows-based PCs. Thus, the vulnerability allows remote attackers to send and execute malicious code on a target computer. The Shadow Brokers hacker group leaked EternalBlue in April of 2017.
The NotPetya ransomware also includes a “worm” component. Typically, victims fall prey to ransomware by downloading and executing malware disguised as a legitimate file attached in an email. In turn, the malware encrypts specific files and posts a popup window on the screen, demanding payment in Bitcoins to unlock those files.
However, the Petya ransomware that surfaced in early 2016 took that attack a step further by encrypting the PC’s entire hard drive or solid state drive by infecting the master boot record, thus overwriting the program that begins the Windows boot sequence. This resulted in an encryption of the table used to keep track of all local files (NTFS), preventing Windows from locating anything stored locally.
Despite its ability to encrypt an entire disk, Petya was only capable of infecting a single target PC. However, as seen with the recent WannaCry outbreak, ransomware now has the capability to move from PC to PC on a local network without any user intervention. The new NotPetya ransomware is capable of the same lateral network infestation, unlike the original Petya version.
According to Microsoft, one of NotPetya’s attack vectors is its ability to steal credentials or re-use an active session.
“Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines,” the company reports. “Once the ransomware has valid credentials, it scans the local network to establish valid connections.”
The NotPetya ransomware can also use file-shares to multiply itself across the local network, and infest machines that are not patched against the EternalBlue vulnerability. Microsoft even mentions EternalRomance, another exploit used against the Server Message Block protocol supposedly conjured up by the NSA.
“This is a great example of two malware components coming together to generate more pernicious and resilient malware,” said Ivanti Chief Information Security Officer Phil Richards.
On top of NotPetya’s fast, widespread attack, there exists another problem: payment. The ransomware provides a popup window demanding victims to pay $300 in Bitcoins using a specific Bitcoin address, Bitcoin wallet ID, and personal installation number. Victims send this information to a provided email address that responds with an unlock key. That email address was quickly shut down once German parent email provider Posteo discovered its evil intent.
“We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away,” the company said. “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”
That means any attempt to pay would never get through, even if payment were the goal of the malware.
Finally, Microsoft indicates that the attack originated with Ukrainian company M.E.Doc, the developer behind the MEDoc tax accounting software. Microsoft doesn’t appear to be pointing fingers, but instead stated that it has proof that “a few active infections of the ransomware initially started from the legitimate MEDoc updater process.” This type of infection, notes Microsoft, is a growing trend.
What systems are at risk?
For now, the NotPetya ransomware seems to be focused on attacking Windows-based PCs in organizations. For example, the entire radiation monitoring system located in the Chernobyl nuclear power plant was knocked offline in the attack. Here in the United States, the attack hit the entire Heritage Valley Health System, affecting all facilities that rely on the network, including the Beaver and Sewickley hospitals in Pennsylvania. The Kiev Boryspil Airport in the Ukraine suffered flight schedule delays, and its website was knocked offline due to the attack.
Unfortunately, there’s no information pointing to the exact versions of Windows the NotPetya ransomware is targeting. Microsoft’s security report doesn’t list specific Windows releases, although to be safe, customers should assume that all commercial and mainstream releases of Windows spanning Windows XP to Windows 10 fall within the attack window. After all, even WannaCry targeted machines with Windows XP installed.
Who do you protect yourself against it?
Microsoft has already issued updates blocking the EternalBlue and EternalRomance exploits used by this latest malware outbreak. Microsoft addressed both on March 14, 2017, with the release of security update MS17-010. That was more than three months ago, meaning companies attacked by NotPetya through this exploit have yet to update their PCs. Microsoft suggests that customers install security update MS17-010 immediately, if they haven’t done so already.
Installing the security update is the most effective way to protect your PC
For organizations that can’t apply the security update just yet, there are two methods that will prevent the spread of the NotPetya ransomware: disabling Server Message Block version 1 completely, and/or creating a rule in the router or firewall that blocks incoming Server Message Block traffic on port 445.
There’s one other simple way to prevent infection. Start by opening File Explorer and loading up the Windows directory folder, which is typically “C:\Windows.” There you will need to create a file named “perfc” (yes with no extension) and set its permissions to “Read Only” (via General/Attributes).
Of course, there’s no actual option to create a new file in the Windows directory, just the New Folder option. The best way to create this file is to open Notepad and save a blank “perfc.txt” file in the Windows folder. After that, simply delete the “.txt” extension in the name, accept Window’s popup warning, and right-click on the file to change its permissions to “Read Only.”
Thus, when NotPetya infects a PC, it will scan the Windows folder for that specific file, which is actually one of its own filenames. If the perfc file is already present, NotPetya assumes that the system is already infected, and becomes dormant. However, with this secret now public, hackers may go back to the drawing board and revise the NotPetya ransomware to depend on a different file.
