It’s not just the physical world that’s volatile; the cyber world isn’t safe either. Just barely a month after Wannacry ransomware shook up the cyber ecosystem, there was another cybersecurity epidemic that wreaked global havoc on June 27th.
This time it’s Petya, or is it NotPetya... or maybe GoldenEye...
It Started With a Fake Update
According to Microsoft, the initial infection vector, or patient zero, was M.E.Doc, a tax filing software widely used by all companies operating within Ukraine. The attackers seeded the software with a ransomware which then got pushed out to all the clients as a software update.
This then spawned a nationwide cybersecurity outbreak where within an hour of being infected, the malicious code automatically forced computers to reboot, which upon restarting flashed up this black screen with an ominous message in red text:
The outbreak cause damage predominantly in the Ukraine, spreading to Britain, Europe, Australia and even USA, affecting 64 countries in its path. It crippled airports, critical governmental institutions, both public and private infrastructures, power plants and even the Cadbury chocolate plant in Australia, who had to halt its production.
The Chernobyl’s nuclear radiation monitoring system got hacked as well, forcing the authorities to monitor the area manually.
This attack has been called a mayhem generator rather than just a ploy for money extortion. But more on that in a bit…
What’s a Ransomware? A Quick Overview
A ransomware is a type of malware that traps your computer files through data kidnapping and lock screen attacks; then demands a ransom in order to regain access to the affected documents.
These malicious codes can spread through email attachments, software updates, infected apps, infected websites, clicking an infected link etc.
There are two types of ransomwares: Encrypting ransomware that encrypts all the system files, and demands a ransom from the victim in exchange for the decrypt key; and Locker ransomware that completely blocks the victim out of the system. Although the files aren’t encrypted, they aren’t accessible either unless the ransom is paid.
What makes ransomware so menacing is that it has the ability to encrypt all types of files, including pictures. They can scramble file names, extract sensitive data, and use advanced evasion tactics to stay undetected. The encryption used is often unbreakable. Also, to increase the sense of urgency, the ransom amount is programmed to increase if not paid within a certain time frame. They also threaten to destroy your data completely if the ransom isn’t paid.
GoldenEye, a variant of Petya ransomware, affects networks that use Microsoft Windows. It spreads throughout the organization using EternalBlue- an exploit developed by NSA that was also linked to WannaCry. This Microsoft Windows security vulnerability was first exposed by a hacking group called Shadow Brokers. Although Microsoft Windows did release a patch, not everyone has it installed.
It has a wormable component that allows it to self propagate. Along with using SMB Exploits- EternalBlue and EternalRomance to spread, it uses several tools to propagate through networks, infecting them on its way. Using MimiKatz, It extorts network administrator’s credentials and uses it to execute commands using WMIC, on systems that might be patched against EternalBlue.
Not only can it extract credentials, but it can also rewrite the system’s MBR (Master Boot Record), so when it reboots, only the malware note pops up asking for the ransom.
It encrypts fixed drives using AES-128 encryption which randomly generates a key.
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h. hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
If any of the files of the encrypted fixed drives contain the above mentioned extensions, then it further encrypts the 1 GB of that file with the attacker’s public RSA-2048 key.
Then the encrypted key, also known as the installation key, gets stored in a README.txt file along with the ransom message. The ransomware then proceeds to modify the MBR, programming the forced reboot pulls up the ransom screen.
Should You Pay?
The attackers are asking the victims for $300 in Bitcoins as a ransom for the decrypt key. So, should you pay? Some appeared to have paid, since the address shows 45 transactions. But here is the thing-
The victims are required to send their wallet numbers via email to [email protected] to confirm the transaction, but that email has already been shut down by Posteo. So there is no way to contact the criminals. So paying the ransom will not get your data recovered; it will just fund their development of an even nastier malware.
Was the Goal to Extort Money or to Create Mayhem?
Mounting evidence shows that this cyberattack might not have been for money at all, but rather a data destruction ploy. The motive is still a mystery.
If the hackers wanted money, this attack was a failure. But some cybersecurity experts believe that their goal might have been to just cause destruction.
Matt Suiche, a security researcher and hacker, calls Petya a wiper and not a ransomware. Suiche states, “2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk.”
Ultimately, the jury is still out on this attack’s primary intent.
Is There a Kill Switch?
Despite the rumors, there is no known kill switch yet to revert this attack's damage. To protect your system from getting attacked, patch your computers against SMB exploits. Keep your Windows 10 up to date, and don’t forget to always back-up your files, because you never know what the next cybersecurity monster will bring with it.
You should also consider deploying Safe-T’s SDE which is a centralized secure data exchange solution which operates not using SMB but rather using HTTPS. This will allow you to securely store all of your data in a centralized location (e.g. NTFS) without requiring you to open any SMB throughout your network, preventing any SMB based vulnerabilities.