Article by ENCODE’s Threat Labs

A worm known as "Petya" is ransomware that is infecting machines around the world on an industrial scale. It is a massive attack affecting a number of sectors, including governments, shipping firms, petroleum manufacturers and hospitals, in numerous countries such as Ukraine, Spain, Denmark, Germany, Israel, the UK and the Netherlands. In Ukraine specifically, bus stations, banks, an airport and critical infrastructure have been affected.
The Petya worm uses several different techniques to propagate itself, including the infamous ETERNALBLUE exploit (developed by the NSA, leaked by the Shadow Brokers, and also used by the WannaCry ransomware). The worm also harvests password hashes from memory (using a recompiled minimal version of mimikatz) and spreads with the PsExec tool from Sysinternals and the WMIC interface.
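The two living-off-the-land propagation techniques named above, PsExec and WMIC, leave characteristic traces in Windows event logs that a defender can alert on. The following Python sketch is an added example, not code from the ENCODE article: it runs two simple detection rules over a few constructed sample events (a System log 7045 service-installation event for the PSEXESVC service that PsExec drops on its target, and a Security log 4688 process-creation event for wmic.exe with a remote /node: argument). Host names, the pipe-separated event format and the command lines are constructed for illustration; the event IDs and field names are standard Windows ones.

```python
import re

# Constructed sample events (not from a real incident) in a simplified
# "EventID|Host|Details" text form, loosely modelled on Windows event logs.
SAMPLE_EVENTS = [
    # System 7045: new service installed. PsExec installs PSEXESVC on the target
    # (the service can be renamed with PsExec's -r switch, so this rule is not exhaustive).
    "7045|WS-042|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    # Security 4688: process creation. The CommandLine field is only present when
    # "Include command line in process creation events" is enabled via policy.
    "4688|WS-042|NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic /node:FS-01 process call create \"cmd.exe /c example\"",
    # Benign events, to show the rules stay quiet on normal activity.
    "7045|WS-042|ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "4688|WS-042|NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic os get caption",
]


def parse_event(line):
    """Split one 'EventID|Host|Details' line into a dict."""
    event_id, host, details = line.split("|", 2)
    return {"id": int(event_id), "host": host, "details": details}


def detect(event):
    """Return a list of alert strings for one parsed event (empty if benign)."""
    alerts = []
    d = event["details"]
    # Rule 1: PsExec's default service name being installed on this host.
    if event["id"] == 7045 and re.search(r"ServiceName=PSEXESVC\b", d, re.I):
        alerts.append(f"{event['host']}: PsExec service (PSEXESVC) installed, "
                      "indicates remote execution on this host")
    # Rule 2: wmic.exe launched against a remote node (WMI lateral movement).
    if (event["id"] == 4688 and re.search(r"\bwmic\.exe\b", d, re.I)
            and re.search(r"/node:", d, re.I)):
        alerts.append(f"{event['host']}: wmic.exe targeting a remote node, "
                      "possible WMI lateral movement")
    return alerts


def scan(lines):
    """Run all rules over an iterable of raw event lines and collect alerts."""
    alerts = []
    for line in lines:
        alerts.extend(detect(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both PsExec and WMIC are legitimate administration tools, so these hits are leads to correlate with the source account and time window rather than verdicts on their own.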
Petya behaves like any other ransomware (Locky, Cerber, TeslaCrypt, etc.). Instead of encrypting your files on the disk, however, it encrypts the MFT (master file table), where all the file metadata resides (a blast from the past: many 1980s/1990s malware families used this technique to damage the MBR sector). Whether it can do so depends on the privileges of the user account under which the malware was started.
Any serious ransomware attack has one objective in mind: profit. This specific attack, however, does not appear to have been designed to make profit per se, but potentially to prove that this worm can spread fast and cause damage. This assertion is supported by the fact that the e-mail address "email@example.com" has already been disabled (https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday), so victims are unable to send their Bitcoin wallet ID and installation key to it. This indicates a poor payment process. The other characteristic that differs is the initial infection method. There have been reports that the attack started by spreading a fake (malicious) update of a software package used by Ukrainian organisations and government bodies, and by companies in countries that do business with Ukraine. So the initial infection method does not appear to be the classical spear-phishing technique alone, but also the compromise of a third-party update server. There is a possibility that the attackers wanted to prove that they can attack sensitive infrastructure through other paths as well, not only through spear-phishing. Of course, we cannot exclude spear-phishing attacks against countries that do not do business with Ukraine.
Food for thought: What are the main reasons so many computers around the world were infected in such a short time? Is it the ETERNALBLUE exploit, or is it poor security controls, weak local admin and/or domain admin passwords, excessive user privileges, poor network architecture design, poor internal network visibility and poor incident response capabilities?