Thursday, June 29, 2017

NotPetya Is a Cyber Weapon, Not Ransomware

Yesterday morning, after monitoring this new outbreak for 24 hours, I came to the conclusion we were dealing with cyber warfare, and not ransomware. Two separate reports coming from Comae Technologies and Kaspersky Lab experts confirm this now.
NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past.
Note that Shamoon actually deleted files; NotPetya goes about it slightly differently: it does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same.
Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who.
You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look like ransomware as a smoke screen:
  1. It never bothers to generate a valid infection ID
  2. The Master File Table gets overwritten and is not recoverable
  3. The author of the original Petya also made it clear NotPetya was not his work
This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.
Catalin Cimpanu, the Security News Editor for Bleepingcomputer stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware."
Cybersecurity has moved from Tech to a CEO and Board-level business issue
You did not sign up for this, but today it is abundantly clear that as an IT pro you have just found yourself on the front line of 21st-century cyber war. Cybersecurity has moved from Tech to a CEO and Board-level business issue.
I strongly suggest you have another look at your defense-in-depth, and make sure to:
  1. Have weapons-grade backups
  2. Religiously patch
  3. Step users through new-school security awareness training

Wednesday, June 28, 2017

Looks Like A New Worldwide Ransomware Outbreak

Motherboard reported: "A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries." We hope we are wrong, but this could be another WannaCry.

Motherboard continued: "On Tuesday, a wide range of private businesses reportedly suffered ransomware attacks. Although it is not clear if every case is connected, at least several of them appear to be related to the same strain of malware.

"The attacks are similar to the recent WannaCry outbreak, and Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

"We are seeing several thousands of infection attempts at the moment, comparable in size to WannaCry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.
Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.
"If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

Raiu believes the ransomware strain is known as Petya or Petrwrap, a well-known highly advanced ransomware strain that also encrypts the Master File Table. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers (Motherboard could not independently confirm this at the time of writing).
EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.
Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.

Monday, June 5, 2017

New York State DMV Phishing Scam

Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam where New York drivers are being targeted, stating they have 48 hours to pay a fine or have their driver's license revoked. This may happen in your state as well, so this is your heads-up.
The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.
Olenick was able to get a bit more detail: "The malware being dropped came in two categories. The first simply placed a tracking tool on the victim's computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information."
There are several social engineering red flags (PDF) that show the email is a scam. The text of the email supplied by NY DMV shows that the message contains several punctuation errors and that the supplied links lead to sites without an ny.gov URL, on top of the fact that the state would never make such a request. Here is how the phishing email reads:
[Image: example of the phishing email]
“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.
McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so...
I suggest you send employees, friends and family an email about this Scam Of The Week, feel free to copy/paste/edit:
"Here is a reminder that you need to be alert for fake emails that look like they come from your local police or State Dept of Motor Vehicles (DMV) claiming you have a traffic violation. At the moment, there is a local scam in New York that falsely states you have outstanding violations you need to either pay for or refute, and if you don't your license will be revoked. This scam may spread to the rest of America soon. Remember that citations are never emailed with links in them, or sent out with an email attachment, and report scams like this to your local police department."
Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.
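The red flags the DMV listed (a 48-hour deadline, links that are not under ny.gov, sloppy punctuation) can also be checked mechanically, for example in a mail-gateway filter. The script below is an added illustration written for this post, not code from the DMV or from KnowBe4; the sample message is constructed, and it deliberately includes a look-alike host that merely starts with "ny.gov" to show why the domain check must compare whole labels rather than substrings.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the red flags described in the post:
# 48-hour deadline, a "payment" link outside ny.gov, stray punctuation.
SAMPLE_EMAIL = """From: NYS DMV <notices@dmv-ny-payments.example>
To: driver@example.com
Subject: Notice of unpaid traffic violation

You have 48 hours to pay your fine ,or your license will be revoked.
Pay now: http://ny.gov.payments.example/pay?id=1234
Review the citation : http://dmv.ny.gov/faq
"""

TRUSTED_DOMAIN = "ny.gov"
URL_RE = re.compile(r"https?://[^\s<>'\"]+")
URGENCY_RE = re.compile(r"\b\d+\s*hours?\b|revoked|immediately", re.IGNORECASE)
SPACED_PUNCT_RE = re.compile(r"\s[,:;.!?]")


def is_trusted_host(host: str) -> bool:
    """True only for ny.gov itself or a real subdomain of it.

    A plain startswith/substring test would wrongly accept
    'ny.gov.payments.example', so compare whole DNS labels.
    """
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def check_email(raw: str) -> list[str]:
    """Return a list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    if not is_trusted_host(sender_host):
        flags.append(f"sender domain not under {TRUSTED_DOMAIN}: {sender_host}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            flags.append(f"link not under {TRUSTED_DOMAIN}: {url}")
    if URGENCY_RE.search(body):
        flags.append("urgency or threat language (deadline / revocation)")
    if SPACED_PUNCT_RE.search(body):
        flags.append("punctuation preceded by a space")
    return flags


if __name__ == "__main__":
    for flag in check_email(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

The genuine dmv.ny.gov link in the sample is not flagged; the spoofed sender, the look-alike payment host, the deadline and the stray commas are.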