U.S. Government Issues NotPetya Malware Alert
The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) issued a technical alert Friday, July 28, warning businesses and other government entities to protect themselves against the newest "Petya" malware variant known as "NotPetya."
On June 27, 2017, the NCCIC was notified of Petya ransomware events occurring in multiple sectors in nations around the globe. The "NotPetya" malware variant works differently than Petya. It encrypts files with extensions from a hard-coded list. If the malware gains administrator rights, it also overwrites the master boot record (MBR) with its own boot code, which encrypts the master file table (MFT) after a reboot, leaving the infected Windows computer unbootable.
NotPetya differs from previous Petya malware primarily in its propagation methods. NotPetya uses several of them to spread within an infected network, relying on the lateral movement techniques below:
- PsExec - a legitimate Windows administration tool
- WMI - Windows Management Instrumentation, a legitimate Windows component
- EternalBlue - the same Windows SMBv1 exploit used by WannaCry
- EternalRomance - another Windows SMBv1 exploit
Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.
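As an added example (not part of the alert), the following PowerShell audits a host for the exposure just described: whether one of the MS17-010 KBs is listed, whether SMBv1 is still enabled, and, optionally, disabling it. The KB list, the LanmanServer registry fallback for older hosts and the SMB1Protocol optional-feature name are assumptions about the platforms involved; later cumulative updates supersede these KBs, so on Windows 10 or a host with a recent monthly rollup Get-HotFix may list none of them even when the host is patched.

```powershell
# Added example, not code from the NCCIC alert. Run as Administrator.
# Assumed KB numbers from the MS17-010 bulletin; a cumulative update installed later
# supersedes them, so an empty result is not proof that the host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (and the May 2017 XP / 2003 release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Output "MS17-010 fix listed: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning "No MS17-010 KB listed by Get-HotFix; confirm the OS build and latest cumulative update."
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Older hosts: the LanmanServer SMB1 value (assumed fallback); a missing value means enabled.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $true }
    return ($p.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Switch off the SMBv1 server protocol, then remove the optional feature where it exists.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$patched = Test-Ms17010Patch
if (Get-Smb1State) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; EternalBlue and EternalRomance remain reachable over TCP/445."
    # Disable-Smb1   # uncomment once you have confirmed no legacy clients still depend on SMBv1
} else {
    Write-Output "SMBv1 is disabled on $env:COMPUTERNAME."
}
```

Disabling SMBv1 removes the attack surface regardless of patch state, which is why the script treats it as the definitive control and the KB check as supporting evidence only.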
Technical Details: NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. NotPetya encrypts the victim's files with a dynamically generated 128-bit key and creates a unique ID for the victim. However, there is no evidence of a relationship between the encryption key and the victim's ID, which means the attacker may be unable to decrypt the victim's files even if the ransom is paid; NotPetya behaves more like destructive malware than ransomware.
NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network.
Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by reading the compromised system's IP-to-MAC (ARP) address mapping table. Next, it scans those and other systems for the SMB vulnerability and installs the malicious payload on any that are exploitable.
NotPetya encrypts the compromised system's files with the 128-bit Advanced Encryption Standard (AES) algorithm. The malware then writes a text file on the "C:\" drive that contains a static Bitcoin wallet address, a unique "personal installation key" the victim is told to send when making the ransom payment, and the user's Bitcoin wallet ID.
NotPetya replaces the master boot record (MBR) with its own boot code, which encrypts the master file table (MFT) and the saved original MBR after the malware forces a reboot. Based on the encryption methods used, it appears unlikely that the files could be restored even if the attacker received the victim's unique key and Bitcoin wallet ID.
The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious and should examine them for additional malicious activity.
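The credential-theft and SMB-scan propagation described above leaves host-level traces an incident responder can hunt for, and the M.E.Doc advice requires first finding the hosts that have it installed. The following PowerShell is an added example, not part of the alert: it pulls PsExec service installations (System log event 7045 for the PSEXESVC service PsExec registers on its target), flags one host opening TCP/445 to many peers in a short window (the worm's scan rather than normal file-share use), and enumerates M.E.Doc installations from the uninstall registry keys. Assumptions: you run it as an administrator, the connection records come from Sysmon event 3 or any source you map into the same Source/Destination/DestPort/Time shape, WinRM is enabled on the hosts you query, and the M.E.Doc DisplayName match pattern is a guess to adjust against your own inventory. The sample connection data at the bottom is constructed.

```powershell
# Added example, not code from the NCCIC alert.

function Find-PsExecServiceInstall {
    param([int]$Days = 7)
    # PsExec copies its service binary to ADMIN$ and registers it as PSEXESVC (event 7045).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager';
                                     Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, MachineName,
            @{ n = 'Service'; e = { ($_.Message -split "`n" | Select-String 'Service Name:').ToString().Trim() } }
}

function Find-Smb445Scanners {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,   # Source, Destination, DestPort, Time
        [int] $MinTargets = 20,
        [int] $WindowMinutes = 5
    )
    # A single source reaching many distinct hosts on 445 within the window is the scan signal.
    # Simplification: the window starts at each source's first 445 connection.
    $Connections |
        Where-Object { $_.DestPort -eq 445 } |
        Group-Object Source |
        ForEach-Object {
            $sorted   = $_.Group | Sort-Object Time
            $first    = $sorted[0].Time
            $inWindow = $sorted | Where-Object { ($_.Time - $first).TotalMinutes -le $WindowMinutes }
            $targets  = @($inWindow.Destination | Sort-Object -Unique).Count
            if ($targets -ge $MinTargets) {
                [pscustomobject]@{ Source = $_.Name; DistinctTargets = $targets; FirstSeen = $first }
            }
        }
}

function Find-MedocInstall {
    param([string[]] $ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'M\.?E\.?Doc|Medoc' } |   # assumed pattern
            ForEach-Object {
                [pscustomobject]@{ Computer = $env:COMPUTERNAME; Product = $_.DisplayName;
                                   Version  = $_.DisplayVersion;  Path    = $_.InstallLocation }
            }
    }
}

# Constructed sample: one workstation sweeping its /24 on 445 plus one ordinary file-server connection.
$t0 = Get-Date '2017-06-27 10:30:00'
$sample = @()
1..60 | ForEach-Object {
    $sample += [pscustomobject]@{ Source = '10.1.1.23'; Destination = "10.1.1.$_"; DestPort = 445; Time = $t0.AddSeconds($_) }
}
$sample += [pscustomobject]@{ Source = '10.1.1.40'; Destination = '10.1.1.5'; DestPort = 445; Time = $t0.AddMinutes(1) }

Find-Smb445Scanners -Connections $sample     # reports 10.1.1.23 (60 targets), not 10.1.1.40
Find-PsExecServiceInstall                     # live query of this host's System log
Find-MedocInstall                             # local host; pass -ComputerName for a fleet
```

Event 7045 and the uninstall keys are present on every supported Windows version; the 445 sweep detection depends entirely on having per-connection telemetry, so enable Sysmon network logging or equivalent before an incident rather than during one.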
Potential Impact: According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:
- Those that have not installed the MS17-010 update covering CVE-2017-0144 (EternalBlue) and CVE-2017-0145 (EternalRomance)
- Those that share a network with affected organizations
Negative Consequences of Malware Infection Include:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses incurred to restore systems and files
- Potential harm to an organization’s reputation.
What You Should Do: NCCIC recommends against paying ransoms as doing so enriches malicious actors while offering no guarantee encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider so payment is especially unlikely to lead to data recovery.
NCCIC recommends organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented.
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/
If You Have Dox Managed Services: You're protected! Systems that are covered under a Dox Managed Services Agreement already received the patches to fix the MS17-010 SMB vulnerability.
Prevention: Regularly train and remind staff not to click on any attachments or links they were not expecting, even from people they know. When in doubt, don't click. Instead, contact the sender and ask if it is legitimate. If you have Dox Managed Services, remind your staff of the importance of leaving their computers powered on but logged out when they leave on Tuesday nights so Dox can patch them automatically overnight.