The United States Computer Emergency Readiness Team (US-CERT) issued an alert for government agencies and companies about the recent Petya ransomware attack, which was designed to steal credentials and destroy data.
A recently discovered strain of malware was first believed to be a variant of the Petya ransomware. However, some security experts eventually concluded that although it shares some code with Petya, the “ransomware” parts are superficial at best and possibly used to cover-up the malware creators’ real objectives.
According to further expert analysis and confirmation by US-CERT, Petya (the name US-CERT chose to give it) was primarily made to steal or destroy data in targeted computers.
On June 27, US-CERT was notified by the National Cybersecurity & Communications Integration Center (NCCIC) that Petya infections were happening in multiple countries and affecting multiple sectors. The malware would encrypt the Master Boot Record (MBR) of Windows machines, making them unusable.
According to US-CERT, the Petya malware campaign involves multiple methods of propagation and exploitation, including exploiting vulnerabilities in the Windows Server Message Block (SMB) and using NSA's EternalBlue exploit, the sames tools also used by the WannaCry ransomware earlier this year. Microsoft silently patched these vulnerabilities in March, but not all Windows machines have installed the update, which means the potential for damage is still significant.
US-CERT received a sample of the Petya malware variant and performed its own detailed analysis of it. The malware spreads via SMB and installs a modified version of the open source Mimikatz tool to steal the victims’ Windows credentials. Because some of those credentials may belong to network administrators, they can then be used to access other systems on the network.
The malware can also scan the IPs of the network and look for other computers using the unpatched SMB protocol so it can infect them as well. Petya modifies the MBR of the machines to enable encryption of the Master File Table (MFT) and the original MBR, and then it reboots the systems.
The team found that the malware encrypts users’ files with dynamically-generated 128-bit AES keys and creates unique IDs for the victim PCs. However, there doesn’t seem to be any evidence that the encryption key and IDs are connected, so it may not be possible for the malware creators to decrypt a user’s machine, even if the user pays the ransom. This is also part of the reason why many security experts believe the ransomware part of this Petya malware is there only as a decoy.
This variant of the Petya ransomware seems to have mainly targeted businesses and organizations in multiple sectors, including including finance, transportation, energy, commercial facilities, and healthcare. However, US-CERT warned that users with unpatched Windows PCs are also at risk.
US-CERT said that infection with the Petya malware can have the following consequences:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solutions Against Petya
First of all, NCCIC recommended that organizations or anyone infected with ransomware should not pay the ransom, as that only encourages criminals to build more advanced ransomware variants that spread more easily and widely. However, in this case, even if the victims pay the ransom, it’s unlikely they will recover their files, so they could lose both their files and their money to this campaign. The email address provided for payment validation has also been shut down by the email provider, making file recovery even less likely.
Because WannaCry and Petya share similar attack vectors, organizations that had already taken steps to protect against WannaCry should already be protected against Petya. Nevertheless, NCCIC said that organizations should work with their security vendors to coordinate an appropriate defense.
US-CERT also published a number of instructions to prevent ransomware infections, from patching systems and disabling the SMB protocol to employing the “least privilege” security mindset, which should significantly limit how far malware infections spread inside a network.
Ransomware Goes Mainstream
With WannaCry and now this new variant of Petya, it seems that ransomware has gone “mainstream” after being relegated to being a niche type of attack for the past couple of years. This type of malware is likely to continue to be an appealing option to many malware creators, because on one side it can make them money, and on the other, it can act as a powerful destructive tool (more likely to be used by criminal organizations and nation states).
This is why it’s all the more urgent for Microsoft, as well as the vendors of other operating systems, to start taking steps now to design their operating systems’ security architectures in ways that make them resilient to ransomware attacks. This isn’t going to be easy, because it likely means that some legacy third-party applications will stop working without updates once the new architectures and built-in security solutions are deployed, but this change is likely going to be necessary.