The Petya ransomware attack that infected corporations around the world today may have originated from a malicious update for a Ukrainian accounting software product called MeDoc, according to researchers.
Additionally, the ransomware possibly leverages not one, but two former Microsoft Windows exploits that were employed by the National Security Agency (NSA) before they were leaked by the Shadow Brokers hacking group.
Still, the security community has much work to do as it scrambles for answers regarding Petya's coding, how the ransomware differs from WannaCry 2.0, and the attackers' identity and motive. At this point, there is even disagreement over whether or not the ransomware is actually a variant of Petya at all.
Petya Analysis: Worse than WannaCry
Like the WannaCry malware that infected victims in May, Petya has a wormable component that allows it to spread laterally around connected networks. But while WannaCry specifically targets files, Petya encrypts a machine's entire hard disk by overwriting the master boot record, making it significantly more dangerous to infected organizations.
"Unlike other types of ransomware, the Petya ransomware family appears to be more brutal in the techniques it uses to encrypt files as it goes straight for the hard drive to encrypt the entire machine," said Lenny Zeltser, vice president of products at endpoint security solutions company Minerva. "Therefore, not only do users lose their data, their entire productivity is shut down as even their Windows operating system won't run."
Chris Hinkley, lead ethical hacker at Armor, similarly noted that while Petya looks like "somewhat of a WannaCry copycat," it is potentially worse because it "for all intents and purposes turns the computer off."
In a surprise twist, Recorded Future reported that Petya ransomware is actually being coupled with a second payload: an information stealer, possibly Loki Bot. "The Loki Bot information stealer grabs usernames and passwords from victim computers and sends the data to a command and control server controlled by the attacker," said Allan Liska, an intelligence analyst at Recorded Future. "If confirmed, that would mean that while the computer is completely inoperable because of the Petya ransomware, the attackers have full access to the usernames and passwords stolen from the computer."
Other reports were a little more generic, indicating that the ransomware uses a tool similar to Mimikatz in order to steal credentials and further spread. Regardless, the ability to swipe credentials can lead to widespread infections across an extended network once a machine operated by an administrator is affected.
The specific variant of Petya spreading around the world has been identified by some researchers as Petrwrap. According to the Kaspersky researchers who discovered this variant last May, Petrwrap is derived from the original Petya ransomware-as-a-service module, but with a modification that allows users to receive ransom payments without having to share the profit with the original developers. Others have identified today's ransomware as another variant called GoldenEye, which was described in a recent Sophos report.
However, Kaspersky reported via Twitter that, contrary to public reports, the ransomware actually may not be a variant of Petya at all, but rather a previously undiscovered ransomware that it is calling NotPetya.
There are also conflicting accounts of how companies have been infected. Many reports have cited phishing scams as a likely source of infection. While this is possible in some cases, the evidence strongly suggests that Ukrainian organizations were by and large infected via a malware-ridden update of MeDoc accounting software, according to a report from Cisco Talos and another from Kaspersky. In a Facebook post, MeDoc denied that its software updates were responsible for any infections, though it did admit to being targeted by hackers.
Still, a compromise of MeDoc would not likely explain how other international organizations became infected as Petya began to spread outside of Ukraine's borders.
What seems more clear at this time is that once the malware resides on a machine, it then spreads laterally across connected networks via various Windows exploits and tools. While WannaCry specifically leveraged the exploit known as EternalBlue, Petya (or NotPetya) takes advantage of both EternalBlue and EternalRomance, a separate remote code execution Windows exploit, Kaspersky reported. According to various reports, the ransomware also uses the Windows Management Instrumentation Command-line (WMIC) interface and the telnet alternative PsExec to enable lateral propagation.
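The lateral-movement tooling named above (WMIC remote process creation and PsExec) leaves process-creation traces that a defender can hunt for. The following Python script is an added example, not code from the article or from any vendor quoted in it: it parses a constructed key=value event format (hypothetical hosts, users and IP addresses, invented for this example), flags WMIC `/node:` process creation, PsExec client launches and the PSEXESVC service binary appearing on a target, and then reports any source host that fans out to several targets, which is the signature of a worm-like spread rather than an administrator's one-off task.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a hypothetical key=value format.
# Hosts, users, paths and IPs are invented for this example; none are indicators from the article.
SAMPLE_EVENTS = [
    'ts=2017-06-27T10:01:02Z host=WS-01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.txt"',
    'ts=2017-06-27T10:02:11Z host=WS-01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic /node:10.0.0.12 /user:CORP\\svc process call create \\"cmd.exe /c echo test\\""',
    'ts=2017-06-27T10:02:15Z host=WS-01 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic /node:10.0.0.13 /user:CORP\\svc process call create \\"cmd.exe /c echo test\\""',
    'ts=2017-06-27T10:02:40Z host=WS-01 user=CORP\\alice image=C:\\Tools\\psexec.exe cmd="psexec.exe \\\\10.0.0.14 -s cmd.exe"',
    'ts=2017-06-27T10:02:41Z host=SRV-14 user="NT AUTHORITY\\SYSTEM" image=C:\\Windows\\PSEXESVC.exe cmd="C:\\Windows\\PSEXESVC.exe"',
    'ts=2017-06-27T10:05:00Z host=WS-02 user=CORP\\bob image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic os get caption"',
]

# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
WMIC_NODE_RE = re.compile(r'/node:(\S+)', re.IGNORECASE)
WMIC_CREATE_RE = re.compile(r'process\s+call\s+create', re.IGNORECASE)
UNC_TARGET_RE = re.compile(r'\\\\(\S+)')  # \\host in a PsExec command line


def parse_event(line):
    """Parse one constructed event line into a dict of fields."""
    event = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        event[key] = quoted.replace('\\"', '"') if quoted is not None else bare
    return event


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(event):
    """Return (category, target_host) for a lateral-movement indicator, else None."""
    image = basename(event.get('image', ''))
    cmd = event.get('cmd', '')
    if image == 'wmic.exe':
        node = WMIC_NODE_RE.search(cmd)
        # Local WMIC queries (no /node:) are routine; remote process creation is not.
        if node and WMIC_CREATE_RE.search(cmd):
            return ('wmic_remote_exec', node.group(1))
    if image in ('psexec.exe', 'psexec64.exe'):
        unc = UNC_TARGET_RE.search(cmd)
        return ('psexec_client', unc.group(1) if unc else None)
    if image == 'psexesvc.exe':
        # The service side of PsExec running means this host was the target.
        return ('psexec_service_on_host', event.get('host'))
    return None


def analyze(lines, fanout_threshold=2):
    """Return (findings, fanout): every indicator hit, plus sources reaching >= threshold distinct targets."""
    findings = []
    targets_by_source = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit is None:
            continue
        category, target = hit
        findings.append({'ts': event.get('ts'), 'host': event.get('host'),
                         'category': category, 'target': target})
        if target and category != 'psexec_service_on_host':
            targets_by_source[event.get('host')].add(target)
    fanout = {src: sorted(t) for src, t in targets_by_source.items() if len(t) >= fanout_threshold}
    return findings, fanout


if __name__ == '__main__':
    hits, spreaders = analyze(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['ts']} {hit['host']}: {hit['category']} -> {hit['target']}")
    for src, targets in spreaders.items():
        print(f"fan-out from {src}: {', '.join(targets)}")
```

The fan-out count is the part worth tuning in a real environment: a single WMIC or PsExec launch by an administrator is common, but one workstation reaching several hosts by remote execution within minutes is the pattern the worm behaviour described above would produce. Pair it with the patch status of the targets, since the same spread also rode on the SMB exploits the article names.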
Via Twitter, security researcher Kevin Beaumont additionally reported that the ransomware has no kill switch in its code, like the kind that cut short WannaCry's path of destruction. And Ori Bach, vice president of product at TrapX Security, said that his company determined from a malware sample analysis that Petya was designed "not to run on desktops [that] only have a keyboard running EN-US" language code (which commands the Windows operating system to use U.S. standard English). If accurate, this might suggest that the attackers hoped to avoid U.S. casualties, although American companies including the pharmaceutical company Merck were reportedly hit.
SC Media's own research expert Dr. Peter Stephenson conducted his own sample analysis and found that the ransomware uses a wrapper program for obfuscation purposes. Commenting on fellow researchers' early findings, Stephenson highlighted the uniqueness of the malicious MeDoc update, noting that "there haven't been a lot of massive attacks that have been spread that way."
In conclusion, while the WannaCry attack appeared amateurish in how it was executed, Petya has all the hallmarks of a professional job, Stephenson surmised.
Poor Patching to Blame
In March 2017, Microsoft issued patches for both vulnerabilities linked to the NSA's EternalBlue and EternalRomance exploits. So if, indeed, the attackers capitalized on these bugs, it further demonstrates the continued negligence of companies that fail to update their software, in spite of lessons learned from the WannaCry infection.
"Given the notoriety that WannaCry achieved, it's surprising to see that organizations are falling victim to a vulnerability that has been public knowledge since earlier this year," commented Andrew Avanessian, VP at Avecto.
"The current approaches to security with respect to patching and updates are severely broken," said Mike Kail, CTO at Cybric. "Companies need to rapidly adopt a much more continuous strategy around patching and security testing, along with a robust disaster recovery plan that gets tested frequently." This is especially true for organizations that provide critical infrastructure technology, he noted, alluding to Ukrainian energy companies that were affected in this latest attack, including the Chernobyl nuclear plant.
Mike Ahmadi, global director of critical systems security within Synopsys's software integrity group, called for increased legal enforcement of security patching. "Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs," said Ahmadi. "Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated."