Two months after the global WannaCry ransomware outbreak, a new wormlike malware variant has more recently plagued 64 countries, disrupting operations worldwide.
According to Microsoft’s Windows Security blog, the first signs of infection hit more than 12,500 machines in Ukraine, then spread outward to infect the U.S., Russia, Germany, Belgium, Brazil and others.
The malware has affected A.T.M.s and nuclear plant radiation monitors in Ukraine. Other companies affected include FedEx in the U.S., worldwide shipping giant A.P. Moller-Maersk, a French construction materials company Saint Gobain and Mondelez International, Inc. (owner of chocolate brand Cadbury), BNP Paribas Real Estate and many more, as reported by Reuters.
While initially reported to be a ransomware variant with code similar to the Petya ransomware, further analysis and research has revealed otherwise.
Is it Ransomware?
Some researchers say no, for a number of different reasons. The intent behind ransomware is to make money by encrypting data and holding it for ransom - ransomware can restore and decrypt files.
But this type of malware appears to be wiping the first sectors of the disk, rewriting the master boot record to make restoration of infected disks impossible, according to a blog post by Matt Suiche, founder of CloudVolumes, now VMWare. He also suggests the malware was disguised as ransomware as “a lure for the media” - piggybacking off the notoriety of the WannaCry incident.
In a separate analysis of the “high-level code of the encryption routine” used in the malware, Kaspersky Lab also confirmed that there is “little hope” for victims to recover their data, as threat actors cannot decrypt infected disks - even if victims pay up.
Kaspersky Lab researchers explained that threat actors need the installation ID in order to decrypt a victim’s disk. While previous versions of Petya ransomware do have the information necessary for key recovery, the malware used in this attack doesn’t have it - meaning threat actors supposedly can’t extract the information needed for decryption, as Ars Technica reported.
However, there are also reports that the malware is acting as ransomware, asking for $300 bitcoin, a relatively low amount that has indicated to researchers that the attack may not be profit-motivated.
Additionally, extortionists encourage users to communicate with them via email, and have provided each victim with the same bitcoin address - different from typical ransomware that uses the anonymous network Tor for communication, and assigns a unique bitcoin address to victims.
According to Information Security Researcher, the grugq, the worm is camouflaged to look like Petya, with “significant code sharing.” But further research indicates the malware was not designed to make money, but rather to spread quickly and cause damage.
Targeting Windows Systems
The worm uses a few different infection vectors, including a modified version of the Windows ETERNALBLUE exploit (also used by WannaCry to infect systems), harvested password hashes and PsExec tools - plus, good old phishing emails with malicious attachments.
A single infected system on your network with administrative credentials can spread the malware to others via PsExec and WMIC. The malware uses a tweaked build of open-source Mimikatz (a credential-theft/security-testing tool for Windows) to extract network administrator credentials out of the machine’s running memory, according to a very detailed and thorough account of the malware’s behavior by The Register.
Much of the discussion around the malware’s behavior is centered around its ability to move laterally within an organization’s networks after initial infection. Lesley Carhart discusses the abuse of poor network security architecture in her blog post, Why NotPetya Kept Me Awake (& You Should Worry Too):
“Of course, unpatched (or not recently rebooted) Windows hosts were vulnerable to MS17-010 exploitation. Beyond that, lateral movement with WMI and PsExec is very effective in environments with poor network security architecture and implementation. Flat networks without segmentation were vulnerable. Networks where their use was permitted were vulnerable. Networks where desktop users commonly had workstation admin or domain admin permissions were vulnerable, and networks where these privileges were not restricted or tightly controlled were more so.”
An analysis by Kaspersky Labs reports that the EternalRomance exploit was also used to infect machines with the malware. EternalRomance is a remote code execution exploit targeting Windows XP to Windows 2008 systems.
Patching Windows systems with the March update, MS17-010 protects computers against this exploit. However, due to many different factors, organizations with the most critical functions appear to struggle with software updates, keeping them vulnerable to known exploits.
Spreading Through Third-Party Software
Some of the initial infections were due to a legitimate software update from a Ukraine accounting software firm, as reported by ZDNET.
Microsoft has confirmed that they have evidence that a few initial, active infections can be traced back to the tax accounting software, MEDoc, developed for use in the supply chain by the Ukrainian company, M.E.Doc.
The malware infected Ukrainian hosts via the legitimate MEDoc updater process on the morning of Tuesday, June 27, pushing out an executable download to customers that appeared to be sent from the software vendor - but contained the malware.
Some advice to help avoid infection, whether it’s ransomware or malware: patch your software and update devices as soon as possible. Back up your data regularly and offline, and use the principle of least privilege to restrict the permissions of administrators and users to only what they need to do their jobs. Users should also exercise caution when it comes to downloading files from email or allowing updates.