Late on 27 June, the New York Times reported that a number of Ukrainian banks and Ukrenergo, the Ukrainian state power distributor, had been affected by unidentified malware which caused significant operational disruption. Multiple security vendors and independent researchers subsequently identified the malware as a wormable ransomware variant with functional and technical similarities to Petya. Based on these similarities and continuing confusion, the malware has been dubbed Nyetya, Petna, ExPetr, and NotPetya, among others. It has been linked with a large number of infections, a significant proportion of which affected machines in Ukraine, though at the time of writing the overall number of infections is not known.
How NotPetya Works
Once installed, the malware functioned similarly to Petya, checking for the availability of Administrator privileges by using the Windows API AdjustTokenPrivileges function. If this was successful, the malware would overwrite the infected machine’s Master Boot record (MBR), rendering it unbootable. If this was not possible, AES-128 keys were used to encrypt each individual file, with the AES keys subsequently being encrypted using an RSA-2048 public key. To obtain the private RSA key necessary to recover the AES keys, victims were instructed to transfer $300 USD in Bitcoin to a specified Bitcoin ID and send their wallet ID and victim ID number in an email to a specified address.
With monetary gain as a motivation out the picture, the most likely motivation left for NotPeyta’s behavior is destructive malicious intent. Malicious intent is not synonymous with any single ‘class’ of threat actor, hacktivists ‘do it for the lulz”; nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPeyta does demonstrate an advanced understanding of how to mount a wide spread hard hitting cyber-attack, and to capitalize on this attack with maximum media exposure.
The technology behind this attack is well within the range of many hacktivists and cyber criminals, and so these details have less diagnostic value when considering the ‘who’. Although speculative, there are other factors to consider: the supply chain compromise, efforts at obfuscation, the geography that the malware was deployed in, and the timing of the deployment with Ukrainian national holidays. These point towards an attacker with political motivations behind the attack. It seems that the actor behind the NotPetya variant was politically motivated with an exceptional appetite to conduct cyber-attacks against specific organizations within the Ukraine target geography.
Sadly, cyber-attacks of this nature are not uncommon and so businesses, governments and of course consumers need to take steps to protect themselves against ransomware attacks.
The “basics” aren’t easy, but they should not be forgotten. Both NotPetya and the earlier WannaCry exploited basic and known security vulnerabilities, so segmenting networks and applying basic patching cycles will go a long way to mitigating threats such as this. This will go a long way in mitigating the ‘stray bullet’ factor outlined above.
Think about the soft factors. Defense is not just about technical indicators and warning anymore, ‘soft’ factors such as motivation and geostrategic issues are now not just ‘nice to haves’ but are increasingly critical in the response to malware like NotPetya.
Plan to fail. No amount of good security will entirely remove the risk posed by cyberattacks so it is critical to backup critical data and systems on a regular basis and ensure crisis management and comprehensive data recovery plans are in place and practiced. Extortion and destructive malware response should be in your incident response playbooks.
If you aren’t already doing so, think about the digital risks associated with your supply chain. Sure, not all suppliers are attack vectors for targeted attacks, but many suppliers do not have the mature levels of security. Regardless of the alleged culpability of MEDoc, the deployment mechanism does highlight the attention that we all need to start paying to supply chain compromise.
Defense in depth. Digital Shadows advocate using a ‘defense in depth’ strategy guided by four main principles: configuring host-based firewalls and using IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.