5 years after NotPetya: Lessons learned


On June 27, 2017, the eve of Ukraine’s Constitution Day holiday, a major global cyber attack was launched, infecting more than 80 companies in that country using a brand-new cyber pathogen that became known as NotPetya. 

NotPetya didn’t stay within Ukraine’s borders but spilled out to infect and cause havoc for thousands of organisations across Europe and worldwide.

NotPetya was so named because it was similar to but different from Petya, a self-propagating ransomware virus discovered in 2016 that, unlike other nascent forms of ransomware at the time, was incapable of being decrypted. In another departure from the earlier forms of ransomware, Petya also overwrote and encrypted master boot records and was, therefore, considered more a form of wiper malware than bona fide ransomware.

Phony ransomware that propagated easily

Like Petya, its successor NotPetya was not real ransomware, because encrypted files could not be recovered: the attackers hid behind a fake $300 ransom demand to provide cover for what turned out to be a purely destructive purpose. 

NotPetya emerged five weeks after another dangerous piece of fake ransomware, WannaCry. Considered to be a true “cyberweapon,” NotPetya shared with WannaCry the use of EternalBlue, a cyber tool developed by and stolen from the U.S. National Security Agency (NSA).

Using EternalBlue, NotPetya exploited a vulnerability in Windows’ Server Message Block (SMB) protocol, a flaw that Microsoft had patched months earlier in Windows 10. Nonetheless, all it took for the malware to spread was a single unpatched Windows 10 computer, or a PC running an old version of Windows, within an organisation. 

Working in tandem with EternalBlue was another powerful tool, Mimikatz, an older tool written by a security researcher that could pull passwords out of memory. Together, the two tools allowed the attack to move from machine to machine.
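The propagation pattern described above (one infected host reaching out over SMB to every other machine it can find) is also what makes a worm like this detectable from the network side. The following script is an added example, not code from the article or from any of the vendors it names: it reads a few constructed connection-log lines (timestamp, source, destination, destination port; the format is an assumption) and flags any source that contacts an unusually large number of distinct hosts on TCP port 445 within a short sliding window. The window length and threshold are assumptions to be tuned per environment.

```python
"""Flag worm-like SMB fan-out in connection logs (added defender example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 sweeps seven neighbours on 445 in a few seconds (worm-like);
# 10.0.0.20 repeatedly talks to one file server (normal);
# 10.0.0.30 touches two hosts on 445 over several minutes (normal).
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.5 10.0.0.6 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.7 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.8 445
2017-06-27T10:00:03 10.0.0.5 10.0.0.9 445
2017-06-27T10:00:03 10.0.0.5 10.0.0.10 445
2017-06-27T10:00:04 10.0.0.5 10.0.0.11 445
2017-06-27T10:00:05 10.0.0.5 10.0.0.12 445
2017-06-27T10:00:10 10.0.0.20 10.0.0.21 445
2017-06-27T10:00:11 10.0.0.20 10.0.0.21 445
2017-06-27T10:05:00 10.0.0.30 10.0.0.31 443
2017-06-27T10:06:00 10.0.0.30 10.0.0.32 445
2017-06-27T10:07:00 10.0.0.30 10.0.0.33 445
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def smb_fanout_alerts(events, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: peak_distinct_targets} for every source that reaches
    at least `threshold` distinct hosts on port 445 inside any `window`.

    A sliding window per source is used so a slow, legitimate admin host that
    touches many servers over a day is not confused with a fast-spreading worm.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, conns in per_src.items():
        conns.sort()  # order by timestamp
        start = 0
        for end in range(len(conns)):
            # Advance the window start until it fits within `window` of `end`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} contacted {count} distinct hosts on 445 within 60s")
```

On the constructed sample only 10.0.0.5 is reported. In practice the same logic runs over firewall, NetFlow or EDR connection telemetry, and the alert is a trigger for isolating the source host, which is the one response that actually limits a self-propagating worm once it is inside the perimeter.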

Highly contagious malware from Russia’s GRU

Although some experts considered NotPetya a variant of Petya, the two pieces of malware are generally regarded as separate and distinct, particularly considering how they propagate. NotPetya was far more contagious than Petya, seemingly with no way to stop it from quickly spreading from one host to another.

As NotPetya expert and journalist Andy Greenberg documented, NotPetya crippled shipping giant Maersk, pharmaceutical company Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. 

Altogether the malware caused more than $10 billion worth of global damage. The source of NotPetya was a group of Russian GRU agents known as Sandworm or Unit 74455, believed to be behind a 2015 cyber attack on the Ukrainian power grid, among other damaging cyber incidents.

CSO asked two experts who grappled with the fallout of NotPetya five years ago how they view the 2017 cyber attack in retrospect and what corollaries it might hold for the present-day war by Russia against Ukraine.

Ransomware as a weapon of war

Amit Serper, who was a principal security researcher at Cybereason when NotPetya struck and is now the director of security research at Sternum, was the first person to develop a workaround that disabled NotPetya. 
