Everything you wanted to know about NotPetya but were afraid to ask

Positive Technologies researchers present detailed analysis of new malware and recommendations on how to stay safe

Hot on the heels of last month's WannaCry attack, new ransomware called NotPetya surfaced on 27 June, striking more than 80 companies across Ukraine and Russia. This latest attack, however, is not at all connected with WannaCry.

Among the victims are Ukrainian and Russian companies, including Nova Poshta, Zaporozhyeoblenergo, Dneproenergo, Oschadbank, TRK Lux, Mondelēz International, TESA, Nivea, Mars, mobile operators LifeCell, UkrTeleCom, and Kyivstar, as well as many others. In Kiev, some ATMs and payment terminals were infected as well. The first attacks were detected in Ukraine.

Our researchers' analysis of the ransomware showed that NotPetya encrypts the master boot record (MBR) of the hard disk and overwrites it. The MBR is the first sector on any hard disk and contains a partition table and a loader, which uses the table to determine which partition to boot from. The original MBR is saved to sector 0x22 of the disk and is encrypted by byte-wise XORing with 0x07.
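As an added forensic example (not Positive Technologies code), the following Python decodes the saved copy from sector 0x22 of a raw disk image and parses its partition table; it assumes 512-byte sectors and a classic MBR layout, and the sample image is constructed in memory so it runs offline.

```python
import struct

SECTOR_SIZE = 512
BACKUP_SECTOR = 0x22      # NotPetya saves the original MBR to this sector...
XOR_KEY = 0x07            # ...after XORing every byte with 0x07
MBR_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def recover_original_mbr(image: bytes) -> bytes:
    """Decode the saved MBR from sector 0x22; raise ValueError if the image is too
    short or the decoded sector lacks the 0x55AA boot signature."""
    start = BACKUP_SECTOR * SECTOR_SIZE
    saved = image[start:start + SECTOR_SIZE]
    if len(saved) != SECTOR_SIZE:
        raise ValueError("image too short to contain sector 0x22")
    mbr = bytes(b ^ XOR_KEY for b in saved)
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0x22 does not decode to an MBR (no 0x55AA signature)")
    return mbr


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the classic four-slot table at offset 0x1BE."""
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, mbr, 0x1BE + 16 * slot)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def build_sample_image() -> bytes:
    """Constructed image: zeroed sector 0 stands in for the malicious loader and the
    original MBR sits XOR-0x07 encoded at sector 0x22."""
    original = bytearray(SECTOR_SIZE)
    original[:4] = b"\x33\xc0\x8e\xd0"  # xor ax,ax / mov ss,ax: a typical loader prologue
    struct.pack_into(PART_ENTRY, original, 0x1BE, 0x80, 0x07, 2048, 204800)  # bootable NTFS
    original[510:512] = MBR_SIGNATURE
    image = bytearray(SECTOR_SIZE * (BACKUP_SECTOR + 1))
    image[BACKUP_SECTOR * SECTOR_SIZE:] = bytes(b ^ XOR_KEY for b in original)
    return bytes(image)


if __name__ == "__main__":
    for entry in parse_partition_table(recover_original_mbr(build_sample_image())):
        print(entry)
```

On a real image the recovered 512 bytes can be written back to sector 0 with dd after the disk has been imaged and the partition entries checked against the known layout.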

After a malicious file is opened on the target computer, the malware creates a scheduled task to restart the computer after a delay of 1–2 hours. During this short window, it is possible to run the bootrec /fixmbr command to restore the MBR and the operating system. This allows the system to start even after it has been compromised, but does not help with decrypting files.

A unique AES key is generated for each disk. This key remains in memory until encryption is completed. It is encrypted using a public RSA key and then deleted. After encryption is complete, the user's data cannot be recovered without the corresponding private key. Files are encrypted to a depth of 15 folders maximum; files that are nested deeper than 15 folders seem to be safe (at least from the current version of the ransomware).

If the disk is successfully encrypted, the computer restarts and a message is displayed on screen, demanding a ransom of $300 (approximately 0.123 bitcoins as of June 27, 2017) for the decryption key. Victims are asked to transfer funds to Bitcoin wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. A few hours after the attack began, the wallet was receiving transactions with the requested amount—some victims preferred to pay the ransom without waiting for researchers to analyze the malware and come up with a file recovery tool.

Within a few hours, the number of transactions tripled.

Resilient and able to spread rapidly

NotPetya uses TCP ports 135, 139, and 445 to spread via the SMB and WMI services. Spreading to other hosts on a network occurs in several ways: Windows Management Instrumentation (WMI) and PsExec, as well as an exploit for the MS17-010 vulnerability (EternalBlue). WMI is a technology for centralized management and monitoring of Windows-based infrastructure. PsExec is widely used for Windows administration and allows running processes on remote systems. However, WMI and PsExec require local administrator privileges to run, which means that by these two paths NotPetya can spread only from computers on which users have maximum OS privileges. The EternalBlue exploit allows gaining maximum privileges on an affected system. The ransomware also uses the publicly available utility Mimikatz to obtain credentials of all Windows users in plaintext, including local administrators and domain users. This diverse toolkit enables NotPetya to spread even on up-to-date infrastructures where the lessons of WannaCry were heeded, which is what makes the ransomware so effective.

During penetration tests of corporate infrastructures, Positive Technologies pentesters regularly see vulnerability to the EternalBlue exploit (44 percent of audits to date in 2017), as well as successful use (in every audit) of Mimikatz to develop an attack and gain full control of a domain.

In effect, NotPetya has the ability to "snowball" and infect one computer after another. This allows the ransomware to also compromise the domain controller, and to even gain control of all hosts on a domain—a full compromise of infrastructure.

How to determine whether you've been infected by NotPetya or WannaCry

We have already published an analysis of the WannaCry attack and recommendations on how to identify vulnerable systems and handle infections. Positive Technologies has released a free utility, called WannaCry_Petya_FastDetect, for easy detection of WannaCry and NotPetya. Users of Positive Technologies products are already protected:

  • MaxPatrol detects this vulnerability in both Audit and Pentest modes. Detailed instructions are provided in our recommendations.
  • MaxPatrol SIEM already contains correlation rules for detecting NotPetya attacks.

Positive Technologies researchers have identified a kill switch that can be used to disable NotPetya locally. If NotPetya has administrative privileges in the operating system, then before overwriting the MBR, the ransomware checks for the perfc file (or another empty file with a different name) without an extension in the C:\Windows\ folder (this folder is hardcoded). This file has the same name as the .dll library of the ransomware, but without the file extension.

The presence of such a file in C:\Windows\ may be an indicator of compromise. If the file is present in this folder, malware execution stops—so creating a file with the correct name can stop NotPetya, as long as the infection is still in its beginning stages.

If NotPetya does not detect such a file, the file is created, and malware execution starts. Presumably, creating such a file is needed to prevent the MBR overwriting process from starting repeatedly.

On the other hand, if NotPetya does not initially have administrative privileges, it will not be able to check for an empty file in the C:\Windows\ folder. In this case, file encryption will still start but without overwriting the MBR and restarting the computer.

What to do if you have fallen victim to NotPetya

If your system is already infected, we do not recommend paying money to the attackers. The attackers' email address (wowsmith123456@posteo.net) has been blocked, and even if you pay, it is highly unlikely that you will receive a key for decrypting your files.

To prevent the ransomware from spreading on your network, turn off computers that have not been infected, disconnect infected computers from the network, and make images of the disks of infected computers. If researchers find a way to decrypt the files, this data may be recovered in the future. In addition, disk images can be used to analyze the ransomware, which will help researchers in their work.

How to stay safe from NotPetya and other threats

  • Companies should regularly train employees to improve awareness of information security issues, including social engineering. Follow up to make sure that training is bringing the necessary results.
  • Install antivirus software that cannot easily be disabled: self-protection should require a special password for disabling or changing antivirus settings.
  • Minimize user privileges.
  • Regularly update software and operating systems on all hosts on corporate infrastructure. Implement a consistent process for managing vulnerabilities and updates.
  • Information security audits and penetration tests are essential for timely detection of protection deficiencies and vulnerabilities.
  • Monitor the corporate network perimeter continuously. Limit Internet-accessible network service interfaces and adjust firewall configurations in a timely manner.
  • To quickly detect and respond to attacks, monitor internal network infrastructure, such as with a SIEM system.

The following indicates a NotPetya infection:

  • Presence of the file C:\Windows\perfc
  • A task in Windows Scheduler with an empty name and the action (reboot) "%WINDIR%\system32\shutdown.exe /r /f"
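The kill-switch paragraph above and this indicator list describe the same two host artifacts. As an added example (not Positive Technologies code), the following Python flags both in constructed Sysmon-like telemetry; the event field names and the expansion of %WINDIR% to C:\Windows are assumptions.

```python
import ntpath
import re

WINDIR = r"C:\Windows"   # assumption: %WINDIR% / %SystemRoot% expand to the default location
# Scheduler indicator from the article: unnamed task, action "%WINDIR%\system32\shutdown.exe /r /f".
REBOOT_ACTION = re.compile(
    r"^(?:%windir%|%systemroot%|c:\\windows)\\system32\\shutdown\.exe\s+/r\s+/f\s*$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Expand the Windows-folder variables and fold case for a stable comparison."""
    expanded = re.sub(r"%(?:windir|systemroot)%", lambda _: WINDIR, path, flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()


def is_perfc_marker(path: str) -> bool:
    """True only for the extensionless file 'perfc' directly in the Windows folder.
    The article says the marker may instead carry the ransomware DLL's name; only the
    published name 'perfc' is checked here."""
    folder, name = ntpath.split(normalize_path(path))
    return folder == WINDIR.lower() and name == "perfc"


def is_reboot_task(task: dict) -> bool:
    """Empty task name combined with the forced-restart shutdown action."""
    return task.get("name", "") == "" and REBOOT_ACTION.match(task.get("action", "")) is not None


def scan(events: list) -> list:
    """Return one finding string per event that matches either indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and is_perfc_marker(ev["path"]):
            findings.append(f"{ev['host']}: perfc marker file created at {ev['path']}")
        elif ev["type"] == "task_create" and is_reboot_task(ev):
            findings.append(f"{ev['host']}: unnamed scheduled task runs {ev['action']}")
    return findings


SAMPLE_EVENTS = [  # constructed, Sysmon-like telemetry; the field names are an assumption
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\perfc"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\perfc.dat"},       # the DLL itself
    {"host": "ws02", "type": "file_create", "path": r"C:\Windows\System32\perfc"},  # wrong folder
    {"host": "ws01", "type": "task_create", "name": "", "action": r"%WINDIR%\system32\shutdown.exe /r /f"},
    {"host": "ws03", "type": "task_create", "name": "Backup", "action": r"C:\Tools\backup.exe /full"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```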

IDS/IPS rule triggers for NotPetya detection:

  • msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001254; rev: 2
  • msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; sid: 10001255; rev: 3
  • msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; sid: 10001256; rev: 2
  • msg: "[PT Open] Petya ransomware perfc.dat component"; sid: 10001443; rev: 1
  • msg: "[PT Open] SMB2 Create PSEXESVC.EXE"; sid: 10001444; rev: 1

Signatures for NotPetya detection: