Here’s a deep dive on the recent NotPetya malware attacks and a peek at what future cyberattacks could look like.
Doing taxes is generally painful enough, but recently users of Ukrainian tax and accounting software MEDoc had an even rougher tax time experience than usual when an update to the software infected their computers with ransomware.
At first glance, it looks like the existing ransomware called Petya, but a closer look at the infectious code makes it quite obvious that this is NotPetya.
In fact, despite the masquerade, it isn’t really ransomware at all. Instead, it’s the slightly more insidious cousin: malware dressed up as ransomware.
Let’s take a closer look at this latest cyber attack and what it might mean for the future.
How NotPetya Spread
NotPetya garnered its name because it uses the ransomware platform of Petya, even though it is an almost completely different and far more intelligent program.
In many ways, it is actually more like WannaCry, the malware that garnered attention in May of this year. Both programs take advantage of the EternalBlue or EternalRomance exploits, which remain unpatched on many computers. The two programs also have similar search patterns.
That last feature is a clue that this could be the work of the Lazarus Group, which puts them on a shortlist of likely candidates and potentially implicates North Korea.
Also like WannaCry, although it acts like ransomware, prompting victims to pay into a bitcoin account, the ransom request is so clumsily designed that money seems unlikely to be the real end goal.
Also interesting is that—unlike Petya and WannaCry—NotPetya doesn’t propagate across the internet. It appears to originate exclusively from the tainted update to the tax software and spreads through the infected company.
How NotPetya Attacks
Once the infected update hits the target computer, the malware’s DLL is loaded and it copies itself into memory. Its first order of business is anti-forensics: it overwrites the DLL file on disk with zeros and then deletes it, to better cover its tracks.
The next step is propagating through the share drives. The malware dumps credentials already present in memory through an interface to the local security authority service. Then it pushes itself to remote share drives, where it escalates privileges and executes itself.
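The chain just described (a loaded DLL whose on-disk copy is zero-filled and deleted, a read of the local security authority process, then writes to many remote shares) is exactly the kind of sequence a defender can correlate in endpoint telemetry. The following is an added detection example, not code from the original post or from any vendor; the event names, field names and sample log lines are constructed assumptions loosely modelled on EDR-style telemetry, and the thresholds (60-second window, three distinct remote hosts, 90% zero bytes) are illustrative.

```python
"""Correlate endpoint telemetry for the NotPetya-style chain described above:
a DLL is loaded, its file is zero-filled and deleted (anti-forensics),
the local security authority process is accessed, and the same process
then writes to several remote shares. Events and field names are constructed
assumptions for this example, not a real product's schema."""
import json
from collections import defaultdict

# Constructed sample telemetry (JSON lines). pid 4242 shows the full chain;
# pid 7001 is a benign installer that loads a DLL and touches a single share.
SAMPLE_LOG = r"""
{"ts": 100, "host": "ws01", "pid": 4242, "event": "image_load", "path": "C:\\ProgramData\\upd\\x.dll"}
{"ts": 101, "host": "ws01", "pid": 4242, "event": "file_write", "path": "C:\\ProgramData\\upd\\x.dll", "zero_fraction": 1.0}
{"ts": 102, "host": "ws01", "pid": 4242, "event": "file_delete", "path": "C:\\ProgramData\\upd\\x.dll"}
{"ts": 105, "host": "ws01", "pid": 4242, "event": "process_access", "target": "lsass.exe"}
{"ts": 110, "host": "ws01", "pid": 4242, "event": "smb_write", "dest": "ws02", "share": "admin$"}
{"ts": 111, "host": "ws01", "pid": 4242, "event": "smb_write", "dest": "ws03", "share": "admin$"}
{"ts": 112, "host": "ws01", "pid": 4242, "event": "smb_write", "dest": "fs01", "share": "admin$"}
{"ts": 200, "host": "ws01", "pid": 7001, "event": "image_load", "path": "C:\\Program Files\\Vendor\\setup.dll"}
{"ts": 201, "host": "ws01", "pid": 7001, "event": "file_write", "path": "C:\\Program Files\\Vendor\\setup.log", "zero_fraction": 0.0}
{"ts": 202, "host": "ws01", "pid": 7001, "event": "smb_write", "dest": "fs01", "share": "installers"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines, ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_self_wipe(events, window=60, zero_threshold=0.9):
    """True if a loaded image's own file is zero-filled and then deleted within `window` seconds."""
    loads = {}      # path -> timestamp the image was loaded
    wiped = set()   # loaded paths that were subsequently overwritten with zeros
    for e in events:
        if e["event"] == "image_load":
            loads[e["path"]] = e["ts"]
        elif (e["event"] == "file_write" and e["path"] in loads
              and e.get("zero_fraction", 0) >= zero_threshold
              and e["ts"] - loads[e["path"]] <= window):
            wiped.add(e["path"])
        elif (e["event"] == "file_delete" and e["path"] in wiped
              and e["ts"] - loads[e["path"]] <= window):
            return True
    return False


def detect_credential_access(events):
    """True if the process opened a handle to the local security authority process."""
    return any(e["event"] == "process_access" and e.get("target", "").lower() == "lsass.exe"
               for e in events)


def detect_lateral_spread(events, window=60, min_hosts=3):
    """True if the process wrote to at least `min_hosts` distinct remote hosts within `window`."""
    writes = [e for e in events if e["event"] == "smb_write"]
    for i, first in enumerate(writes):
        dests = {w["dest"] for w in writes[i:] if w["ts"] - first["ts"] <= window}
        if len(dests) >= min_hosts:
            return True
    return False


def correlate(events):
    """Group events by (host, pid) and return the list of findings per process."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)
    results = {}
    for key, evs in by_proc.items():
        findings = []
        if detect_self_wipe(evs):
            findings.append("self_wipe")
        if detect_credential_access(evs):
            findings.append("credential_access")
        if detect_lateral_spread(evs):
            findings.append("lateral_spread")
        results[key] = findings
    return results


def severity(findings):
    """All three stages together are the high-confidence signal; one alone is only a lead."""
    if len(findings) == 3:
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    for (host, pid), findings in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"{host} pid={pid}: {severity(findings)} {findings}")
```

Each stage on its own is noisy (installers delete their own files, backup agents write to many shares), which is why the example only rates a process "high" when all three stages occur under the same process, in order, inside a short window.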
In a nutshell, it’s far more sophisticated than typical ransomware.
Current Damage Levels
Given that the Typhoid Mary tax software deals specifically with Ukrainian taxpayers, that nation was the hardest hit. Multiple companies caught the disease, including Kiev’s airport and the automated systems at Chernobyl.
However, other companies with a reason to pay taxes in Ukraine caught it, too. This includes a Russian oil company, a Danish shipping company, an American pharmaceutical company, and a Tasmanian Cadbury factory.
The impact wasn’t as broad as, for instance, WannaCry, but what it hit, it affected significantly.
There are three types of cyber attack seen today, and chances are good that they’re only going to increase in frequency and sophistication.
For starters, data breaches have become so common that if the media reports on them at all, it probably won’t make the front page. As long as these attacks continue to turn a profit, we’ll certainly keep seeing them.
Then there’s ransomware like Petya. These attacks will likely not only continue but also improve, or at least grow in sophistication, as criminals begin making more obvious and targeted attacks on backups.
Finally, the most worrisome attacks are against national critical infrastructure. Nation-state actors are getting a bit bolder and far more sophisticated. NotPetya may look like ransomware, but many investigators see it as a nation-state attack that could just be a harbinger of things to come.
NotPetya wasn’t the most devastating cyber attack to date, due to its relatively narrow target.
However, this malware masquerading as ransomware shows that these attacks are getting steadily more sophisticated, and it points to a troubling trend towards infrastructure sabotage that could be as devastating as any natural disaster.
You can find this interview, and many more, by subscribing to Defrag This. Listen to the episode that this post was based on here.