<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

Defrag This - NotPetya: Is it for the Money or the Infrastructure?

Greg Mooney| July 21 2017

| Podcasts, security

Here’s a deep dive on the recent NotPetya malware attacks and a peek at what future cyberattacks could look like.

iTunes | Stitcher | Google Play | TuneIn Radio | SoundCloud


 
 
 
 
 
18:02
 
 
 
18:02
 
 
 
 
 
 
 
 
 
 
Wistia video thumbnail - Defrag This - Episode 14 - NotPetya
15:50
 

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?

Cancel
message
 
 
 
 
 
 
 

Doing taxes is generally painful enough, but recently users of Ukrainian tax and accounting software MEDoc had an even rougher tax time experience than usual when an update to the software infected their computers with ransomware.

At first glance, it looks like another ransomware called Petya, but a closer look at the infectious code makes it quite obvious that this is NotPetya.

In fact, despite the masquerade, it’s not really even ransomware. Instead, it’s the slightly more insidious cousin: malware.

Let’s take a closer look at this latest cyber attack and what it might mean for the future.

How NotPetya Spread

Defrag_This_-_14_NotPetya_(blog_post_image_1).jpg

NotPetya garnered its name because it uses the ransomware platform of Petya, even though it is an almost completely different and far more intelligent program.

In many ways, it is actually more like WannaCry, the malware that garnered attention in May of this year. Both programs take advantage of the Eternal Blue or Eternal Romance exploit, which remains unpatched on many computers. The two programs also have similar search patterns.

Listen: Defrag This - WannaCry

That last feature is a clue that this could be the work of the Lazarus Group, which puts them on a shortlist of likely candidates and potentially implicates North Korea.

Also like WannaCry, although it acts like ransomware with prompts to a bitcoin account, the design of the ransom request is so clumsy that it seems unlikely that money is the real end goal.

Also interesting is that—unlike Petya and WannaCry—NotPetya doesn’t propagate across the internet. It appears to originate exclusively from the tainted update to the tax software and spreads through the infected company.

How NotPetya Attacks

Once the infected update hits the target computer, it attacks the DLL file and copies itself into memory. Its first order of business is anti-forensics; specifically, it writes a bunch of 0s into the DLL file before deleting the whole thing to better cover its tracks.

The next step is propagating through the share drives. The malware dumps existing credentials out of memory using an interface to local security administrative servers. Then, it pushes itself to remote share drives where it escalates privileges and executes itself.

In a nutshell, it’s far more sophisticated than typical ransomware.

Current Damage Levels

Given that the Typhoid Mary tax software deals specifically with Ukrainian taxpayers, that nation was the hardest hit. Multiple companies caught the disease, including Kiev’s airport and the automated systems at Chernobyl.

However, other companies with a reason to pay taxes in Ukraine caught it, too. This includes a Russian oil company, a Danish shipping company, an American pharmaceutical company, and a Tazmanian Cadbury factory.

The impact wasn’t as broad as, for instance, WannaCry, but what it hit, it affected significantly.

Future Problems

There are three types of cyber attack seen today, and chances are good that they’re only going to increase in frequency and sophistication.

For starters, data breaches have become so common that if the media reports on them at all, it probably won’t make the front page. As long as these attacks continue to turn a profit, we’ll certainly keep seeing them.

Then there’s ransomware like Petya. These attacks will likely not only continue but also improve, or at least grow in sophistication, as criminals begin making more obvious and targeted attacks on backups.

Finally, the most worrisome attacks are against national critical infrastructure. Nation-state actors are getting a bit bolder and far more sophisticated. NotPetya may look like a ransomware, but many investigators see it as a nation-state attack that could just be a harbinger of things to come.

Defrag_This_-_14_NotPetya_(blog_post_image_2)-1.jpg

Conclusion

NotPetya wasn’t the most devastating cyber attack to date, due to its relatively narrow target.

However, this malware masquerading as ransomware shows that these attacks are getting steadily more sophisticated, and it points to a troubling trend towards infrastructure sabotage that could be as devastating as any natural disaster.

This post is based on an interview with Scott Foote, CEO of Protinuum.

You can find this interview, and many more, by subscribing to Defrag This. Listen to the episode that this post was based on here.

Topics: Podcasts, security

Leave a Reply

Your email address will not be published. Required fields are marked *

THIS POST WAS WRITTEN BY Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.