
Latest EternalBlue Attack: NotPetya is a wiper disguised as Ransomware

So in the latest use of the EternalBlue exploit kit that has been released into the wild, there is a new ransomware that follows in the footsteps of the WannaCry ransomware, being dubbed PetyaWrap.  So far this ransomware has hit several large companies across the globe, including Merck Pharmaceuticals, Maersk Shipping, DLA Piper and more...  The main differences between this ransomware attack and WannaCry are that this one is encrypting at the file system level as opposed to individual files, it is stealing usernames and passwords from the systems, and so far there appears to be no kill switch.

https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

Quote

According to researchers at Recorded Future, Tuesday's attacks appear to deliver two payloads. One is the new version of the Petya ransomware package. Tuesday's version, which some researchers have started calling PetyaWrap, holds data hostage until users pay $300 in Bitcoins. The other payload is an information stealer that extracts usernames and passwords from victim computers and sends the data to a server controlled by the attackers. That would mean that while an infected computer has been rendered inoperable by the ransomware, the attackers would already have access to potentially high-value credentials that were stored on the machine.

 

Researchers with AV provider Eset said in a blog post that unlike many ransomware packages, PetyaWrap doesn't encrypt individual files. Instead the encryption is aimed at a computer's entire file system. The ransomware targets the computer's master boot record, which is a crucial piece of data that allows a computer to locate its operating system and other key components.

 

Tuesday's attack spread widely almost immediately. It initially took hold in Ukraine, but soon it reportedly spread to Spain, France, Russia, and the United States. WPP, the British ad company, said on Twitter that some of its IT systems were hit by a cyber attack. Its website remained unreachable as this post was going live. Meanwhile, Reuters reported that Ukrainian state power distributor Ukrenergo said its IT systems were also hit by a cyber attack but that the disruption had no impact on power supplies or broader operations.

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

Quote

Reports are coming fast and furious from multiple sources now, all reporting Petya's virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.

 

So far, the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.

 

A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage that this version is also crackable. In the past, the author of the Petya ransomware, a crook named Janus Secretary, has offered a combo of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.

 

While WannaCry was stopped by a "killswitch" mechanism, this Petya version doesn't seem to be affected by such a weakness.

I guess this is a good welcome to the wild world of the future of exploits and of not having your systems up to date with patches...  Of course, this may cause Bitcoin prices to jump again.

EDIT: Adding Bitcoin address:

Thanks to @The Benjamins for providing the below link to the Bitcoin blockchain address:

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

 

As of this edit, it appears to have collected about 2.14 Bitcoins' worth of transactions...

EDIT 2: Thanks to @verytiny for bringing up an announcement from Posteo that they have blocked the email address that was being used and are working with local federal authorities.

https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday

In addition, one of the bits of information listed on Ars Technica concerning how this bug is spreading is that it uses booby-trapped phishing emails and the PsExec command-line tool, so that if it is able to penetrate a computer by any one vector, it can then spread throughout the network.

EDIT 3:  According to Bleeping Computer, security researchers have found a 'vaccine' to prevent system infection, but have not found a killswitch for the attack yet.

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

Quote

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.  For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you. 

There is a step-by-step in the article on how to do this; however, it is important to note that this is only for the current version of the ransomware.

At the same time, it is being strongly speculated that the initial infection may have originated from a tainted software package from the Ukrainian-based M.E.Doc, compromised by an unknown attacker.

https://www.bleepingcomputer.com/news/security/petya-ransomware-outbreak-originated-in-ukraine-via-tainted-accounting-software/

UPDATE:

Well, this is interesting.  According to an update from Ars Technica, antivirus researchers are determining that this malware attack was not a ransomware attack but a wiper attack, with the ransom note as more of a red herring to try and throw people off.  Welcome to the digital nuclear arms race, where pretty soon all countries will have digital WMDs and be threatening all the other countries with digital Mutually Assured Destruction of critical systems.
 
https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/

Quote

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.
...
In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.
 
"The ransomware was a lure for the media," researcher Matt Suiche of Comae Technologies, wrote in a blog post published Wednesday. "This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon." He went on to write: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."
 
Suiche provided the above side-by-side code comparison contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible.

UPDATE 2: 

Not sure if this will be the last update, but there is some additional information coming out that a separate, smaller ransomware attack occurred around the same time as the NotPetya attack. It was coded to look similar to the WannaCry attack; however, it did not employ any of the WannaCry NSA exploits and was written in .NET as opposed to C.  Interestingly, this bit of ransomware was discovered to be embedded in the M.E.Doc folder of the computer.  This would make it the fourth ransomware cyberattack to target Ukraine heavily within the last month and a half, as well as the fourth to be deployed and passed off as a member of another malware family.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/

Quote

A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya.

 

The ransomware was discovered today by a security researcher who goes online only by the name of MalwareHunter.

 

The researcher says the ransomware got his attention because mostly Ukrainian victims were submitting samples for analysis on VirusTotal.

 

In the past month and a half, Ukraine has been bombarded with ransomware campaigns. The first was XData (mid-May), the second was PSCrypt (last week), and then NotPetya (started on Tuesday).

 

According to the researcher, this fourth ransomware campaign started on Monday, one day before NotPetya, and piqued his interest because of several reasons.

 

The one clue that stood out was the location of the ransomware's component, which was: "C://ProgramData//MedocIS//MedocIS//ed.exe"

 

This file path is specific to M.E.Doc IS-pro, a software application used for accounting in Ukraine. Both XData and the NotPetya ransomware outbreaks used the update servers of M.E.Doc to deliver their ransomware payloads. Microsoft, Kaspersky, Cisco, and other cyber-security companies have specifically pinpointed M.E.Doc software update servers as the source of the NotPetya outbreak.


It is unclear if this recently discovered ransomware reached users via a trojanized update from the same server or a trojanized M.E.Doc app installed from scratch.

 

Since the start of the NotPetya ransomware outbreak that affected countries all over the world, M.E.Doc has consistently denied that it ever hosted trojanized versions of its apps.

 

On Facebook, M.E.Doc says it enlisted the help of Cisco experts to clear its name and investigate what really happened on its servers. In an email to Bleeping Computer, the company also said it invited officers from the Department of Cyber Police to also investigate what happened.

 

While Cisco and Ukrainian authorities are looking into identifying the real culprit behind the M.E.Doc server hijacking, it's now becoming clear that there might be another ransomware that used the same server to infect victims, albeit with less successful results than NotPetya.

 

Edited by WMGroomAK
Updated information
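The PsExec propagation leg mentioned in EDIT 2 above is something a defender can actually look for: PsExec works by installing a service named PSEXESVC on the target machine, and Windows records every service installation in the System log as Event ID 7045 ("A service was installed in the system"). The script below is an added example written for this page, not code from the original post or from any of the articles it quotes. Its event records are constructed to resemble centrally collected 7045 events; the field names (time, computer, event_id, service_name, image_path, account) are this example's assumptions, not a real export format. A single PsExec service install is routine admin work, so the heuristic only alerts when one account installs it on several hosts inside a short window, which is what "hundreds of computers on the same network in a matter of minutes" looks like in the logs.

```python
"""Flag PsExec-style lateral movement from Windows Event ID 7045 records.

The SAMPLE_EVENTS below are constructed for this example, modelled on
System log event 7045 ("A service was installed in the system") after
central collection. They are not logs from a real incident, and the field
names are an assumption of this example, not a standard export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# PsExec drops PSEXESVC.exe into %SystemRoot% and registers it as a service.
PSEXEC_MARKER = "PSEXESVC"

SAMPLE_EVENTS = [
    # Legitimate one-off admin use earlier in the day: one host, one install.
    {"time": "2017-06-27T08:00:12", "computer": "WS-0099", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\helpdesk"},
    # Unrelated service install (a software updater) that must not be flagged.
    {"time": "2017-06-27T10:00:00", "computer": "WS-0300", "event_id": 7045,
     "service_name": "gupdate", "image_path": r"C:\Program Files\Updater\svc.exe",
     "account": "LocalSystem"},
    # Burst: one account installing PSEXESVC on four hosts inside three minutes.
    {"time": "2017-06-27T11:02:10", "computer": "WS-0141", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc_admin"},
    # Service state change (7036) on the same host: wrong event ID, ignored.
    {"time": "2017-06-27T11:02:12", "computer": "WS-0141", "event_id": 7036,
     "service_name": "PSEXESVC", "image_path": "", "account": "CORP\\svc_admin"},
    {"time": "2017-06-27T11:02:44", "computer": "WS-0142", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc_admin"},
    {"time": "2017-06-27T11:03:05", "computer": "WS-0143", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc_admin"},
    # Constructed variant: service name changed, but the binary path still
    # names PSEXESVC, so the image-path check catches it.
    {"time": "2017-06-27T11:04:30", "computer": "SRV-FILE01", "event_id": 7045,
     "service_name": "winmgmt2", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc_admin"},
]


def is_psexec_install(event: dict) -> bool:
    """True for a 7045 whose service name or binary path names PSEXESVC."""
    if event.get("event_id") != 7045:
        return False
    name = event.get("service_name", "").upper()
    path = event.get("image_path", "").upper()
    return PSEXEC_MARKER in name or PSEXEC_MARKER in path


def detect_psexec_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """One alert per account that installed PsExec on >= min_hosts distinct
    computers within `window`. Isolated installs are left alone."""
    by_account = defaultdict(list)
    for ev in events:
        if is_psexec_install(ev):
            by_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["computer"]))
    alerts = []
    for account, hits in by_account.items():
        hits.sort()  # chronological, so each hit can open a sliding window
        best = None
        for i, (start, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "window_start": start.isoformat(),
                        "hosts": sorted(hosts)}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec_bursts(SAMPLE_EVENTS):
        print(f"{alert['account']} installed PsExec on {len(alert['hosts'])} hosts "
              f"from {alert['window_start']}: {', '.join(alert['hosts'])}")
```

Feed it an export of 7045 events from wherever your System logs are collected and tune `window` and `min_hosts` to how much PsExec your admins normally use; the helpdesk record above shows why a single install is not worth an alert on its own. This catches only the PsExec leg of the propagation described in the thread, not infections delivered through the phishing emails or the SMB exploit.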

If it's only encrypting the MBR then who gives a shit, it's easy to rebuild that.


The BTC account is at $6,500 now


14 minutes ago, AnonymousGuy said:

If it's only encrypting the MBR then who gives a shit, it's easy to rebuild that.

If only it was that simple...  According to the Bleeping Computer article, it encrypts the Master File Tree tables and then overwrites the MBR with a custom bootloader that displays the ransom note and prevents the computer from rebooting.


6 minutes ago, WMGroomAK said:

If only it was that simple...  According to the Bleeping Computer article, it encrypts the Master File Tree tables and then overwrites the MBR with a custom bootloader that displays the ransom note and prevents the computer from rebooting.

couldn't you run a data recovery software to scan the drive for files?


So exactly why are port control computers and nuclear station monitoring computers connected to any network that has an internet connection in the first place? That shit should be locked behind 4 doors with separate keys, all with armed checkpoints. Same goes for hospital computers. The only way to access files on any of these systems should be on-site, and the computers connected to that shouldn't have an internet connection.


4 minutes ago, The Benjamins said:

couldn't you run a data recovery software to scan the drive for files?

It might be possible...  My guess is that you would need to take that system completely offline in order to escape the new bootloader ransom note issue and then access the drive as a separate non-bootable drive in order to be able to even begin attempting recovery.  Not sure if it would be possible with drives in a RAID config though.  If anyone wants to test this out in a VM or on a dummy computer and let us know the results, I would like to hear about them, but I don't have the spare PCs to play with this.

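Following up on the exchange above about whether the MBR is "easy to rebuild" and how you would start recovery with the disk pulled and attached to a clean machine as a non-boot drive: the first thing a responder does with that disk (or a dd image of it) is check what is actually sitting in sector 0. The script below is an added example written for this page, not code from the original thread or from any of the articles it quotes. It reads the first 512-byte sector, validates the 55AA boot signature and the four partition entries, and compares the boot code against a SHA-256 hash taken from a known-good build image. Both sample sectors are constructed here (a stand-in "clean" Windows-style MBR and one whose boot code has been swapped for filler); neither is NotPetya's real bootloader. The caveat raised in the thread still applies: this tells you whether the bootloader was replaced, not whether the MFT survived, so rewriting a clean MBR is only the first step.

```python
"""MBR triage for a disk pulled from a suspected NotPetya victim.

Reads the first 512-byte sector of a disk or image, validates its structure,
and compares the boot code with a hash taken from a known-good build image.
All sample sectors below are constructed for this example and are NOT
NotPetya's actual bootloader code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8        # bytes 0..439 are boot code; disk signature starts at 0x1B8
PARTITION_TABLE_OFFSET = 446 # four 16-byte partition entries
BOOT_SIGNATURE = 0xAA55      # stored little-endian as 55 AA at offset 510
PART_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a block device or a raw image file (read-only)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR; used only to construct the sample inputs.

    partitions: up to four (status, type, lba_start, sector_count) tuples.
    """
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 0x1B8, 0x1234ABCD)   # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, disk signature, non-empty partition entries, boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    (sig,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sector_count": count})
    return {
        "signature_ok": sig == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
    }


def triage_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """Human-readable findings; an empty list means the MBR looked untouched."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good image: bootloader replaced")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sector_count"] == 0:
            findings.append(f"partition {p['index']} has an empty LBA range")
    return findings


# Constructed stand-in for a healthy Windows MBR: the usual prologue
# (xor ax,ax / mov ss,ax / mov sp,7C00h) followed by zero padding.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c")
NTFS_PARTITION = (0x80, 0x07, 2048, 204800)  # bootable, type 7 (NTFS), 100 MiB at LBA 2048
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, [NTFS_PARTITION])
KNOWN_GOOD_HASH = parse_mbr(CLEAN_SECTOR)["boot_code_sha256"]  # would come from a gold image

# Constructed "tampered" sector: same partition table, boot code replaced by filler.
TAMPERED_SECTOR = build_sector(b"\xeb\xfe" + b"\x90" * 300, [NTFS_PARTITION])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, triage_mbr(sec, KNOWN_GOOD_HASH) or ["no findings"])
```

For a real disk, call `read_first_sector` on the device node or on a dd image, from a clean boot medium so the replaced bootloader never gets to run, and take `KNOWN_GOOD_HASH` from an identically built machine. Note that this only applies to MBR-partitioned disks; a GPT disk carries a protective MBR whose partition table looks very different (a single type 0xEE entry, normally not flagged bootable), so the baseline must come from the same disk layout or the bootable-flag check will fire on a healthy drive.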

2 minutes ago, WMGroomAK said:

It might be possible...  My guess is that you would need to take that system completely offline in order to escape the new bootloader ransom note issue and then access the drive as a separate non-bootable drive in order to be able to even begin attempting recovery.  Not sure if it would be possible with drives in a RAID config though.  If anyone wants to test this out in a VM or on a dummy computer and let us know the results, I would like to hear about them, but I don't have the spare PCs to play with this.

I have VMs running but I don't have the virus


4 minutes ago, cj09beira said:

i guess its time to unpower the nas again

Yup, shutting mine down.  I do have very recent backups, but I'd rather not waste hours re-installing and re-configuring the NAS and copying 10+TB back to it.


If you use bitcoin, shouldn't you have some idea of how the internet works? Why do these people still pay?! Is humanity that desperate?


Unless you're actively getting silly malware infections on the daily, this isn't anything to worry about. 

 

People getting paranoid bringing down their storage.


why is russia hacking russia?


18 minutes ago, ttam said:

Unless you're actively getting silly malware infections on the daily, this isn't anything to worry about. 

 

People getting paranoid bringing down their storage.

 

That's not true at all. Well-known sites are getting compromised primarily by ads, or the lack of monitoring them. "Common sense browsing" is no longer a thing.


18 minutes ago, crosstiger said:

If you use bitcoin, shouldn't you have some idea of how the internet works? Why do these people still pay?! Is humanity that desperate?

Most of the people who pay don't actually use Bitcoin normally, that and it tends to be companies that need their data.


Damn those are some really big companies that got hit. Brutal.


6 minutes ago, Captain Chaos said:

Wouldn't like to be that store's IT guy ...

I'd be fine with it. If the IT staff had half a brain, they would have backups and images ready to deploy. They could have all systems back up and running within 30 minutes.


20 minutes ago, DeadEyePsycho said:

Most of the people who pay don't actually use Bitcoin normally, that and it tends to be companies that need their data.

That doesn't sound better at all, if even a group of people still won't get it... Sad sad situation


1 minute ago, crosstiger said:

That doesn't sound better at all, if even a group of people still won't get it... Sad sad situation

Never said it was better.


E-mail used by the ransomware has been disabled by the mail provider. Those who pay will not get their system decrypted.

https://www.theverge.com/2017/6/27/15881110/petya-notpetya-paying-ransom-email-blocked-ransomware

Quote

After thousands of infections, the new Petya ransomware has run into its first major problem, as a German email provider has blocked the email account the virus was using to manage ransom demands. Victims should be advised not to pay into the wallet, since it’s unlikely the attackers can successfully decrypt systems at this point.

The problem is caused in part by Petya’s unorthodox method for collecting ransom payments. Most ransomware programs create a unique wallet for each infection, making it easy to know which victim is responsible for each payment. But Petya broke with that practice, asking every victim to send their $300 payment to the same single bitcoin wallet, then send an email to wowsmith123456@posteo.net with a unique identifier to confirm payment and receive the decryption keys.

 

But in the wake of today's globe-spanning infections, Posteo announced today that all account access to the "wowsmith" address has been blocked, making it impossible for the group to read or respond to any messages sent to the address.

 
