Massive, fast-spreading fake-ransomware hits BIG #Petya/#NotPetya

Oops, your important files are encrypted. Or at least, they are if your organization is among the countless victims of this week’s ransom-demanding malware.

Update: What appears to be ransomware now appears to be a destructive wiper, with no hope of data recovery.

But forget WannaCry; this one’s a doozy. With multiple vectors and mesmerizing velocity, what's been dubbed Petya (more on that later) has been causing headaches for IT and security mavens worldwide overnight.

If you see this text, then you’re reading this week’s Security Blogwatch, in which we want to cry (again).

Your humble blog watcher curated these bloggy bits for your entertainment. Not to mention: Feeling cranky?

What’s the craic? Nicole Perlroth, Mark Scott and Sheera “princess of power” Frenkel tag-team to type Cyberattack Hits Ukraine Then Spreads Internationally:

Computer systems from Ukraine to the United States were struck … in an international cyberattack … similar to a recent assault. … Workers were forced to manually monitor radiation at the old Chernobyl nuclear plant. … Tech managers at companies around the world—from Maersk … to Merck …—were scrambling to respond.

The outbreak was the latest … in a series of attacks making use of … hacking tools … stolen from the National Security Agency. … The new attack used the same [NSA] hacking tool, Eternal Blue, that was used in the WannaCry episode. … The vulnerability … used by Eternal Blue was patched by Microsoft in March. [And] Microsoft … said the company’s latest antivirus software should protect against the attack.

Multinational law firm DLA Piper … reported being hit. Hospitals in Pennsylvania were being forced to cancel operations. … Computers in a Cadbury chocolate factory … in Hobart [Australia] had displayed ransomware messages that demanded $300 in bitcoins.

The hackers behind Petya demanded $300 worth of … Bitcoin to unlock victims’ machines. [But] victims may be out of luck, after Posteo, the German email service provider, shut down the hackers’ email account.

Feeling complacent? John Leyden jars us awake [You're fired -Ed.]:

There are also reports that the payload includes … a banking Trojan that extracts usernames and passwords from compromised computers. This means this attack … could [also] steal valuable information that an attacker can take advantage of during the confusion.

But what’s going on in Ukraine? Be careful not to assume malice, says i1ya:

My beloved country … Ukraine, is famous for pirated Windows and nihilist admins who often deliberately don't install patches. The horse [bolted] two months ago when "Wanna Cry" was all over the news; but to some people, it's never enough to finally lock the barn door.

People have been calling it a variant of the Petya malware. Is that right? Yevgeny Valentinovich Kaspersky thinks not:

Our investigation is ongoing and our findings are far from final. … Despite rampant public speculation.

To capture credentials for spreading, the ransomware [extracts] credentials from the lsass.exe process [which] are passed to PsExec … or WMIC for distribution. … Other observed infection vectors include a modified EternalBlue exploit [and] the EternalRomance exploit.

The malware waits for 10-60 minutes after the infection to reboot the system. [Then] it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader.

Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines … are then attacked.
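The port-445/139 sweep described above is the easiest part of this behaviour to spot from the network. The following is an added example, not code from the article or from Kaspersky: a small sliding-window detector that flags a source host contacting many distinct hosts on the SMB ports in a short time, run over constructed flow records. The window and threshold values are assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}          # ports the malware probes (from the text above)
WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 20                  # assumed distinct-target threshold

# Constructed flow records, "timestamp src dst dport": 10.0.1.15 sweeps
# 10.0.1.20-.44 within 25 seconds; 10.0.1.50 is an ordinary file-server user.
SAMPLE_FLOWS = [
    f"2017-06-27T10:00:{i:02d} 10.0.1.15 10.0.1.{20 + i} 445" for i in range(25)
] + [
    "2017-06-27T10:01:00 10.0.1.50 10.0.1.10 445",
    "2017-06-27T10:02:00 10.0.1.50 10.0.1.10 445",
    "2017-06-27T10:02:30 10.0.1.50 10.0.1.11 139",
    "2017-06-27T10:03:00 10.0.1.15 10.0.1.10 443",   # HTTPS, not SMB: ignored
]


def parse_flows(lines):
    """Yield (timestamp, src, dst, dport) for flows to an SMB port only."""
    for line in lines:
        ts, src, dst, dport = line.split()
        if int(dport) in SMB_PORTS:
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct SMB targets} for sources reaching the threshold.

    A sliding window per source keeps only flows from the last `window`;
    the peak number of distinct destinations inside it is the fan-out score.
    """
    recent, active, peak = {}, {}, Counter()
    for ts, src, dst, _ in sorted(parse_flows(lines)):
        q = recent.setdefault(src, deque())
        seen = active.setdefault(src, Counter())
        q.append((ts, dst))
        seen[dst] += 1
        while ts - q[0][0] > window:            # expire flows outside the window
            old_ts, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        peak[src] = max(peak[src], len(seen))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct SMB targets within {WINDOW}")
```

A single infected host producing this fan-out is the signal worth alerting on; the ordinary file-server user stays well under the threshold.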

So this is bad then? Matt Suiche offers What we know so far:

Yes, this is bad—real bad. … No kill-switch this time (& stop hoping for one).

Have a backup strategy. This is your best strategy against the rising threats of ransomware. [And] have a worst-case scenario plan. Companies need incident response and recovery plans.

Did someone say “RaaS”? Duncan Riley drives the point home:

The malware … creating headlines as it infects computers worldwide, is being offered as a ransomware-as-a-service product. [It] even comes complete with an affiliate program.

Israeli security firm IntSights Cyber Intelligence [alleged] Janus, the organization behind the ransomware, “created an affiliate program by which amateur hackers can help to distribute ransomware and get paid for that service, in return for 85 percent of the ransom payments (Janus keeps the rest).”

But wait, is it still spreading? Salim Neino says it's dead but still dancing:

The domains which presumably deliver the payload … are not currently serving the payload and are down. … This does not eliminate, however, other attack vectors. … This may just be an eye of the storm, and we can easily see this malware campaign continue.

If you have a single PC which is not patched … and it contains a system with shared [AD] domain credentials. … this could result in a massive compromise … even if all of the rest of the PCs are up to date and patched. … We have aggregated sinkhole data [and] there are still a significant amount of … systems worldwide potentially vulnerable to EternalBlue.

Would you like syrup with that? Lesley “@hacks4pancakes” Carhart tweets:

This is like every week in 2017 in infosec blue team. ...

Everybody goes after the flashy flashy, but the tried and true simple abuse of admin tools is reliable, harder to block, and quieter.

Weekly reminder to not patch-shame industries who use devices that can't be patched.

Following the trend of attacks getting more effective by living off the land. WMI and psexec used in NotPetya. Ouch. Brace yourselves.

There's a lot of FUD floating around about #NotPetya right now. Patching Windows is not a silver bullet.

How are IT people reacting? Here’s Colin Scott’s horrifying summary of events:

We assume 1 PC was infected, [and] that machine provided the virus with some credentials. … Over time, it must have picked up Domain Admin rights as it spread.

We were pretty patched up against MS17-010, obviously mustn't have been 100%. … If 1 single PC gets infected and the virus has access to Domain Admin credentials then you're done already.

How do you even protect against this in future? Block all domain admins from logging on to workstations would be a start, but … proper demarcation of rights is needed. … We do have tiered admin access. I suspect it's not controlled enough or monitored well enough. Lessons will be learned.

Maybe now we'll get some real traction … and be able to protect ourselves better in future.

But meanwhile, oops. Dave “@gattaca” Lewis did it again:

So, does this latest #ransomware have a name? Might I suggest "OopsEncyptedAgain" or "Spears Attack"?

Watching a non-technical commentator on CNN discussing the latest attacks is reminiscent of a penguin attempting Pagliacci.

And the last word? It goes to the ever-divisive Edward Snowden:

Listen, people can disagree on surveillance. But when [The NSA's] focus on offense over defense shuts down US hospitals, it's time to act.

Update: It seems “ransomware” isn’t the best description. As Anton Ivanov and Orkhan Mamedov explain, ExPetr/Petya/NotPetya is a Wiper, Not Ransomware:

The threat actor cannot decrypt victims’ disk, even if a payment was made. … It appears it was designed as a wiper pretending to be ransomware.

This reinforces the theory that the main goal…was not financially motivated, but destructive.

ORLY? Matt Suiche agrees—Petya.2017 is a wiper:

The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money.

The key generated itself on the screen is fake. … We believe the ransomware was in fact a lure to control the media narrative. [It] is in our opinion a very subtle way [by] the attacker to control the narrative of the attack.

The plot thickens. As does Rik Ferguson’s amazing hair—The Law of Unintended Outbreak:

Some of the…prominent global victims, WPP, Maersk and Saint-Gobain for example, all have offices and operations in Ukraine. … It seems that this cyber-attack is following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine.

The creators of this particular malware…are clearly skilled and experienced. [But] it’s almost as if [they] never intended to reap the financial rewards.

The moral of the story? Don’t rely on boundary security alone—invest in layered defenses. And no matter how strong your defenses, back up, already—but don’t forget to test your disaster-recovery plans.

And finally …

Bringing back the vehicle crank-starter, 21st-century style

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or
