I cover crime, privacy and security in digital and physical forms.
The world is suffering another ransomware nightmare today, with pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, an airport, and banks all affected. One U.S. hospital also appears to have become a victim. Worse is expected to come, thanks to some pernicious features in the ransomware sample.
The malware widely believed to be responsible is called Petya… or NotPetya. It’s similar to Petya, but different enough that researchers are calling it an entirely new form of ransomware. Backing it up is an exploit method borrowed from a leaked NSA hack called EternalBlue, the same one WannaCry used to infect hundreds of thousands of machines and take down hospital networks.
That’s cause for embarrassment amongst infected companies: Microsoft released a patch earlier this year that prevented any EternalBlue hacks, even pushing out updates for older, unsupported Windows systems like XP. Businesses should have patched by now, especially given the carnage WannaCry caused.
But NotPetya has some extra powers that security experts say make it deadlier than WannaCry. Whilst EternalBlue has allowed it to spread via a weakness in Windows’ SMB, it has other tools for moving at speed across networks. For instance, according to former NSA analyst and cybersecurity entrepreneur David Kennedy, the ransomware finds passwords on the infected computer itself to move to other systems. It does that by extracting passwords from memory or from the local filesystem itself, he explained.
“This is going to be a big one. Real big one,” Kennedy added.
On top of that, another proliferation technique is NotPetya’s abuse of PsExec, a legitimate administration tool normally used to run commands on other systems, but in this case used simply to spread the infection by executing malicious code on any other computer it can reach. For instance, if the infected PC has administrator access to the network, every computer on it can become infected. NotPetya uses a similar method with the Windows Management Instrumentation (WMI) tool, according to security expert Kevin Beaumont.
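The two spreading behaviours described in the last few paragraphs, credential theft from the infected machine and remote execution through PsExec and WMI, each leave a distinctive trace in Windows logs. The following is an added illustration written for this page, not code from the article or from any of the researchers quoted; the sample event records are constructed, the field names are simplified assumptions loosely modelled on Sysmon and Security-log fields, and the allowlist of processes that may legitimately read LSASS memory is an assumption that would need tuning per environment. It flags a process reading LSASS memory (where Windows keeps cached credentials), a PsExec service installation, and a process spawned by the WMI provider host.

```python
from collections import defaultdict

# Constructed sample events in a simplified, normalised form (assumed field names).
# Only the first three should trigger a finding; the last two are benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "Sysmon", "event_id": 10,            # process access
     "source_image": r"C:\Temp\suspect.exe",                         # hypothetical path
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS02", "source": "System", "event_id": 7045,          # service installed
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS03", "source": "Security", "event_id": 4688,        # process created
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "new_process": r"C:\Windows\System32\rundll32.exe"},
    {"host": "WS04", "source": "Security", "event_id": 4688,
     "parent_image": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS05", "source": "Sysmon", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
]

# Processes that legitimately open LSASS on a typical host (assumption; tune per environment).
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_lsass_access(ev):
    """Sysmon event 10: a non-allowlisted process opened lsass.exe (credential theft indicator)."""
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 10:
        return None
    if _basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    source = _basename(ev.get("source_image", ""))
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    return {"host": ev["host"], "rule": "lsass_access",
            "detail": f"{source} opened lsass.exe with access {ev.get('granted_access')}"}


def check_psexec_service(ev):
    """System event 7045: PsExec installs its PSEXESVC service on the remote host it executes on."""
    if ev.get("source") != "System" or ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").upper()
    image = _basename(ev.get("image_path", ""))
    if name != "PSEXESVC" and image != "psexesvc.exe":
        return None
    return {"host": ev["host"], "rule": "psexec_service",
            "detail": f"service {name} installed from {ev.get('image_path')}"}


def check_wmi_spawn(ev):
    """Security event 4688: a process whose parent is the WMI provider host was started remotely via WMI."""
    if ev.get("source") != "Security" or ev.get("event_id") != 4688:
        return None
    if _basename(ev.get("parent_image", "")) != "wmiprvse.exe":
        return None
    return {"host": ev["host"], "rule": "wmi_spawned_process",
            "detail": f"WmiPrvSE.exe spawned {_basename(ev.get('new_process', ''))}"}


RULES = (check_lsass_access, check_psexec_service, check_wmi_spawn)


def detect(events):
    """Run every rule over every event and return the list of findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


def hosts_by_rule(findings):
    """Group affected hosts per rule, so a spread across many hosts stands out at a glance."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["rule"]].append(f["host"])
    return dict(grouped)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} - {f['detail']}")
    print(hosts_by_rule(detect(SAMPLE_EVENTS)))
```

None of these three signals is conclusive on its own: PsExec and WMI are routine administration tools, which is exactly why the ransomware's use of them blends in. What makes them worth alerting on is the combination, several hosts showing a PSEXESVC install or a WmiPrvSE.exe-spawned process within minutes of a single host showing an unexpected LSASS access.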
“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched,” said ESET researcher Robert Lipovsky. “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
Perhaps most crucially, thanks to all these added features, the new strain will infect the latest and even patched Windows PCs, including version 10, as one IT professional noted in a blog, whereas WannaCry worked largely on older systems. A Microsoft spokesperson said the company was aware of the reports and was investigating.
It appears to be the work of a professional group too, unlike WannaCry, which was full of bugs and had a killswitch that a British security researcher triggered, effectively killing it off (though more infections occurred just last week…). There is no obvious killswitch in NotPetya, which Kaspersky said has infected at least 2,000 organizations across the globe, including in Ukraine, Russia, the U.K. and America.
That professionalism might come from Petya’s birth in the bustling, highly technical cybercriminal underground. Jakub Kroustek, Threat Lab Team lead at Avast, said: “One of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model which gives distributors a share of up to 85% of the paid ransom amount, while 15% is kept by the malware authors.” This kind of “ransomware-as-a-service” has been a growing concern of late, given it opens up the crime to a non-technical audience.
Whatever the class of criminal behind today’s outbreak, they’ve had a good pay day, though not an astounding one. At the time of publication, 22 payments had been made, totalling 2.39818893 Bitcoin, worth around $5,515.
Anyone even considering paying them to unlock their computers should reverse course, however: the email account set up to provide keys has been shut down by the provider, Posteo. Thanks to that, there’s no obvious way of recovering files without backups.