WannaCry About NotPetya?

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and thanks for joining us for episode 14 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

As we pass the midpoint of 2017, we’ve had several high-profile malware attacks so far this year. Two of the biggest have been WannaCry, the ransomware attack that went worldwide in May, and NotPetya, the destructive campaign that targeted Ukraine in June. Observers are still settling on a final name for NotPetya, by the way. It’s being called Petya, Nyetya, and GoldenEye, but for this show, we’re going to go with NotPetya.

Allan Liska is back to provide some of his insights into WannaCry and NotPetya. He’s a senior solutions architect at Recorded Future and co-author of the book “Ransomware: Defending Against Digital Extortion.” Stay with us.

Allan Liska:

WannaCry was an unsophisticated attack, but it happened to hit a number of organizations that were unpatched. It was extensively a ransomware attack, although to date, the ransom that has been collected has not been withdrawn, which is highly unusual for that type of attack. It took advantage of the EternalBlue exploit that was released by Shadow Brokers. On these unpatched networks it was able to spread throughout the networks, spreading the ransomware that was tied to it. Some have speculated that it was a proving ground to prove that this type of attack could work and essentially turn a ransomware attack into a highly disruptive worm, but we don’t have any confirmation of that.

Dave Bittner:

When you say it was unsophisticated, what are the components that lead you to that conclusion?

Allan Liska:

A good question. The ransomware itself wasn’t very sophisticated. The delivery methods weren’t very sophisticated. Really, the only thing sophisticated about it was the exploit from Shadow Brokers. That was, again, publicly available. It was somebody that bolted on a sophisticated exploit into an unsophisticated attack. They happened to get lucky to the point where they infected hundreds of thousands of victims. For those hundreds of thousands of victims, they actually collected relatively little ransom. Not just in terms of pure dollar amount, but in terms of percentage of successfully infected victims. They actually didn’t collect very much money. I think the last count I saw there was a little over $100,000 tied to that particular bitcoin wallet.

Dave Bittner:

This was primarily taking advantage of unpatched systems, yes?

Allan Liska:

That’s correct, right. Looking for systems that hadn’t applied the Microsoft MS 17.10 security bulletin patch. There were two types of systems: the unpatched systems, and then there were the deprecated systems like Windows XP, which Microsoft did not have a patch for until after this attack came out. There were apparently a lot more of those systems still running than Microsoft anticipated.

Dave Bittner:

When this happened, certainly there was a lot of hullaballoo about it. It certainly caught everyone’s attention. People were saying that perhaps we dodged a bullet with this one.

Allan Liska:

Yes, absolutely. Had you taken this type of exploit and this type of delivery mechanism and then added on a real ransomware family, had this been done with a Locky, or a server, or Spora, or one of the more sophisticated ransomware families with a more sophisticated system attached to it … payment system and delivery mechanism, and so on, it could have been a lot more damaging in terms of cost to businesses and so on.

Dave Bittner:

It seems as though, perhaps, that the creators of WannaCry really didn’t expect it to spread as far and wide as it did.

Allan Liska:

No, no. I think I’ve used this example before. It’s like if you’re a petty criminal and you go to rob a 7-11, and it turns out that you’ve actually hit Fort Knox. They’re not capable of handling that type of success. They don’t know what to do with that.

Dave Bittner:

Let’s move on from WannaCry and let’s talk about the attack that we haven’t really settled on a name yet. Some people are calling it Petya, some people are calling it NotPetya. Take us through the discovery and sort of realizations with this latest one.

Allan Liska:

I hate to get involved in naming conventions. As cybersecurity people, I think we’re all curmudgeonly. We hate the fact that we have to name everything, but then we also hate it when we don’t have a name that we can all agree on. In general, everybody just gets frustrated with everything.

There is definitely some of the original Petya components to this ransomware. The Petya ransomware has been around and morphed over the last year and a half pretty significantly. In fact, the most recent version of the Petya ransomware that was released in March, actually had some RDP capabilities. It had some of the underpinnings of what this ransomware attack had. The source code’s been floating around in underground markets for a while. While certainly the group that ran this particular attack is not the same group that launched the original Petya attack, there’s definitely some components of that ransomware in here.

Petya’s a little bit more of a sophisticated ransomware. Still not a tier-one ransomware. Maybe like a tier-two or tier-three type ransomware. In this case, it looks like the ransomware here was a diversion compared to everything else that was being done in the attack. Now that being said, unlike the WannaCry attackers, the NotPetya attackers or the Nyetya attackers, depending on which term you like, have withdrawn the ransom as of this morning. It’s only $10,000. Again, very low-success attack in this case, in terms of ransom.

Dave Bittner:

It turns out that NotPetya is not actually ransomware. Like you said, that’s a diversion. What does it seem like they’re really after?

Allan Liska:

It’s a really good question. I don’t know that we know for sure what the answer is yet. But, we know that there were two components to this attack. The first is the ransomware component, and then there’s information stealing. A lot of people originally thought it was the Locky information stealer, but that doesn’t seem to be the case. Nonetheless, there was an information-stealer trojan included as part of this attack.

Now, the initial use of this attack: this also was a worm-style ransomware. It had two ways of spreading. The first was, it used the EternalBlue exploit. It had that exploit tied into it. It turns out a lot of organizations actually have it patched. That part wasn’t as successful. The second component was, it would use the information stealer to collect credentials on the local box on which it landed. Then, it would use WMI tools to spread from one machine to another in the network. First, it would do a scan to see what else is there. Then, it would use WMI tools and it downloaded Microsoft PsExec tool as part of its initial payload. It would download PsExec to spread itself from box to box to box throughout the network.

Ostensibly, that is to deploy the ransomware, but considering how low success the attackers had with the ransomware itself in terms of getting payments, there’s a pretty good bet that there was other information that it was taking while it was in there. I haven’t seen any evidence as far as what it was trying to take, but it was able to gather evidence … as the information stealer was able to gather evidence.

Dave Bittner:

Is it exfiltrating that data? Is there a place that we figured out where it’s sending it to?

Allan Liska:

Nothing that I’ve seen yet. It may not be. It may have just been a test run for the capabilities. We’re still taking it apart and so on. No one’s found any command and control host. It doesn’t appear to be one inside of the code itself. It may have just been a test run to see if it can grab the information and use that to spread throughout the network. Or there may be something else that we haven’t seen yet.

Dave Bittner:

What amount of that sort of novel way that this was distributed through a software update?

Allan Liska:

It’s interesting because it’s actually not new. This has been the primary way that malware’s delivered on Macs for a while. Apple’s done a fairly good job of locking down the operating system. The way that bad guys have been infecting a lot of Apple machines is by presenting itself as part of a download for an update or for a piece of software. This is just sort of taking that methodology and using it as delivery mechanism. Of course, the fact that they chose this MeDoc accounting software, which, according to reports, is required for every business in the Ukraine to run for tax purposes, indicates that this attack was highly targeted towards targets in the Ukraine, towards organizations in Ukraine.

Dave Bittner:

There’s this notion that perhaps beyond that targeting it sort of escaped accidentally?

Allan Liska:

That would be, yes. We live in a very interconnected world. WannaCry would actually scan active net blocks out on the internet, looking for vulnerable hosts. Whereas, the Nyetya is not scanning external net blocks. It’s only looking for internal net blocks. Because we’re such an interconnected world, that means that an organization in Ukraine that has an office in France or has providers in France, Spain, or the United States that are VPN’d into that network can also be vulnerable to attack by this software.

Dave Bittner:

Looking at things like WannaCry and NotPetya, I think that there’s this tendency to sort of brace ourselves for the big one. Both of these as they began, there was people sort of wondering, “Is this the big one?” I think neither one of them turned out to be, but how did they inform us in terms of preparation against what could be the big one?

Allan Liska:

This is now two months in a row that we’ve had a large-scale ransomware worm. If you remember, prior to WannaCry, we really haven’t had a worm that spread like this for almost a decade. WannaCry was fairly big in terms of what it did. Now we have another ransomware worm that’s popped up. I expect we may see more of those. If this was an experiment, if this was a testing ground, we may see more of this activity, but tied to more sophisticated actors or even more sophisticated tools that could spread more effectively throughout networks.

Right now, the EternalBlue exploit is quickly being patched around the world. If it’s not fully patched everywhere, it can be. There are other exploits that the Shadow Brokers have released that could be tied into these ransomware campaigns to deliver a more effective and wider-spread delivering. If you had taken either one of these campaigns and started out as a phishing campaign that then tied into this, that could have been much more widespread and done much more damage.

Dave Bittner:

Take me behind the scenes a little bit. When these sorts of things like WannaCry or NotPetya start to percolate up, what is it like behind the scenes at Recorded Future? You all evaluate them and do the things you do.

Allan Liska:

We have just an incredible team. We’re doing things that I expect a lot of security companies are doing. One, we’re grabbing the code itself so we can start tearing it apart. That’s the most important thing, so that we have a good understanding of what’s going on. We disseminate that information within the company, so as we have updates and can confirm things, we disseminate within the company and then we disseminate it out to our customers.

Secondarily, we do things like blog posts and update our Twitter feed in order to make sure that the broader community is aware of what’s going on, because this type of attack, it’s really important to get as much accurate information as possible into the hands of as many people as possible. It’s a challenge in the first couple of hours because there’s a whole lot of bad information out there. It’s just like any other breaking news scenario. There’s a lot of really bad information and erroneous reports. It’s the job of our analyst team to take a look at all of the reports, see what can be verified, tie that in with our own ability to determine things based on code samples that we’re able to look at and make sure that everything lines up, but then get that information to our customers as quickly as possible. Especially in a case like this where you have an attack that started in the Ukraine, we want to make sure if there are any protections our customers can put in place, they have them in the United States and EMEA before they go live. Then, as updates happen.

When, for instance, we found out that the email address that was associated with this attack had been disabled by the mail provider, we’re able to tell customers, “Do not bother to pay the ransom here because you’ll never get your files back. There’s no way for the attacker to communicate with you. If you don’t have a backup, your best bet is to wipe and start fresh.”

Dave Bittner:

I suppose one of the unintended consequences or perhaps a potential upside, is that these events really have gotten people to focus on patching.

Allan Liska:

Yes, it’s one of these things that the best defense against ransomware is to make sure you have good backups. But really, the really second best defense is to make sure that your systems are fully up to date. In this case, it’s the Microsoft patches against web exploits-type ransomware that use the exploit kits. It’s to make sure your Adobe is patched, your browser is patched, your Silverlight is patched, your Java’s patched, etc. That is really the second best defense against these types of ransomware attacks. Patching is boring. Patching’s unexciting compared to new, shiny technology that you want to put in place, but patching is still one of the most effective ways to protect your organization against any kind of ransomware attack.

If WannaCry was low sophistication, this was much more sophisticated of an attack. If there’s a next one, and there will be, the next one that will build on this will be even more sophisticated. Make sure you have the right protections in place for your organization. Make sure you’re keeping up to date on what the latest threats are. Hopefully you won’t fall victim to whatever the next one of these is.

Dave Bittner:

Our thanks to Allan Liska for joining us once again.

Don’t forget to sign up for Recorded Future’s Cyber Daily email and everyday you’ll receive the top results for technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.