Ransomware Smackdown: NotPetya Not as Bad as WannaCry

For anyone keeping score in the ransomware outbreak wars, NotPetya was not as bad as WannaCry.

Microsoft says the outbreak of NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C - that began June 27 resulted in "a less widespread attack" than WannaCry, aka WannaCrypt. That was despite NotPetya being even more sophisticated than WannaCry - by many security experts' reckoning - as well as NotPetya targeting the same EternalBlue server message block exploit in Windows that had enabled WannaCry to spread far and fast.

By way of explanation, Microsoft surmises in a blog post that NotPetya's global impact was blunted because whoever designed the malware limited its attack capabilities by design. In particular, the malware is set by default to reboot an infected system in 60 minutes, although attackers can provide a different time value, it says. After the time is up, the system reboots, and the malware does not persist after the reboot. "This means that the threat can only do lateral movement and exploitation of other machines during this limited time," Microsoft says. "This reduced the reach of the attack."

In addition, Microsoft notes, NotPetya appeared to be a very targeted malware campaign - more than 70 percent of all systems that encountered NotPetya were in Ukraine.

Windows 10: Tougher to Infect

These latest attack details may offer scant consolation to anyone who had their PC forcibly encrypted - and in many of those cases, left unrecoverable - by NotPetya.

On the upside, however, one takeaway from both of those ransomware campaigns is that Microsoft continues to make it tougher for ransomware to infect Windows. As with WannaCry, the majority of systems infected with NotPetya were running Windows 7, security firms report.

Microsoft says that anyone who was using Windows 10 S - a streamlined, more secure and faster version of its operating system released in May, so far only on new machines - was safe from NotPetya. "The security configuration and reduced attack surface of Windows 10 S block this attack by default," Microsoft says.

In addition, anyone who was using Windows 10 with the right security controls enabled would also have been protected. Those include a more secure kernel that's been hardened against attacks, a feature called device guard that blocks unauthorized applications, improved detection of script-based attacks, and built-in anti-virus software - for anyone who hasn't installed their own - that includes behavioral analysis designed to arrest ransomware outbreaks.

Real-World Results May Vary

The devil, however, remains in the implementation details.

In an ideal security world, using Microsoft's most recent version of Windows would be a no-brainer. That's because Microsoft continues to refine its OS, adding better and better security controls. For any organization starting out from scratch, and buying all-new kit, they'd be in relatively good shape.

In the real world, however, the latest security features cannot always be deployed, due in part to legacy systems, compatibility problems and refresh cycles. Also, making the business case for upgrading from an older version of Microsoft Windows to the latest and greatest can be difficult (see Would Cheaper Windows Upgrades Solve Ransomware Woes?).

Another challenge: Even organizations with the latest technology do not always deploy secure networks or enable all of the defenses that they should (see 6 Remediation Essentials: Fighting 'NotPetya' Malware). A feature that works on some versions of Windows 10, for example, called credential guard, can prevent malware from harvesting passwords stored in system memory, but computer security expert Lesley Carhart (@hacks4pancakes) says in a blog post that it's "infrequently deployed and not backwards-compatible."

Simplicity Hacks

Meanwhile, attackers continue to up their game.

For example, NotPetya attempts to spread via the EternalBlue exploit, targeting the SMB flaw fixed by Microsoft's MS17-010 Windows security update (see Teardown of 'NotPetya' Malware: Here's What We Know).

But for many experts, the most worrying aspect of the NotPetya outbreak is not tapping the EternalBlue exploit apparently developed by the National Security Agency. Instead, it's how NotPetya can also spread via two legitimate Windows tools - PsExec and Windows Management Instrumentation - as well as use the open source Mimikatz tool to try and steal passwords from infected systems.

"There's no sense in using malicious code when simpler and quieter means are available," Carhart says.

"I'm honestly a little surprised we haven't seen worms taking advantage of these mechanisms so elegantly on a large scale until now," she says. "They are very popular tools in modern hacking. A good hacker avoids the use of malware and code exploits whenever possible. ... Every use of malicious code is one more potential detection point for traditional signature-based anti-virus and intrusion prevention systems - which are relied on exclusively far too often."

Supply Chain Attack

In the case of NotPetya, many organizations appear to have gotten off lightly, since attackers only appeared to be targeting firms in Ukraine. But of course organizations in other countries were also affected, ranging from Russia and Denmark to Australia and the United States.

"Our investigation revealed that affected companies in other countries had VPN connections to their branches, or to business partners, in Ukraine," Slovakian security firm ESET notes in a blog post, adding that it believes attackers underestimated how far their attack code would spread.

Police in Ukraine say they are working with Ukrainian accounting software vendor M.E.Doc., whose update server was apparently used to spread the malware. The choice of that software by attackers was also elegant, since it's reportedly one of only two software packages approved by Ukraine's tax-collection agency for paying taxes.

Attackers likely had direct access to the M.E.Doc update server, and were able to push out software of their choosing via the software-update mechanism built into M.E.Doc, ESET says. "Specifically, we identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc's server," it says. "This backdoor was accessible from HTTP; however, it was encrypted, so the attacker would have to have the password in order to use it.

The security firm says NotPetya does not appear to be the only attack code that has been distributed to date via this mechanism.

Suspect: BlackEnergy APT Group

Debate continues to rage over whether the group that launched NotPetya intended to create malware that looked like ransomware but was instead a smokescreen for disk-wiping attacks (see Latest Ransomware Wave Never Intended to Make Money).

Whatever the motivation, researchers at Moscow-based anti-virus firm Kaspersky Lab say that based on how NotPetya was built, it has a "low confidence but persistent hunch" that the ransomware was launched by the BlackEnergy APT group, which may have been born from the TeleBots APT group.

BlackEnergy has previously been tied to attacks that disrupted the Ukrainian power grid in 2015, as well as KillDisk wiper malware attacks that erased hard drives and left PCs unbootable.

As with past investigations into malware outbreaks, Kaspersky Lab says it will work with other security firms to try and produce a more definitive picture of the attack group behind NotPetya. "Further research can be crucial to connecting the dots, or, disproving these theories," it notes (see Kaspersky Links North Korean IP Address to Lazarus).