NotPetya Ransomware: Lessons Learned

The ‘NotPetya’ ransomware attack made news headlines all over the world. It kicked off in Ukraine, where pictures circulated on social media of supermarket self-checkouts showing the splash screen typical of ransomware: “all your files are encrypted, if you want them back, send X amount of bitcoin to X address.”

It felt awfully familiar, and strong opinions quickly emerged from security industry pundits about what went wrong and who was to blame. This was reminiscent of the reaction to the WannaCry ransomware attack, which saw people pointing the finger at anyone from Microsoft, for having stopped patching its now-defunct Windows XP operating system, all the way up to the UK’s Health Secretary Jeremy Hunt for not investing enough money in the UK’s National Health Service.

Unfortunately, it doesn’t seem like much was learnt from WannaCry. Embroiled in the NotPetya incident were major companies like advertising conglomerate WPP, which is reported to have had significant problems getting back to work. Despite the warnings about frequent patching that followed WannaCry, NotPetya was still able to spread inside corporate networks using the same unpatched SMB flaw that WannaCry had exploited, alongside techniques that patching alone does not stop.

WPP wasn’t alone: it has been widely reported that shipping giant A.P. Moller-Maersk was hit so badly that staff were forced to communicate via WhatsApp, and the firm reported losses of around $300m thanks to its inability to operate certain ports around the world.

Tarun Samtani, group security advisor at Findel Plc, tells Infosecurity: “WannaCry and NotPetya attacks may not seem to have changed a lot but [the incidents have] changed the way boards are looking at information security. These attacks and the upcoming GDPR are surely going to drive a way forward for the cybersecurity industry in highlighting the point that information is a key asset and more has to be done to keep it secure and private.”

Nic Miller, principal consultant at Aedile Consulting, adds: “Mostly companies are temporarily worried because of the news coverage. After WannaCry, questions were asked about patching frequency, and the NotPetya attack seems to have resurfaced those questions. I’m personally not convinced the pressure will last.”

Stories for the Boardroom

One of the opportunities presented with the NotPetya ransomware attack is for IT leaders in enterprises to go back to the business leaders and push cybersecurity further into the boardroom agenda.

This has come at an opportune time: a recent UK government report claimed that a survey of FTSE 350 companies showed that 68% of board members have not been trained to deal with cybersecurity incidents.

The survey says that more than half of board members recognize that cyber-threats are a top risk to their business, but 69% of them still do not receive adequate information on cyber-risks, which raises the question: are IT professionals talking too much or is the board not listening?

It looks like IT leaders are going to need to get their heads in the game very fast. As a way of pushing companies towards stronger cyber-defenses and preventing further attacks of this kind, the UK government is expected to implement the EU Network and Information Systems (NIS) Directive, and companies that fall foul of the regulation can expect a hefty fine.

Miller explains: “One of the things I have noticed in conversations around the NotPetya attack is the nation-state angle. Given that NotPetya was almost certainly Russian state related, WannaCry was linked to North Korea and the constant references to the NSA exploits used now provide a shield for companies to say ‘well, what can we do when we’re up against the NSA?!’”

Miller claims that companies are using the provenance of the WannaCry and NotPetya attacks being allegedly nation-state based as an excuse not to patch, but says this “completely misses the point.” He adds: “Yes, patching cycles can be long, but for WannaCry especially, the lack of a delivery mechanism for patches means companies hit by WannaCry were exposed with the unpatched SMB flaw to the internet for four months.”

By and large, the advice to companies wanting to steer clear of ransomware remains the same as with any other attack: having any software, operating systems and anti-virus/APT products fully patched and up-to-date significantly reduces an enterprise's attack surface.

Attack Biopsy

Early reports said the malware driving the NotPetya attack was spreading via PDF and Word attachments; had that been so, patching the application that opens them (Adobe Acrobat or Microsoft Office) would have protected you. Those reports were not borne out. The confirmed initial entry point was a software updater, and it is worth noting that update facilities, which are trusted and often run with high privilege, are increasingly being taken over by malware to extend its reach.

Microsoft reported that NotPetya was delivered through the auto-update function of M.E.Doc tax accounting software, which is widely used in Ukraine, where the NotPetya infection began.

Once inside, the malware spread using legitimate administration tools, Windows Management Instrumentation Command-line (WMIC) and PsExec, to execute itself on other machines, which helped it go undetected: these are not vulnerabilities, so no patch stops them. Patching does matter for the other half of its propagation, the SMB exploit mentioned above, and keeping up with Windows updates would have significantly decreased the attack surface there; but a fully patched network could still be traversed with stolen administrator credentials.

Then there’s the importance of backups. Many in the security industry have consistently warned of the implications of not having a regularly tested backup and recovery solution for all business systems and data. If you do have one, it should do most of the heavy lifting in getting back to normal after an infection, as it would contain all of your business data, provided the backups are kept offline or otherwise out of reach of the credentials and network paths the malware uses; otherwise they will be encrypted along with everything else.

Finally, credential abuse should be high on the priority list, as malware like NotPetya now harvests credentials from the machines it infects rather than relying on exploits alone. ExPetr, Kaspersky’s name for the same malware rather than a separate variant, was reported to carry a Mimikatz-like component that pulls user credentials out of memory in plain text, including local admin accounts and domain users, and to reuse them to reach other machines across the network.

“Similarly,” says Miller, “the NotPetya danger came from the lateral movement through credential theft, but again, this is a pretty standard technique, the only thing that made it clever was the automated approach to doing it.”

Miller concludes, “a basic control of not giving users local admin – or if you have to, limiting it to a minimum number of machines as necessary – would have nullified this attack.”
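The behaviour Miller describes, one set of credentials reused at machine speed through PsExec and WMIC, leaves a trail that patch status does not affect. As an added example (not code from the article or from any vendor named in it), here is a small detector in Python run over a handful of constructed Windows event records. The JSON shape and field names are an assumption of the example, modelled on the fields of Security events 4624 and 4688 and System event 7045; the thresholds are starting points, not tuned values.

```python
"""Spotting PsExec/WMIC lateral movement and credential fan-out in Windows logs.
Added example, not from the article. SAMPLE_LOGS are constructed JSON lines in a
simplified shape; the field names mirror the Windows events they stand for
(Security 4624 logon, 4688 process creation with command line, System 7045
service installed), but this exact format is an assumption of the example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = r"""
{"ts":"2017-06-27T10:30:01","host":"FS01","id":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.1.1.20"}
{"ts":"2017-06-27T10:30:03","host":"FS01","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2017-06-27T10:31:15","host":"WS07","id":4688,"NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic.exe /node:\"WS09\" /user:\"CORP\\svc_backup\" /password:\"Hunter2!\" process call create \"cmd.exe /c whoami\""}
{"ts":"2017-06-27T10:31:16","host":"WS09","id":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.1.1.20"}
{"ts":"2017-06-27T10:32:40","host":"DC01","id":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.1.1.20"}
{"ts":"2017-06-27T10:35:00","host":"FS01","id":4624,"LogonType":3,"TargetUserName":"alice","IpAddress":"10.1.1.55"}
{"ts":"2017-06-27T10:36:00","host":"FS01","id":4688,"NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic.exe os get caption"}
"""


def parse(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return (rule, subject, detail) alerts for three lateral-movement signals."""
    alerts = []
    net_logons = defaultdict(list)  # account -> [(time, target host)]
    for e in events:
        if e["id"] == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            # PsExec installs its helper service on the target under this default name.
            alerts.append(("psexec_service", e["host"], e.get("ImagePath", "")))
        elif e["id"] == 4688:
            exe = e.get("NewProcessName", "").lower()
            cmd = e.get("CommandLine", "")
            low = cmd.lower()
            # Remote process creation through WMI; local wmic queries do not match.
            if exe.endswith("wmic.exe") and "/node:" in low and "process call create" in low:
                detail = ("cleartext password on command line: " if "/password:" in low else "") + cmd
                alerts.append(("remote_wmic_exec", e["host"], detail))
        elif e["id"] == 4624 and e.get("LogonType") == 3:  # type 3 = network logon
            net_logons[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    # One account authenticating to many hosts inside a short window is the automated
    # credential reuse Miller describes, whichever tool drives it.
    for account, entries in net_logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= fanout_threshold:
                alerts.append(("credential_fanout", account, sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(alert)
```

The credential fan-out rule is the one that does not depend on the tool: whether spread is driven by PsExec, WMIC or an exploit, a single account authenticating to many hosts within minutes is the signal that admin credentials are shared across machines, which is exactly what Miller’s “limit local admin” control removes. The local `wmic.exe os get caption` event in the sample is there to show that ordinary use of the tool does not fire the rule.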

Carl Gottlieb, an independent security consultant, tells Infosecurity that there is an angle which still needs to be looked into with regards to stopping further ransomware attacks. “There’s imbalance between vendor solutions that aren’t configured to best practice in the real world,” he argues. “Vendors tend to blame the customer but often they know that people won’t deploy software in the way it was designed in their development lab.”

Gottlieb is referring to instances where a security vendor might sell products which work well in a lab environment, but would then fail in the wild due to a misconfiguration, which, he claims, happened when University College London (UCL) suffered a ransomware attack due to disabling their anti-virus’s cloud lookup feature.

Gottlieb claims: “If a vendor sells a product that they know a customer won’t deploy optimally, whose fault really is it? I’d argue that products need to be more ‘real world’ tolerant. Which raises the question of what real world testing actually is. Whose real world does it represent?”

Gottlieb might be right; if software is developed and not thoroughly tested, this calls for a review of the efficacy of security software being sold into companies under the guise of protecting company infrastructure.

Gottlieb adds that “if ‘real world’ is for people who understand security and should know better than to skip updates because it’s annoying, maybe the right answer is that the only solution is to force updates. People don’t read warnings so security companies need to provide safety nets for when security warnings are ignored.”

Onwards and Downwards?

An educated guess that this won’t be the last large-scale ransomware attack which makes international news headlines is not an outlandish claim.

Recently, news emerged that a powerful form of ransomware named Mamba, which encrypts whole drives instead of just the files on them, suddenly made a return. It is reported to behave in similar ways to other ransomware attacks, notably NotPetya, except that experts have said that it is designed to outright destroy information rather than act as a source of income for the criminals behind it.

Researchers from security firm Kaspersky Lab have warned that this is, unfortunately, going to become the new normal in ransomware, as attacks become harsher. While Mamba isn’t a common type of ransomware, it has already had a high-profile victim: the San Francisco Municipal Transportation Authority in November 2016.

Alexander Drabek, senior penetration tester and researcher for security consultancy firm 2Sec, recently wrote in a blog post that “Either of the Diablo6 and Mamba strains could be a serious problem for companies that haven’t installed email or SPAM filtering systems, or for organizations where user-awareness hasn’t been developed over the last year, as ransomware has risen”. Those are big ‘ifs’.

Ed Tucker, ex-head of cybersecurity for UK tax authority HMRC, tells Infosecurity: “Pay attention to vulnerabilities, their criticality and then contextualize them against your organization. As with WannaCry, patching is key, but equally, so is good architectural design and the principle of ensuring that only the ports and protocols that are absolutely necessary are opened, especially on external facing components.

Tucker concludes: “Sometimes you have to risk ‘breaking things’ by accelerating patches without a thousand hours of testing, to ensure that devices are protected against vulnerabilities that are actively being exploited in the wild. To be able to achieve this, you need to actually understand the assets in your organization and their impact on business continuity.”

Unfortunately, until a solution is found, many settle for the next best thing: recovery tools. Researchers from security firm CrowdStrike recently found a way to recover most of the master file table (MFT) that NotPetya encrypts.

“With the aid of the supplied tools, almost all of the master file table (MFT) can be successfully recovered within minutes,” says Sebastian Eschweiler of CrowdStrike.

Eschweiler explains that “Decryption of the MFT is only possible by exploiting several weaknesses in the NotPetya implementation of the Salsa20 cipher. Basically, it’s a combination of a known-plaintext attack and a many-time pad attack. Note that this attack does not mean Salsa20 is broken, it only affects this specific implementation.”
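What a combination of known-plaintext and many-time-pad attacks looks like in practice, as an added example that is not NotPetya’s code, CrowdStrike’s tool, or the page’s own. It models the general mistake of applying one Salsa20 keystream to many disk sectors by restarting the block counter for every sector; that flaw is an assumption for illustration, not a description of NotPetya’s actual defect, which the page does not detail. The Salsa20 implementation follows the published specification, and the disk contents, key and nonce are constructed.

```python
"""Keystream reuse in a sector encryptor: known plaintext plus many-time pad.
Constructed model, not NotPetya's code and not CrowdStrike's recovery tool:
the flawed encryptor XORs every 512-byte sector with the SAME Salsa20
keystream because it restarts the block counter at 0 for each sector.
The attacker never learns the key."""
import struct
from collections import Counter

MASK = 0xFFFFFFFF
SECTOR = 512
# An NTFS MFT record begins with the signature 'FILE' followed by the
# update-sequence offset 0x30 (ASCII '0'), so b"FILE0" is known plaintext.
MFT_SIG = b"FILE0"

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(a, b, c, d):  # Salsa20 quarter-round
    b ^= _rotl((a + d) & MASK, 7)
    c ^= _rotl((b + a) & MASK, 9)
    d ^= _rotl((c + b) & MASK, 13)
    a ^= _rotl((d + c) & MASK, 18)
    return a, b, c, d

def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [0x61707865, *k[:4], 0x3320646E, *n, counter & MASK,
         (counter >> 32) & MASK, 0x79622D32, *k[4:], 0x6B206574]
    x = list(s)
    for _ in range(10):  # 10 double rounds: column round, then row round
        x[0], x[4], x[8], x[12] = _qr(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = _qr(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _qr(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _qr(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _qr(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = _qr(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _qr(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _qr(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, s)])

def keystream(key, nonce, first_block, nbytes):
    blocks = -(-nbytes // 64)
    return b"".join(salsa20_block(key, nonce, first_block + i) for i in range(blocks))[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def flawed_encrypt(key, nonce, sectors):
    """The modelled flaw: the counter restarts at 0 for every sector."""
    ks = keystream(key, nonce, 0, SECTOR)
    return [xor(s, ks) for s in sectors]

def correct_encrypt(key, nonce, sectors):
    """Proper use: each sector gets its own counter range, so nothing repeats."""
    per = SECTOR // 64
    return [xor(s, keystream(key, nonce, i * per, SECTOR)) for i, s in enumerate(sectors)]

def recover_keystream(ct_sectors):
    """Known-plaintext attack. Unallocated sectors are all zeros, so under reuse
    they encrypt to the raw keystream and all look identical. Try each repeated
    ciphertext as the keystream and keep the one that turns the most sectors
    into records starting with the MFT signature; None if nothing repeats."""
    best, best_hits = None, 0
    for cand, n in Counter(ct_sectors).items():
        if n < 2:
            continue
        hits = sum(xor(ct, cand).startswith(MFT_SIG) for ct in ct_sectors)
        if hits > best_hits:
            best, best_hits = cand, hits
    return best

def mft_record(filename):
    """Constructed 512-byte MFT-like record: signature, padding, UTF-16 name."""
    return (MFT_SIG + b"\x00" * 59 + filename.encode("utf-16-le")).ljust(SECTOR, b"\x00")

def demo_disk():
    zero = b"\x00" * SECTOR  # two unallocated sectors sit among the records
    data = b"Q2 figures: revenue up 4%, costs flat.".ljust(SECTOR, b" ")
    return [mft_record("payroll.xlsx"), zero, mft_record("ntoskrnl.exe"),
            data, zero, mft_record("notes.txt")]

def run_attack():
    """Returns (plaintext sectors, ciphertext sectors, recovered keystream, decrypted)."""
    key, nonce = bytes(range(32)), b"\x01" * 8  # constructed; never given to the attacker
    plain = demo_disk()
    ct = flawed_encrypt(key, nonce, plain)
    ks = recover_keystream(ct)
    # Many-time pad: xor(ct[0], ct[3]) == xor(plain[0], plain[3]) with no key at all.
    return plain, ct, ks, [xor(c, ks) for c in ct]

if __name__ == "__main__":
    plain, ct, ks, recovered = run_attack()
    print("all sectors recovered without the key:", recovered == plain)
```

The attacker never touches the key. Zero-filled (unallocated) sectors hand over the keystream directly, the `FILE0` header at the start of every MFT record checks that a candidate keystream is right, and XORing two ciphertext sectors cancels the keystream to expose the XOR of their plaintexts. Salsa20 itself is not at fault: `correct_encrypt` gives each sector a distinct counter range, and the same attack then finds nothing to work with.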
