Both WannaCry and the new Petya variants that hit earlier this week (including NotPetya) exploited the same Windows SMB vulnerability that Microsoft released a patch for in March. Even though Microsoft released the patch before the ShadowBrokers leaked the EternalBlue exploit that targeted that vulnerability, millions of computers were still attacked. Even so, it's common knowledge in the cybersecurity field that both WannaCry and NotPetya were built with EternalBlue. A theory from F-Secure's Andy Patel blows the NotPetya assumption wide open.
“The network propagation module was probably already in development in February,” Patel wrote.
Two unnamed F-Secure colleagues added their thoughts.
“We won’t be able to determine the timestamp for the use of NSA tools since it’s part of the main DLL code which has the June timestamp.”
“Also, in this particular Petya sample, the shellcode is in a way coupled with the exploits. That is, they didn’t simply plug the shellcode in without properly testing it with their version of the SMB exploit.”
Patel clairified his observations in a footnote. “Some of the payloads utilized by the network propagation component have compilation timestamps from February 2017. The compilation dates on these payloads don’t have any bearing on when the Eternal exploits were implemented in the network propagation code.”
WannaCry appears to be the work of script kiddies—cyber-attack amateurs who use scripts developed only by other parties without producing their own code or finding their own exploits. The ransomware didn't even have an effective monetization scheme. NotPetya appears to be something completely different, and there are sound theories that it was developed by a nation-state. Also, the ransomware element of NotPetya may have merely been a guise.
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware',” security researcher the grugq said on Twitter.
