PetyaWrap: A new ransomware attack similar to last month’s self-replicating WannaCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.
PetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer. Like the WCry worm that paralyzed hospitals, shipping companies, and train stations around the globe in May, Tuesday’s attack made use of EternalBlue, the code name for an advanced exploit that was developed and used by, and later stolen from, the National Security Agency.
According to a blog post published by antivirus provider Kaspersky Lab, Tuesday’s attack also repurposed a separate NSA exploit dubbed EternalRomance. Microsoft patched the underlying vulnerabilities for both of those exploits in March, precisely four weeks before a still-unknown group calling itself the Shadow Brokers published the advanced NSA hacking tools. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead to systems that had yet to install the updates.
Besides use of EternalRomance, Tuesday’s attack showed several other impressive improvements over WCry. One, according to Kaspersky, was the use of the Mimikatz hacking tool to extract passwords from other computers on a network. With those network credentials in hand, infected computers would then use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines, even when they weren’t vulnerable to the EternalBlue and EternalRomance exploits. For added effectiveness, at least some of the attacks also exploited the update mechanism of a third-party Ukrainian software product called MeDoc, Kaspersky Lab said. A researcher who posts under the handle MalwareTech, speculated here that MeDoc was itself compromised by malware that took control of the mechanism that sends updates to end users.
Locating patient zero
Kaspersky stopped short of saying MeDoc was the initial infection point in the attack chain, as did researchers from Cisco Systems’ Talos group, which in its own blog post also said only that the attacks “may be associated with software update systems for a Ukrainian tax accounting package called MeDoc.” Researchers from AV provider Eset, however, said the MeDoc update mechanism was “the point from which this global epidemic has all started.” A separate, unconfirmed analysis circulating on Twitter also makes a compelling case a MeDoc update issued early Tuesday morning played a key role. A vaguely worded post on the MeDoc website said only:
Our server made a virus attack.
We apologize for the inconvenience!
Many analysts interpreted the post as an admission of playing a key role in the attacks. But if that’s the case, the 13-word statement was uncharacteristically glib for an official communication taking responsibility for one of the worst computer attacks in recent memory. What’s more, in a separate Facebook post, MeDoc officials seemed to say they weren’t involved.
Once the malware takes hold of a computer, it waits 10 to 60 minutes to reboot the infected computers, Kaspersky said. The encryption routine that permanently locks data until targets pay a $300 fee starts only after the computer restarts. Researchers said anyone who experiences an infection may be able to preempt the encryption process by immediately turning off the computer and allowing only an experienced security professional to restart it.
Banks, Power Utilities, Airports
News organizations reported potentially serious disruptions around the world, with organizations throughout Ukraine being hit particularly hard. In that country, infections reportedly hit metro networks, power utility companies, government ministry sites, airports, banks, media outlets, and state-owned companies. Those affected included radiation monitors at the Chernobyl nuclear facility. A photograph published by Reuters showed an ATM at a branch of Ukraine’s state-owned Oschadbank bank that was inoperable. A message displayed on the screen demanded a payment to unlock it. Meanwhile, Reuters also reported that Ukrainian state power distributor Ukrenergo said its IT systems were also hit by a cyber attack but that the disruption had no impact on power supplies or broader operations. Others hit, according to Bloomberg, included Ukrainian delivery network Nova Poshta, which halted service to clients after its network was infected. Bloomberg also said Ukraine’s Central Bank warned on its website that several banks had been targeted by hackers.
As quick-spreading as WCry was, its virulence was largely checked by a series of errors made by its developers. One of the biggest mistakes was the hard-coding of a killswitch into the WCry attack. A quick-acting researcher was able to largely stop the run-away attack when he registered a domain name that triggered the emergency off switch. As Tuesday’s attack continued to gain momentum, some researchers said they were concerned there would be no similarly easy way to contain the damage.
“WannaCry had all kinds of stupid bugs and issues (hi killswitch),” researcher Kevin Beaumont wrote on Twitter. “This has no killswitch, and it looks like they had a development budget.”
There are also unconfirmed reports that infections worked against a fully patched computer running Windows 10, by far Microsoft’s most secure OS, which was never vulnerable to EternalBlue. What’s more, according to the unconfirmed report, the computer was using up-to-date AV protection and had disabled the SMBv1 file-sharing protocol that EternalBlue exploits.
The malware attack, according to researchers at Kaspersky and AV provider F-Secure, uses a modified version of EternalBlue. Researchers from AV provider Eset said in an e-mail that the malware also used the PSExec command-line tool. The precise relationship among the various infection methods isn’t yet clear. Eset said it appears the attacks use EternalBlue to get inside a network and then use PSExec to spread from machine to machine. “This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines, and hopefully most vulnerabilities have been patched,” an Eset researcher told Ars. “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
Ransomware and credential stealer together
According to researchers at Recorded Future, Tuesday’s attacks appear to deliver two payloads. One appears to be the new version of the Petya ransomware package, which has been holding data hostage since at least early 2016. While multiple researchers also reported the ransomware was a new Petya version, Kaspersky researchers said Tuesday’s attack, in fact, delivered a new strain of ransomware that had never been seen before. Researchers with AV provider Eset said in a blog post that, unlike many ransomware packages, PetyaWrap doesn’t encrypt individual files. Instead the encryption is aimed at a computer’s entire file system.
The ransomware targets the computer’s master boot record, which is a crucial file that allows a computer to locate its operating system and other key components. The file-system-wide encryption and master boot record targeting are features that are also found in Petya. Tuesday’s ransomware, whatever its origins and derivation, holds data hostage until users pay $300 in Bitcoins.
The other payload is an information stealer that extracts usernames and passwords from victim computers and sends the data to a server controlled by the attackers. That would mean that while an infected computer has been rendered inoperable by the ransomware, the attackers would already have access to potentially high-value credentials that were stored on the machine. As the Kaspersky Lab research suggests, the credential theft is then used to spread to other machines inside an infected network.
Tuesday’s attack spread widely almost immediately. It initially took hold in Ukraine and Russia, but soon it reportedly spread to Poland, Italy, Spain, France, India, and the United States. WPP, the British ad company, said on Twitter that some of its IT systems were hit by a cyber attack. Its website remained unreachable as this post was going live. Law firm DLA Piper posted a handwritten sign in one of its lobbies instructing employees to remove all laptops from docking stations and to keep all computers turned off. AV provider Avast said it detected 12,000 attacks so far. Security company Group-IB said at least 80 companies have been infected so far. Reuters also reported that a computer attack that hit Maersk, a shipping company that handles one in seven of all containers globally, caused outages at all of its computer systems across the world. IT systems in multiple sites and business units remained down, but company officials didn’t say how the outages were affecting operations.
Tuesday’s ransomware package took the highly unusual step of instructing victims who had paid the ransom to e-mail their payment information, rather than using a different receiving wallet for each victim. Within a few hours, the e-mail address was shut down, making it impossible for people who paid the ransom to recover their data. It also used no command and control server to keep track of and send instructions to infected computers. Those traits, which are sure to torpedo chances of the malware generating profits for its creators, prompted International Computer Science Institute researcher Nicholas Weaver to speculate the true intent of the malware developers was to sow destruction, not make money.
“Remember, good ransomware is a turnkey, purchasable product, with many vendors to chose from,” Weaver wrote on Twitter. “Yet they chose one of the worst (it bricks computers) and then broke the payment mechanism and no C&C.”
By early Tuesday afternoon California time, the malware had received 24 Bitcoin payments totaling about $6,000, Kaspersky reported.
The rapid spread mimics the WCry outbreak, which infected more than 727,000 computers in 90 countries. WCry was designed to be a worm, meaning once it infected a computer it could spread to other connected computers without requiring any user interaction. It is not yet clear if PetyaWrap has the same self-replicating ability. The number of organizations that have been disrupted and the added arsenal of attack tools would suggest that it does.
This post was extensively updated and rewritten over the course of five hours as new information became available.