UPDATE–Security researchers are continuing to delve into the details of the latest ransomware outbreak, and have found that the ExPetr ransomware has a number of interesting characteristics that separate it from other variants and raise questions about its purpose.
The ExPetr or NotPetya ransomware shares some code and behavior with the older Petya ransomware, but researchers say it is actually a separate variant. Beginning Tuesday morning, the ransomware began hitting a number of organizations in several countries, including Russia, France, Ukraine, Spain, and the United States. Among the major victims so far are Maersk, Merck, and the National Bank of Ukraine, and researchers said that the malware has been spread in a variety of ways, including a watering hole attack. Once it’s on an infected machine, the ExPetr ransomware installs a credential-stealing tool and then uses those credentials to scan the local network looking for other PCs to infect. It can use a couple of different techniques in order to move laterally on the network.
“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate DHCP subnets and all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials. It then tries to remotely execute the malware using either PSEXEC or WMIC tools,” Microsoft researchers said in an analysis of the ransomware’s behavior.
“The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin).”
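The scanning phase Microsoft describes (one host with freshly stolen credentials reaching out to many peers on tcp/139 and tcp/445) leaves a fan-out pattern in flow or firewall logs that defenders can look for. The following Python sketch is an added example written for this article, not code from Microsoft or from the malware; the flow records, the 60-second window and the 5-host threshold are constructed values and would be tuned per network.

```python
"""Flag hosts that contact many distinct peers on SMB ports in a short window.

Added example (not from the article). Flow records are constructed:
"<ISO timestamp> <src> <dst> <dport>", one per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample: 10.0.0.5 sweeps eight hosts in 14 seconds (scanner);
# 10.0.0.7 only talks to its file server; 10.0.0.9 touches three hosts
# spread over ten minutes (below the rate a sweep produces).
SAMPLE_FLOWS = """\
2017-06-27T10:00:00 10.0.0.5 10.0.0.20 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.21 445
2017-06-27T10:00:04 10.0.0.5 10.0.0.22 139
2017-06-27T10:00:06 10.0.0.5 10.0.0.23 445
2017-06-27T10:00:08 10.0.0.5 10.0.0.24 445
2017-06-27T10:00:10 10.0.0.5 10.0.0.25 445
2017-06-27T10:00:12 10.0.0.5 10.0.0.26 139
2017-06-27T10:00:14 10.0.0.5 10.0.0.27 445
2017-06-27T10:00:20 10.0.0.7 10.0.0.100 445
2017-06-27T10:00:25 10.0.0.7 10.0.0.100 445
2017-06-27T10:00:30 10.0.0.7 10.0.0.100 445
2017-06-27T10:00:35 10.0.0.7 10.0.0.101 80
2017-06-27T10:00:00 10.0.0.9 10.0.0.30 445
2017-06-27T10:05:00 10.0.0.9 10.0.0.31 445
2017-06-27T10:10:00 10.0.0.9 10.0.0.32 445
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct SMB peers} for sources that reach at least
    `threshold` distinct hosts on tcp/139 or tcp/445 within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS:          # non-SMB traffic is ignored
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each event
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))
```

A hit from this check is a lead, not a verdict: vulnerability scanners and backup servers produce the same fan-out, so the source should be allow-listed or correlated with remote-execution artifacts (PsExec service installs, WMI process creation) on the destinations.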
ExPetr can infect several different versions of Windows, and once it is on a new machine, it displays some interesting behavior aside from its spreading mechanisms. Most ransomware is designed solely to make money for the attacker. ExPetr, however, not only encrypts users’ files but also exhibits destructive behavior.
“Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware is run with SeShutdownPrivilege or SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim’s machine,” Microsoft’s researchers said.
Overwriting the master boot record essentially leaves a PC unusable and is the kind of behavior that’s normally associated with wiper malware such as Shamoon. Those variants are designed to destroy data, not encrypt it and hold it for ransom, and researchers say the financial aspect of ExPetr may just be a decoy.
“After comparing both implementations, we noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the first 25 sector blocks of the disk. This means the MBR section of the disk is purposely overwritten by the new bootloader,” said researcher Matthew Suiche of Comae Technologies.
“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract attention to some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”
Shamoon has been used in a handful of high-profile attacks in the last few years, including the compromise of Saudi Aramco in 2012 that affected more than 30,000 machines.
Researchers at Kaspersky Lab, who have analyzed the new ransomware, discovered that even if victims decided to pay the ransom, they likely wouldn’t get their encrypted data back.
“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk threat actors need the installation ID. In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery,” the company said.
“ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”
This story was updated at 1:38 PM on June 28 to add the information about the inability of the attackers to decrypt user data.