On June 27, a new strain of the Goldeneye/Petya ransomware armed to the teeth with exploits swept the globe in a manner reminiscent of May’s WannaCry pandemic, hitting government agencies, banks, power companies, drug makers, shipping giants, and the list could go on.
A preliminary investigation by Bitdefender showed the malware sample responsible for the infection was an almost identical clone of the GoldenEye ransomware family. The media settled on calling it Petya, as it also shares multiple similarities with that ransomware strain.
When it was discovered, no information was available about the propagation vector. However, as with the WannaCry ransomware attack in May, Goldeneye/Petya seemed to be carried by a wormable component.
Today, we have enough information to make a more complete profile of the malware, including some juicy technicalities that will no doubt pique the interest of the geek demographic.
Reports from Ukraine, the country hit hardest by the contagion, indicate that the first wave of attacks occurred there, on June 27, around 2 PM local time.
While the ransomware initially took hold in Ukraine and Russia, it soon spread to several European countries, including Poland, Germany, Italy, Spain, and France. Subsequent reports revealed breaches at companies in India and the United States. Around the same time, British ad company WPP tweeted that its systems had fallen victim to a cyberattack.
Who got hit?
The list of companies hit by GoldenEye/Petya is more or less complete, depending on the willingness of victims to admit to the breach. However, we know its victims include:
- Chernobyl’s radiation monitoring system
- DLA Piper law firm
- U.S. pharma company Merck
- several Ukrainian banks, including National Bank of Ukraine
- at least one Ukrainian airport
- the Kiev metro
- Danish shipping and energy company Maersk
- British advertiser WPP
- Russian oil industry company Rosnoft
- Ukrenergo, Ukraine’s state power distributor
Who are the attackers?
It’s not yet known who the attackers are. The possibilities are so vast, speculation is futile at this point. However, we do know, based on their publicly available Bitcoin wallet, that they’ve amassed $10,000 in cryptocurrency as a result of the attack.
How does GoldenEye/Petya work?
GoldenEye/Petya is classified as ransomware, as it is designed to encrypt data on infected systems and demand ransom money in exchange for unscrambling the data.
Our analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the “worm” component of the malware. This component allows the malware to replicate itself on vulnerable systems across a network. Unlike last month’s infection, though, Petya has more aces up its sleeve.
An additional exploit dubbed EternalRomance was used to further ensure the malware’s “wormable” nature. Finally, a credential dumping tool (sharing code similarities with an older hack tool called Mimikatz) embedded in the software allowed GoldenEye/Petya to infect even non-vulnerable (patched) systems by simply gaining administrator rights on the machines. A recent Microsoft blog post analyzes this in detail.
Another important aspect of GoldenEye/Petya is its encryption mechanism – two of them, to be precise. The malware encrypts not only individual files, but also the computer’s entire file system by compromising the Master Boot Record (MBR) – a file responsible for finding the operating system and booting the computer – and subsequently the Master File Table (MFT) of the NTFS file system.
What are the infection vectors?
Our internal telemetry shows that some infections with GoldenEye/Petya were triggered by a compromised update of the MeDOC accounting software. Bitdefender customers in Ukraine, where our solutions intercepted the attack, show explorer.exe starting up ezvit.exe (the accounting app binary) which then executes rundll32.exe with the ransomware’s DLL as parameter.
The MeDOC update therefore is a key infection vector, making Ukraine “patient zero” – where the infection spread across VPN networks to headquarters or satellite offices. In addition to the MeDOC update, some other infection vectors are under investigation.
Ransomware or just plain evil?
GoldenEye/Petya is a piece of ransomware – malware designed to infect systems, encrypt files on them and demand a ransom in exchange for the decryption keys.
However, as the situation was being contained yesterday evening, evidence began to mount that Petya was basically a data destroyer – either meant as a test, or simply to harm victims.
Here are the clues:
- The email service used to get payment confirmations was a legitimate service called Posteo. The company suspended the email address upon catching wind of the news, essentially rendering payments made overnight invalid. Users would also never receive the decryption key. A typical ransomware attacker uses the Tor anonymity service. “This would be a poor decision for a business seeking to maximize financial gains,” explains Bogdan Botezatu, Sr. Security Analyst at Bitdefender.
- Petya lacks automation in the payment & key retrieval department, making it difficult for the attacking party to deliver the decryption keys back to the victim.
- The user has to manually type in an extremely long, mixed case “personal installation key” + “wallet” which is prone to typos.
- Every victim reading the Petya ransom note was looking at the same Bitcoin address. Most pieces of ransomware (designed specifically for financial gain) use custom bitcoin payment addresses for each endpoint infected.
How to stay on the safe side
The first rule of thumb is to keep your systems up to date. Remember that GoldenEye/Petya leverages vulnerabilities patched by Microsoft with several express updates starting in March. You have no excuse to remain unpatched following the WannaCry and GoldenEye/Petya attacks.
Run a trusted AV solution. Bitdefender blocks the currently known samples of the new GoldenEye/Petya ransomware. Computers running a Bitdefender security solution for consumer or business are safe against GoldenEye/Petya and WannaCry.
Considering Petya’s “plan B” to use lateral movement through credential theft and impersonation when faced with a patched system, companies might want to consider restricting administrator rights on employee endpoints. The same advice applies to regular users as well.
Bitdefender strongly advises all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.