INSIDE NOTPETYA RANSOMWARE, Pt. 1
Hi and welcome to Cybereason’s ML. I’m Ran Levi.
Every year, on June 28th, Ukrainians celebrate their “Constitution Day”–the anniversary of the nation’s adoption of a constitution, back in 1996.
In America, of course, citizens celebrate national holidays by immersing themselves in history. On July 4th every year, you all re-read the Declaration of Independence and, on MLK Day, each of you spends the whole day reflecting on Dr. King, and the injustices against African-Americans in this country both past and present.
You all do that, right? Right?…
Unlike in America, Ukrainians use their national holiday as a mere excuse to take a relaxing vacation.
The day before Constitution Day, in 2017, Oleh Derevianko was heading to a country house where he’d spend the long weekend with his family. Derevianko is the founder of Information Systems Security Partners, a cybersecurity lab which, in some ways, has become the go-to for Ukrainian targets of Russian APTs. Ukraine is targeted a lot by Russia, so the folks at ISSP are probably more deserving of vacations than most of the rest of us.
But Oleh was mistaken in thinking he would be able to enjoy a relaxing holiday weekend. During his drive north to the countryside, that morning of the 27th, his phone began to light up. He had to pull off the highway. Then, as the gravity of the situation became clearer, he ducked into a roadside restaurant to get on his computer.
By the afternoon, Oleh was calling every executive at every company he knew, telling them to unplug all their computer systems immediately. Shut everything down, whatever the cost.
Usually, this isn’t an easy pitch to make. Most executives shudder at the idea of shutting down their whole business, for any amount of time. Could any cyber incident really outweigh the cost of a few days or even a few hours of lost profit?
But what was unique about this cyber incident–and what might have made Oleh’s job easier–is that it didn’t take any cyber expertise to understand that something really bad was happening. Unlike a data leak or an account compromise, the effects were abundantly clear to the naked eye.
From “Sandworm,” a book written by technology journalist Andy Greenberg, quote:
“When Derevianko emerged from the restaurant in the early evening, he stopped to refuel his car and found that the gas station’s credit card payment system had been taken out [. . .] too. With no cash in his pockets, he eyed his gas gauge, wondering if he had enough fuel to reach his village. Across the country, Ukrainians were asking themselves similar questions: whether they had enough money for groceries and gas to last through the blitz, whether they would receive their paychecks and pensions, whether their prescriptions would be filled.”
Computer systems around the country were utterly disabled, from the government right on down to small businesses, like gas stations. According to Oleh, it was nothing less than a “massive, coordinated cyber invasion.”
Oleh Derevianko wasn’t wrong in describing this as a “massive, coordinated cyber invasion.” But that description only tells half the story, because by the evening of that Tuesday in 2017, the national cyberattack against Ukraine had blossomed into an international one affecting hundreds of countries. What began as a cyber invasion had quickly–really, really quickly–transformed into a cyber pandemic.
PHASE 1: PETYA
According to the World Health Organization, there are six distinct phases of a pandemic lifecycle. The first occurs when a virus begins to take shape in an animal population. Long before any human sneezes, it takes root deep inside of rats, bats or some other habitable creature. The genetic code passes between hosts, reproducing and, in doing so, mutates to gradually become more dangerous or more contagious.
A year before Constitution Day, 2017, a ransomware called “Petya” was spotted in the wild.
“[Amit] All of the other ransomwares that were around back then were just basically a program that runs on your machine, encrypts a bunch of files, and then displays a message that your computer was encrypted. Petya was different.”
Amit Serper, formerly of Cybereason, is the Area VP of Security Research for North America at Guardicore.
“[Amit] What Petya was doing is that it was basically destroying the boot sector and it didn’t even let you boot into your machine. And basically, it encrypted the drive and then when you were trying to boot your machine, you’d get a message that your entire machine is locked and in order to unlock it you need to pay a ransom. But with Petya, you didn’t even have access to Windows. You couldn’t even boot Windows.”
Petya attacked the very lowest, most foundational level of a computer. It didn’t cause your computer to sneeze, it caused its heart to stop. Nasty stuff.
A year after Petya was first spotted in the wild, it spawned a new variant. A mutation, you could say. It actually looked as if it was a new version of the original Petya. But the more researchers started looking into it, they realized that there’s actually… the two are not related and then they called it – it was dubbed NotPetya.
PETYA VS. NOTPETYA
Different people have different views on whether NotPetya can be considered a true variant of the original virus, as they look very similar to one another but work differently. The primary difference is in their means of spreading.
The original virus–Petya–was delivered as a standard attachment in an email. Lots of malware attacks work this way–it’s a good way of hacking a specific target, because you can use social engineering to make that email believable. In Petya’s case, the email masked itself as a job application–it included a stock photo of a young man, and a file pretending to be that young man’s job application. The file would have ‘PDF’ in its name, but in reality, it was an executable. An even bigger red flag was that it required admin access to run. If you clicked on it, Windows would warn you that it was going to make changes to your computer. Honest PDFs shouldn’t do that.
So as profoundly destructive as it was, Petya was actually rather weak at spreading. Think of it like the Ebola virus.
Its newer, superior variant was more like COVID-19–so contagious that even the most secure computers were infected within minutes of coming into contact with it. So contagious that even the act of trying to stop it was more disruptive than actually contracting most other viruses.
PHASE 2: M. E. DOC
Which brings us to Phase Two.
Every pandemic has a point at which the virus transfers from one animal to one human, before exploding everywhere else. You’ll often find that such a place is fertile for the spread of germs–a crowded and unsanitary part of a city, or a marketplace for exotic animal species.
NotPetya started off in a place like this–a place where one infection could turn, quickly, into thousands. It was a nondescript building just off Novokostiantynivska Street. Quote:
“On the edge of the trendy Podil neighborhood in the Ukrainian capital of Kiev, coffee shops and parks abruptly evaporate, replaced by a grim industrial landscape. Under a highway overpass, across some trash-strewn railroad tracks, and through a concrete gate stands the four-story headquarters of Linkos Group, a small, family-run Ukrainian software business.”
You’d be hard-pressed to find an uglier building than Linkos Group’s HQ. It’s a boxy, grey building resembling a shipping container, whose only design feature of note is that the third floor is painted in blue. It’s flanked on all sides by grey parking lots, grey concrete fencing and other boxy, grey buildings.
“[Amit] That company made an accounting platform sort of like what Quicken is in the US if I need to make some sort of a comparison. And the way that this accounting software worked is basically every business entity in the Ukraine or even outside Ukraine, every business entity that wanted to do business with Ukraine with regards to paying taxes and all of these things, a lot of them used this software that was made… the software was called MeDoc, M-E Doc.”
As the go-to accounting software for all Ukrainian companies, M.E.Doc was much more powerful than most midsize family-owned businesses. If you imagine Ukraine’s economy like a giant web, M.E.Doc is a node that connects to almost every corner of it. Those of you familiar with the recent SolarWinds breach will know what companies like this are capable of.
In the Spring of 2017, an attacker breached M.E.Doc’s software servers–the servers which, like SolarWinds, delivered software updates to clients. They inserted a hidden back door which allowed them a portal to all of the company’s customers. That’s when they deployed NotPetya.
PHASES 3, 4, 5, 6 (MAERSK)
If you drive almost directly and uniformly south from Linkos Group’s Kiev headquarters, after six and a half hours you’ll hit the city of Odessa, on the northern coast of the Black Sea, where the world’s biggest shipping company, Maersk, has an office building.
The contrast between these two places couldn’t be greater. The Maersk building looks like if Linkos’ building got a haircut, a makeover and a job: it’s nine stories tall, sleek, clean and curvy. And unlike that bleak, industrial neighborhood of Kiev, it’s surrounded by parks, beaches and beautiful old houses.
On the eve of Constitution Day, 2017, there were probably many people making this drive from Kiev to Odessa, for vacation. NotPetya made the trip alongside them. It turned out that, at Maersk’s Ukraine HQ, one finance executive had had IT administrators install M.E.Doc on just one computer in the whole building.
To understand just how contagious, and how deadly NotPetya was, we need only consider that one computer.
“[Amit] A lot of companies that are doing business with the country of Ukraine, basically, they need to file taxes. They need to have that software installed on their machines so that they could do all of the tax-related stuff you know to basically pay taxes to the country of Ukraine. What happened was that there were a lot of companies that either had the MeDoc software installed or in some way had computers connected in the same network to computers that had the MeDoc software on them. [. . .]
So at a certain point, the malware reached a bunch of machines that weren’t necessarily directly connected to MeDoc in one shape or form, but they were on the same network with the machine that had the MeDoc software on it.”
“[. . .] on the afternoon of June 27, 2017, confused Maersk staffers began to gather at [the IT] help desk in twos and threes, almost all of them carrying laptops. [. . .] All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.”
“[Amit] I think that it just got out of control. [. . .] I don’t think that Maersk was a target – was an original target.”
At the very same time when Ukrainian gas stations and service providers were shutting down, so too were major multinational corporations elsewhere in Europe and around the world.
In the World Health Organization’s terms, we’re long past Phase 3 of a pandemic, when a virus creates clusters inside of one community. We’re past community spread, where it spreads in multiple clusters, and international spread, when it breaks out around the world. NotPetya did Phase 3, Phase 4, Phase 5 and Phase 6 of a pandemic lifecycle in one afternoon.
At Maersk alone, 17 ports on at least three continents had completely frozen up. It was 9 A.M. in New Jersey when the entry gate to their terminal closed shut. Quote:
“Soon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal. One employee at another company’s nearby terminal at the same New Jersey port watched the trucks collect, bumper to bumper, farther than he could see. He’d seen gate systems go down for stretches of 15 minutes or half an hour before. But after a few hours, still with no word from Maersk, the Port Authority put out an alert that the company’s Elizabeth terminal would be closed for the rest of the day.”
The thousands of truck drivers that queued up at Maersk terminals worldwide–from New Jersey to Mumbai, carrying food, home goods and just about anything you can possibly conceive of–had no concept that a single computer in Odessa, Ukraine was the reason why their day was so sucky. Frankly, Maersk itself didn’t have much of a clue, either.
ETERNALBLUE + MIMIKATZ
“[Amit] It was a brand new pathogen that was very viral, that was very efficient in spreading. I sort of sound like cyber Anthony Fauci right now. It was very efficient in spreading and there was no way to stop it.”
NotPetya expertly combined two tools to make it more contagious than any one exploit could. The first was EternalBlue–a tool originally designed by the NSA, leaked earlier in 2017, which had also been exploited by WannaCry by this time. EternalBlue exploited a vulnerability in Windows’ Server Message Block or “SMB” protocol, allowing NSA agents and, now, anybody else who got their hands on it, to deploy whatever code their hearts desired onto Windows networks.
The second half of NotPetya’s spreading mechanism was Mimikatz, a tool originally designed by a security researcher to demonstrate how insecurely Windows stores passwords. To explain, we’ll use an analogy: imagine you write all your passwords down in a notebook, kept hidden in a locked drawer in your office cubicle. It seems like a good enough way to remember your passwords, since you can always check it and then hide and lock it away when you’re done. Mimikatz is like a coworker who knows where that notebook is, and has a copy of the key. It can read the memory of a PC to find, say, the admin credentials for an entire corporate network.
So, put together, NotPetya combines EternalBlue to deploy remote code onto just about any network, and Mimikatz to pull credentials for spreading across those networks. And it’s all automated.
“[Amit] So once they used these vulnerabilities, it basically allowed them to put the malware on this very violent mode, almost like the virus that we’re all experiencing today, the corona virus were basically spread from one host to another and destroys all the data that exists on the host.”
How do you avoid contracting such a virus? You could be lucky enough to be running macOS instead of Windows, in which case, NotPetya was not relevant to you at all. Or, if your computers were updated to the latest version of Windows, you’d already be invulnerable to EternalBlue–back in March, shortly after the exploit was leaked, Microsoft patched its corresponding vulnerability. Actually, according to Microsoft’s analysis, Windows 10 did a pretty good job at combating NotPetya on its own, just by virtue of its built-in security. It was older versions of the OS that struggled the most.
But even fully-updated Windows 10 wasn’t enough, on its own, because all NotPetya needed was one outdated, unpatched computer in a network. A launch pad where it could steal the credentials necessary to spread everywhere else. That’s how you get from Odessa, Ukraine, to New Jersey and Mumbai in one afternoon.
So, in the end, there was only one reliable way to stop the spread. Call it cyber distancing.
“[Amit] Sort of like what we’ve seen with the corona virus where they said, ‘Well, we want to control the spread. So stop seeing other people. Stop interacting with other people.’ So the equivalent would be to disconnect all of the machines from the network.”
As Oleh Derevianko sat with his laptop at a roadside restaurant in suburban Ukraine, he called all of his friends, pleading with them to distance their computers from the web. Every plug six feet away from a wall outlet.
“[Amit] So you’ve seen a lot of companies that were basically telling their employees quickly turn off the machines. Disconnect them from the network and disconnect them from the power outlet just in case.”
Unfortunately, NotPetya spread faster than the warnings about it could–first within Ukraine, then far beyond.
And what happened to those computers that weren’t unplugged in time was…well, it was as harmful as viruses can get. A Maersk IT admin, Henrik Jensen, witnessed the destruction from the front lines. Quote:
“Jensen was busy preparing a software update for Maersk’s nearly 80,000 employees when his computer spontaneously restarted. He quietly swore under his breath. Jensen assumed the unplanned reboot was a typically brusque move by Maersk’s central IT department [. . .] Jensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as he craned his head, he watched every other computer screen around the room blink out in rapid succession. “I saw a wave of screens turning black. Black, black, black. Black black black black black,” he says. The PCs, Jensen and his neighbors quickly discovered, were irreversibly locked. Restarting only returned them to the same black screen.”
As nasty as the original Petya was, and as contagious as its successor was, the worst part about both of them was their payload.
Both Petya and NotPetya are commonly referred to as ransomware, because they look like ransomware. Once a computer contracts NotPetya, for example, the screen freezes over and a message is displayed that reads, quote:
“Oops, your important files are encrypted. If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.”
As you’d expect, below the message are instructions for how to send Bitcoin to a wallet address.
What made Petya and NotPetya so bad, though, is that all of this was a lie. Petya and NotPetya weren’t actually ransomware.
There was the encryption logic but no decryption logic that I could find.
The virus encrypted all the files on its host computer. But there was no mechanism for decrypting any of them. Even if you paid the ransom, even the attackers themselves couldn’t reverse the damage they caused.
That made NotPetya different from any biological virus that’s ever existed. It combined rapid spread with a mortality rate of 100%.
It would take months before the full scope of NotPetya’s destruction came into view. Thousands of companies, government entities and utilities were affected, some worse than others. Between business losses, costs of repair, manpower and time and legal proceedings, it cost Maersk an estimated 300 million dollars. It cost FedEx around 400 million. Merck, an American pharmaceutical company, was initially estimated to have lost around 300 million dollars but, in regulatory filings later that year, adjusted the figure to 870 million.
According to the White House, its total cost to the global economy was 10 billion dollars. That would make NotPetya the single costliest malware in world history.