The Age of Ransomware

Written by Dami Yusuph on 24/11/2017

Ransomware has been spreading rapidly of late, infecting computers around the world and encrypting large volumes of data. The reward remains a ransom, and this time it demands around $300 in Bitcoin for the decryption key. After WannaCry, Petya/NotPetya has become even deadlier. Two enormous ransomware attacks in as many months in early 2017 disrupted business services around the globe. NotPetya affected most industries and organisations, including critical national infrastructure such as banking, transportation systems and energy. NotPetya, like WannaCry, is able to modify the Master Boot Record (MBR) and includes worm capabilities, though it is more sophisticated and avoids the mistakes of the WannaCry authors. With this worm-like behaviour, NotPetya is able to move laterally across infected networks. The first infections were detected in Ukraine, where more than 10,000 machines were at risk from the infection, and more than 60 other countries were affected thereafter.

How Petya is delivered and lateral movement

The delivery of NotPetya started with an initial infection vector tied to the legitimate MEDoc updater process, delivered over HTTP, as reported by Microsoft. MEDoc is a popular tax accounting software package in Ukraine and must have been a soft target for a software supply chain attack, a growing global malware trend. As thousands of users downloaded the updates from the compromised server, the infection escalated, resulting in the harvesting of credentials and lateral movement across several networks.

The spreading of NotPetya is preceded by the building of a list of target primary and remote IP addresses. In building the list, it captures the IP addresses and DHCP servers of connected network adaptors, DHCP clients (checking for open ports 445 and 139), subnet addresses, remote computers with open connections to the infected machine, computers in the Address Resolution Protocol (ARP) cache, Active Directory resources, network neighbourhood resources and Windows Credential Manager resources. NotPetya then works out a list of usernames and passwords it can use to self-propagate to more machines, building this list of login credentials in memory. The credentials are stolen from the Windows Credential Manager, and NotPetya is also able to drop and execute a 32- or 64-bit credential dumper.

The infection requires just one infected machine to spread through a network. With the help of the victim’s stolen credentials, NotPetya spreads through Windows network shares by attempting to copy itself to [COMPUTER NAME]\\admin$. It uses legitimate tools such as PsExec (for executing processes remotely) and the Windows Management Instrumentation Command-line (WMIC) to execute remotely. Similarly, NotPetya is able to abuse Server Message Block (SMB) vulnerabilities (similar to how WannaCry was delivered), including the MS17-010 vulnerabilities targeted by the EternalBlue and EternalRomance exploits.
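
As an added defender-side example (not code from the original article), the following Python flags the lateral-movement patterns just described in normalised Windows event data: ADMIN$ share access fanning out from one source (Event ID 5140), a PSEXESVC service install (Event ID 7045), and process creation (Event ID 4688) showing the rundll32.exe perfc.dat launch or remote WMIC execution. The sample events, field names and fan-out threshold are constructed assumptions; map them to your SIEM's schema.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry), in a minimal JSON-like
# form of the Windows Security/System events a SIEM would normalise.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "ws-02", "SourceAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "ws-03", "SourceAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "fs-01", "SourceAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "fs-01", "SourceAddress": "10.0.0.9", "ShareName": "\\\\*\\Public"},
    {"EventID": 7045, "Computer": "ws-02", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "ws-03",
     "CommandLine": "rundll32.exe C:\\Windows\\perfc.dat"},
    {"EventID": 4688, "Computer": "ws-02",
     "CommandLine": "wmic /node:fs-01 process call create \"rundll32.exe perfc.dat\""},
    {"EventID": 4688, "Computer": "ws-04", "CommandLine": "notepad.exe report.txt"},
]

# Assumption: how many distinct hosts one source may reach over ADMIN$ before
# it is treated as worm-like fan-out. Tune to your environment.
ADMIN_SHARE_FANOUT = 3


def detect_lateral_movement(events, fanout=ADMIN_SHARE_FANOUT):
    """Return sorted (indicator, host) alerts for the NotPetya-style patterns."""
    alerts = set()
    admin_targets = defaultdict(set)  # source address -> hosts whose ADMIN$ it touched
    for ev in events:
        eid = ev.get("EventID")
        if eid == 5140 and ev.get("ShareName", "").upper().endswith("ADMIN$"):
            admin_targets[ev["SourceAddress"]].add(ev["Computer"])
        elif eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            alerts.add(("psexec_service_install", ev["Computer"]))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "").lower()
            if "rundll32" in cmd and "perfc" in cmd:
                alerts.add(("perfc_rundll32", ev["Computer"]))
            if "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
                alerts.add(("wmic_remote_exec", ev["Computer"]))
    for src, hosts in admin_targets.items():
        if len(hosts) >= fanout:
            alerts.add(("admin_share_fanout", src))
    return sorted(alerts)


if __name__ == "__main__":
    for indicator, host in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{indicator:24} {host}")
```

Any one of these indicators on its own can be benign admin activity; the fan-out count combined with a PSEXESVC install or the perfc.dat launch is the combination worth paging on.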

When NotPetya executes with the command rundll32.exe perfc.dat, it first loads the DLL into memory and then attempts to erase itself from the victim machine. To achieve this, it opens the file, overwrites it with null bytes and deletes it from disk, to evade detection and frustrate recovery of the file. This is immediately followed by the creation of the file perfc in C:\Windows\ as an indicator flag for the success of the infection.

The impact of NotPetya on data

NotPetya modifies the MBR and encrypts the hard disk after compromising and hijacking the infected machine’s boot sequence. On the next reboot, the ransomware simulates a CHKDSK process. Normally, CHKDSK (short for “check disk”) is a system command in DOS, OS/2 and Windows that verifies the integrity of a file system volume and can fix logical file system errors. It is during the simulated CHKDSK process that the entire hard disk is encrypted, after which a prompt is displayed on screen, as shown in Figure 1, demanding that a ransom be paid.

Figure 1. NotPetya ransomware prompt on screen

If NotPetya executes as a standard user, the attempt to modify the MBR fails, but it is still able to propagate across the network. It then schedules a reboot and is able to encrypt individual files on the hard disk. As it continues to propagate, it attempts to modify the MBR, adding a custom loader that simulates a CHKDSK process. User-mode encryption follows propagation: the ransomware enumerates files with specific extensions on a hard drive (such as the C:\ drive), skipping the %Windir% directory. When NotPetya finds a file matching one of the listed extensions, it encrypts it.

A sting in the tail

There’s more to the story here, as NotPetya seems to be one step worse than traditional ransomware. Even if you send the cybercriminals the Bitcoins, they won’t decrypt your files. So NotPetya is really a wiper – a chaos engine to permanently delete your data – disguised as ransomware.

Is ransomware here to stay?

Ransomware is a targeted attack. Like WannaCry, NotPetya targets energy companies, banks, transportation services and healthcare institutions. Critical national infrastructure is at risk and denial of service is becoming prevalent. With this widespread propagation of the malware, the services of several organisations have recently been crippled. These organisations include the NHS, regional hospitals in Virginia and Kentucky, car manufacturer Renault, Maersk’s IT systems, Rosneft (a top Russian oil producer), Britain’s WPP (the world’s biggest advertising company), Merck & Co (a pharmaceutical company), the Russian Central Bank, Ukrainian banks and the Ukrainian power grid, Ukraine’s international airport, Saint-Gobain (a French construction materials company), and many more.

One of the imminent dangers of the ransomware phenomenon is the development of Ransomware-as-a-Service (RaaS). With RaaS, cybercrime becomes accessible to anyone, including novices in programming. RaaS may be delivered as open source or sold as a proprietary offering for a fee of its own. Where such a service is available, the spate of attacks will escalate and random ransom demands will become commonplace.

A proactive security standpoint is required

Ransomware exploits unpatched vulnerabilities. It is common to see organisations, industries and government at various levels running unpatched operating systems. These machines periodically become vulnerable and pose major threats, not only to the organisation using them but to every system connected to them. Standard security procedures such as proactive vulnerability scanning and assessment, threat modelling and countermeasures, system hardening, defence-in-depth, network segmentation and up-to-date antivirus software must be enforced.

Ransomware attacks are becoming sadly frequent. Industries and organisations should not rely solely on antivirus software to achieve a secure computing environment. Vulnerabilities must be patched quickly. Ransomware usually spreads quickly, and a good backup culture can help to recover lost files. At the same time, user training and awareness should be frequent, and mock incident response exercises should be conducted to rehearse recovery from likely attacks.

Windows and other operating systems push updates frequently. These updates must be applied as promptly as possible to stop the vulnerabilities they fix from being exploited. After all, when there is no vulnerability to exploit, there is little likelihood of an attack occurring. Furthermore, the network should be segmented so that the impact of an attack can be contained in one segment while the rest continues to function.

Organisations and governments involved in the processing of critical data should educate their users on the dangers of opening unsolicited emails and surfing the Internet randomly, including unauthorised downloading and installation of ‘free’ software. A single click on a link has the potential to trigger an attack without the user being aware of the damage about to be done. Constant malware scanning as well as the inspection of network traffic is advised to forestall and detect the spread of ransomware.

Ransomware attacks are ugly incidents for any industry, organisation or government. Proactive measures should be in place now to ensure that the next attack is prevented and/or contained. And there will be a next attack. Frequent patching and a rolling programme of user security awareness are quick wins that can drastically increase your security at comparatively little cost. Critical data, on the other hand, needs a higher level of security. There are many solutions out there, and it’s about time the world woke up to the reality of why they’re needed.
