The world suffered another ransomware nightmare on Tuesday, with pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, an airport and banks all affected. One U.S. hospital also appears to be a victim. Worse is expected, thanks to some pernicious features in the ransomware sample.
The malware widely believed to be responsible is a version of Petya which security researchers are calling “NotPetya”. It’s similar to Petya, but different enough to qualify as an entirely new form of ransomware, researchers say. Backing up NotPetya is an exploit method borrowed from a leaked NSA hack called EternalBlue, the same which WannaCry used to infect hundreds of thousands of computers and take down hospital networks. With the new strain, though, only computers on a local network are scanned, not the entire internet, as WannaCry attempted.
That’s cause for embarrassment among infected companies: Microsoft released a patch earlier this year which prevented any EternalBlue hacks, even pushing out updates for older, unsupported Windows systems like XP. Businesses should have patched by now, especially given the carnage WannaCry caused.
NotPetya has some extra powers that security experts say make it deadlier than WannaCry. While EternalBlue has allowed it to spread via a weakness in Windows’ SMB, it has other tools for moving at speed across networks. For instance, according to former NSA analyst and cybersecurity entrepreneur David Kennedy, the ransomware finds passwords on the infected computer to move to other systems. It does that by extracting passwords from memory or from the local filesystem, he explained.
“This is going to be a big one. Real big one,” Kennedy added.
Another proliferation technique is NotPetya’s abuse of PsExec. The tool is meant to carry out limited actions on other systems, but in this case it’s spreading the infection by executing malicious code on other computers. For instance, if the infected PC has administrator access to the network, every computer can become infected. A similar method is used by NotPetya with the Windows Management Instrumentation (WMI) tool, according to security expert Kevin Beaumont.
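The PsExec and WMI spreading described above leaves traces a defender can look for: PsExec-style remote execution installs a service (the well-known name is PSEXESVC) on the target, and WMI-driven execution shows up as a process whose parent is the WMI provider host, WmiPrvSE.exe. The following is an added example, not code from the article or from any of the researchers quoted, that runs two such detection rules over a handful of constructed, simplified Windows event records (event ID 7045 = service installed, 4688 = process creation). The record layout and field names are assumptions for the example; real Windows event XML is more verbose.

```python
# Added example (not from the Forbes article): flag the two lateral-movement
# patterns the article attributes to NotPetya -- PsExec-style remote service
# installation and WMI-initiated process creation -- over constructed,
# simplified Windows event records. Field names and layout are assumptions.
from dataclasses import dataclass


@dataclass
class Event:
    host: str       # machine that logged the event
    event_id: int   # Windows event ID (7045 service install, 4688 process creation)
    fields: dict    # simplified subset of the event's data fields


# Constructed sample events; hostnames and paths are made up for the example.
SAMPLE_EVENTS = [
    Event("WS-01", 7045, {"ServiceName": "PSEXESVC",
                          "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event("WS-01", 4688, {"NewProcessName": "C:\\Windows\\PSEXESVC.exe",
                          "ParentProcessName": "C:\\Windows\\System32\\services.exe"}),
    Event("WS-02", 4688, {"NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
                          "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}),
    Event("WS-03", 4688, {"NewProcessName": "C:\\Windows\\System32\\notepad.exe",
                          "ParentProcessName": "C:\\Windows\\explorer.exe"}),
    Event("WS-03", 7045, {"ServiceName": "Spooler",
                          "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}),
]

PSEXEC_MARKER = "psexesvc"      # default service/binary name used by PsExec
WMI_HOST = "wmiprvse.exe"       # WMI provider host; parent of WMI-spawned processes


def detect_lateral_movement(events):
    """Return a list of (host, rule, detail) findings for the given events."""
    findings = []
    for ev in events:
        if ev.event_id == 7045:
            # Remote service install whose name or binary matches PsExec's default.
            name = ev.fields.get("ServiceName", "")
            image = ev.fields.get("ImagePath", "")
            if PSEXEC_MARKER in name.lower() or PSEXEC_MARKER in image.lower():
                findings.append((ev.host, "psexec_service_install", name))
        elif ev.event_id == 4688:
            child = ev.fields.get("NewProcessName", "")
            parent = ev.fields.get("ParentProcessName", "")
            # The PsExec service binary itself starting on the target.
            if PSEXEC_MARKER in child.lower():
                findings.append((ev.host, "psexec_service_process", child))
            # Any process launched by the WMI provider host.
            if parent.lower().endswith(WMI_HOST):
                findings.append((ev.host, "wmi_spawned_process", child))
    return findings


def hosts_with_findings(events):
    """Distinct hosts that triggered at least one rule, sorted for stable output."""
    return sorted({host for host, _, _ in detect_lateral_movement(events)})


if __name__ == "__main__":
    for host, rule, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

On the constructed sample this flags WS-01 (PsExec service installed and started) and WS-02 (a process spawned by WmiPrvSE.exe) and leaves WS-03 alone. Both rules also fire on legitimate administrative use of PsExec and WMI, so in practice they are a starting point for correlation (many hosts hit within minutes, or activity from accounts that never administer remotely) rather than a stand-alone alert.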
“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched,” said ESET researcher Robert Lipovsky. “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
Perhaps most crucially, thanks to all these added features, the new strain will infect even patched Windows PCs, including those with Windows 10, as one IT professional noted in a blog, whereas WannaCry worked largely on older systems.
A Microsoft spokesperson said the company was aware of the reports and was investigating, adding: “Our initial analysis found that the ransomware uses multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10 [the EternalBlue vulnerability MS17-010]. As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers.” It also claimed its anti-malware product, Windows Defender, detected and blocked the malware.
This latest attack appears to be the work of a professional group, unlike WannaCry, which was full of bugs and had a killswitch, which a British security researcher accessed and turned off (though more infections occurred just last week). There is no obvious killswitch with NotPetya, which Kaspersky said has infected at least 2,000 organizations across the globe, including Ukraine, Russia, the U.K. and the United States.
NotPetya’s professionalism might come from Petya’s birth in the bustling, highly technical cybercriminal underground. Jakub Kroustek, Threat Lab Team lead at Avast, said: “One of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model which gives distributors a share of up to 85% of the paid ransom amount, while 15% is kept by the malware authors.” This kind of “ransomware-as-a-service” has been a growing concern of late, given it opens up the crime to a non-technical audience.
Whatever the class of criminal behind today’s outbreak, they’ve had a good pay day, though not an astounding one. At the time of publication, 22 payments had been made to 2.39818893 Bitcoin, worth around $5,515.
Anyone even considering paying hackers to unlock their computers should reverse course, however: the email account set up to provide keys has been shut down by the provider, Posteo. Thanks to that, there’s no obvious way of recovering files without backups.

Written by Thomas Fox-Brewster, Forbes Staff