Petya, NotPetya, Goldeneye, Nyetya 6/27/2017
Posted: Thu Jun 29, 2017 1:32 am
“There’s no fucking way this was criminals.” - the grugq, some InfoSec person
Tuesday's attack, 6/27/2017, hit over 80 large companies in 64 countries and more than 12,000 computers. Many different names for the event popped up, including Petya, WannaCry2, NotPetya (named by Kaspersky), PetyaWrap, PetrWrap, ExPetr, Goldeneye, and Nyetya (named by Talos).
Infected Organizations:
Ukrainian institutions: Infrastructure Ministry, central bank, state postal service and largest telephone company
Kiev's Borispol Airport
Energy firms: Kyivenergo and Ukrenergo.
Danish shipping firm A.P. MOLLER-MAERSK (The world's largest container-shipping company)
Russian oil company Rosneft
American pharmaceutical giant Merck.
(Greenberg, 2017)
Law firm DLA Piper
UK advertising firm WPP
Snack food maker Mondelez International
(Goodin, 2017b)
Radiation monitoring station for Chernobyl
French construction materials company Saint-Gobain
German railway company Deutsche Bahn.
Australian factory for the chocolate giant Cadbury
Russian steel and mining company Evraz.
FedEx subsidiary TNT Express
Same Shit Different Day
Ukrainian officials and security researchers have concluded this is part of an ongoing campaign against the country that has been running for the past few years.
"...And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber assault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cyber security" (Greenberg, 2017b).
The digital weaponry being used on the country as a testing ground:
"But many global cybersecurity analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyber war testing ground—a laboratory for perfecting new forms of global online combat. And the digital explosives that Russia has repeatedly set off in Ukraine are ones it has planted at least once before in the civil infrastructure of the United States"(Greenberg, 2017b).
Ukraine is being pummeled with attacks:
"there had been 6,500 cyber attacks on 36 Ukrainian targets in just the previous two months"(Greenberg, 2017b).
These are not your typical attacks, but highly sophisticated ones that belong in the same category as Stuxnet. When discussing the previous attacks on Ukraine's networks, a Ukrainian security researcher was already identifying high-level tooling. This is how he described an attack that occurred before NotPetya:
"Yasinsky managed to pull a copy of the destructive program from StarLight’s network. Back at home, he pored over its code. He was struck by the layers of cunning obfuscation—the malware had evaded all antivirus scans and even impersonated an antivirus scanner itself, Microsoft’s Windows Defender. After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highlighting commands to see its true form. Yasinsky had been working in information security for 20 years; he’d managed massive networks and fought off crews of sophisticated hackers before. But he’d never analyzed such a refined digital weapon"(Greenberg, 2017b).
Intention of Malware was not to Initiate Ransom
Within 24 hours, researchers around the world had determined that the ransomware code is a cover for the malware's real purpose: wiping disks.
"its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak" (Goodin, 2017).
Additionally, researchers concluded that the ransomware component exists to control the media narrative. A purely destructive attack invites speculation about a state actor; a ransom note instead points at an ordinary criminal group, which is the story the operators wanted told.
"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon" (Goodin, 2017).
Why it's NOT Petya
The code was found to overwrite the master boot record rather than encrypt it, so nobody gets their data back by paying the ransom. The practical consequence for responders: treat this as a wiper, restore from backups, and do not pay.
"...contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible." (Goodin, 2017).
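To make the encrypt-versus-overwrite distinction concrete, here is an added illustration (not code from the original post, and not the malware's own code) that simulates the two behaviours against an in-memory disk image and runs the triage check a responder would want: given the key, can a valid MBR be recovered? The sector layout, the backup-sector index and the one-byte XOR "key" are constructed for the demo and are not the real Petya or NotPetya layout; only the principle carries over.

```python
# Added example: reversible (Petya-style) vs. irreversible (NotPetya-style)
# handling of sector 0, plus a recovery check. All layout details below are
# constructed for illustration, NOT the real malware's on-disk format.
from typing import Optional

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # x86 boot-sector signature at offset 510
BACKUP_SECTOR = 7               # constructed: where the toy payload stashes the original
BOOT_STUB = b"\xEB\xFE" + b"\x00" * (SECTOR - 2)   # stand-in for attacker boot code (jmp $)


def make_disk(sectors: int = 16) -> bytearray:
    """Build a constructed disk image whose sector 0 looks like a valid MBR."""
    filler = bytes(range(256)) * 2                  # deterministic 512-byte "data"
    disk = bytearray(filler * sectors)
    # 7 bytes of plausible boot code, zero padding, then the 0x55AA signature.
    mbr = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + bytes(SECTOR - 9) + BOOT_SIG
    disk[0:SECTOR] = mbr
    return disk


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy 'encryption': a single-byte XOR. Reversible by applying the same key."""
    return bytes(b ^ key for b in data)


def petya_style(disk: bytearray, key: int) -> None:
    """Reversible: encrypt sector 0 and keep the result where a decryptor can find it."""
    original = bytes(disk[0:SECTOR])
    start = BACKUP_SECTOR * SECTOR
    disk[start:start + SECTOR] = xor_bytes(original, key)   # encrypted copy saved
    disk[0:SECTOR] = BOOT_STUB                               # attacker's loader in place


def notpetya_style(disk: bytearray) -> None:
    """Irreversible: overwrite sector 0 in place; no copy is preserved anywhere."""
    disk[0:SECTOR] = BOOT_STUB


def is_plausible_mbr(sector: bytes) -> bool:
    """Minimal sanity check: right length and the boot signature at the end."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def recover_mbr(disk: bytearray, key: int) -> Optional[bytes]:
    """Triage: return a valid MBR if one can be recovered with `key`, else None."""
    current = bytes(disk[0:SECTOR])
    if is_plausible_mbr(current):
        return current                                       # nothing to recover
    start = BACKUP_SECTOR * SECTOR
    candidate = xor_bytes(bytes(disk[start:start + SECTOR]), key)
    return candidate if is_plausible_mbr(candidate) else None


def demo(key: int = 0x07):
    """Run both payloads; returns (petya_recoverable, notpetya_recoverable)."""
    d1 = make_disk()
    petya_style(d1, key)
    d2 = make_disk()
    notpetya_style(d2)
    return recover_mbr(d1, key) is not None, recover_mbr(d2, key) is not None


if __name__ == "__main__":
    print("Petya-style recoverable with key:   ", demo()[0])
    print("NotPetya-style recoverable with key:", demo()[1])
```

The point the simulation makes is the one Goodin's sources made: a decryption key only helps when the ciphertext of the original still exists somewhere on the disk. In the overwrite case the key is irrelevant, which is why the ransom offer was never a real offer.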