Canadian infosec pros have been crossing their fingers today that all their Windows systems are patched to block what now appears to be a worldwide infestation of a ransomware worm that exploits the same Windows vulnerability that helped spread the WannaCry ransomware a month ago.
The attack started early Tuesday local time in Ukraine and Russia and has spread to computers in the United States, the U.K., Spain, France and India. According to Microsoft, which details the attack, at least some of the initial infections started when Ukrainians used the legitimate updating process for tax software called MEDoc. This has led to some speculation the real targets of the attack were organizations in Ukraine, and the global spread was a secondary result.
According to experts, by mid-Wednesday 12,500 devices in 65 countries had been infected by this strain, called either ExPetr or NotPetya by researchers because it is similar to, but not identical to, the Petya ransomware. Others say it isn’t ransomware at all, despite the ransom note that pops up, but destructive malware that wipes hard drives.
As of this writing (5:10 pm Eastern Tuesday) there were no reports of it hitting Canada, although there is no reason to believe the country will be completely spared. UPDATE: As of 10 am Wednesday there had been no publicly announced detections here. However some foreign-based victims — for example candy manufacturer Mondelez, which includes brands such as Cadbury’s and Oreo, and WPP, one of the world’s biggest advertising and P.R. firms, have Canadian offices. They didn’t detail where their machines have been infected.
Companies that haven’t heeded the warning from the WannaCry outbreak and installed Microsoft’s MS17-010 patch yet are likely to fall victim to this latest attack. Like WannaCry, this new strain searches for vulnerable machines on a network once it has infected a device. Unlike WannaCry, it also collects all saved Server Message Block (SMB) credentials on the system and uses them to log onto other machines on the local network. LogRhythm has published a blog post with details.
In fact, Daniel Tobok, CEO of Toronto-based cyber consultancy Cytelligence, said this latest attack shouldn’t have been a surprise. There were warnings of the new strain three weeks ago on the underground criminal network called the Dark Web, when someone was peddling what was called “an evolution of WannaCry,” he said in an interview.
Security vendors are warning victims not to pay the ransom because a German email provider has shut down the e-mail address that was supposed to be used to contact blackmailers, confirm bitcoin transactions and receive decryption keys.
Kaspersky Labs said in a statement that its telemetry data indicated around 2,000 attacked users so far. The statement didn’t make clear if those were successfully attacked, or just detected an attempt. Kaspersky dubs the strain ExPetr because it has some similarities to the Petya ransomware. Other security vendors call it NotPetya.
(Screen shot from Kaspersky)
According to Sean Dillon, senior security analyst at RiskSense, like WannaCry this new strain of ransomware owes its heritage to the alleged theft of exploits created by the U.S. National Security Agency and apparently leaked by a group calling itself the Shadow Brokers. WannaCry took advantage of one Windows hole, which Microsoft had patched with MS17-010. However, Dillon said ExPetr has multiple vectors for spreading laterally through networks.
“WannaCry only leveraged [what NSA called] the EternalBlue exploit, also called the Double Pulsar backdoor; this leverages multiple exploits from the Shadow Brokers leak, as well as built-in functionality to attack Windows. Windows allows you to log on to other computers on the network. A lot of organizations re-use passwords on many machines because it’s easier than looking up passwords. But this malware can leverage that to log into other machines, even those that have the MS17 patch.”
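The spreading behaviour described above, harvested SMB credentials replayed against one machine after another, regardless of whether those machines carry the MS17-010 patch, leaves a recognisable trace in the Windows Security log: one source address opening network logons (Event ID 4624, logon type 3) to many distinct hosts within seconds. The script below is an added example, not code from the article or from LogRhythm, RiskSense or any other vendor quoted in it. It runs a simple detection over a handful of constructed log lines in a flattened `key=value` form; the field names follow the 4624 event schema, the threshold and window are assumptions to tune for your own environment, and in a real deployment the lines would come from a SIEM or from the Security event log rather than a list in the file.

```python
"""
Flag worm-style credential spraying in Windows Security events.

Heuristic: a single source address that authenticates over the network
(Event ID 4624, LogonType 3) to `threshold` or more distinct hosts within
`window` looks like a worm reusing harvested credentials, not a person.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 'host' is the machine that
# recorded the event, i.e. the logon destination; 'IpAddress' is the source.
SAMPLE_EVENTS = [
    "time=2017-06-27T10:00:01 host=WS-01 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    "time=2017-06-27T10:00:03 host=WS-02 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    "time=2017-06-27T10:00:04 host=WS-03 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    "time=2017-06-27T10:00:06 host=WS-04 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    "time=2017-06-27T10:00:09 host=WS-05 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    "time=2017-06-27T10:00:12 host=WS-06 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
    # A real administrator touching two file servers over half an hour: benign.
    "time=2017-06-27T10:05:00 host=FS-01 EventID=4624 LogonType=3 TargetUserName=bob IpAddress=10.0.0.7",
    "time=2017-06-27T10:40:00 host=FS-02 EventID=4624 LogonType=3 TargetUserName=bob IpAddress=10.0.0.7",
    # Interactive (console) logon and a failed logon: both ignored by the rule.
    "time=2017-06-27T10:41:00 host=WS-09 EventID=4624 LogonType=2 TargetUserName=carol IpAddress=127.0.0.1",
    "time=2017-06-27T10:42:00 host=WS-01 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.0.0.50",
]


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict; 'time' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def find_spraying_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (source IP, account) that reached `threshold`
    distinct hosts via successful network logons inside a `window`."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        # Only successful network logons count; console logons and failures are skipped.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        by_source[(ev["IpAddress"], ev["TargetUserName"])].append((ev["time"], ev["host"]))

    alerts = []
    for (src, user), events in by_source.items():
        events.sort()
        # Slide a window forward from each event and count distinct destinations.
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({"source": src, "user": user,
                               "start": t0, "hosts": sorted(hosts)})
                break  # one alert per source/account pair is enough
    return alerts


if __name__ == "__main__":
    for a in find_spraying_sources(SAMPLE_EVENTS):
        print(f"{a['start']} {a['user']}@{a['source']} -> {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

On the sample data the rule fires once, for `alice` from 10.0.0.50 reaching six hosts in eleven seconds, and stays quiet for the administrator who visits two servers over half an hour. Tuning matters: backup servers, vulnerability scanners and management consoles legitimately open many network logons quickly, so a real rule needs an allow-list for those sources or a higher threshold for them.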
Also, while WannaCry only encrypted documents, ExPetr scrambles an entire machine.
“We’ve never seen a worm that uses so many techniques,” Dillon said.
In its statement Kaspersky said that preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality.
Marc-Etienne Léveillé, a Montreal-based malware researcher for anti-virus maker ESET, said in an interview the victims in Ukraine ran financial software called MeDoc. It isn’t clear if that’s a coincidence or a factor in the spread of the worm, but it has led researchers to suspect that the initial infection of machines starts with a malicious email link or attachment.
What his company has found so far is that ExPetr encrypts a machine’s boot sector to hamstring the entire Windows machine. Also, unlike WannaCry, it doesn’t communicate with a command-and-control server, a dependency that was a weakness in WannaCry.
UPDATE: Kaspersky Lab researchers now say the Ukrainian website for the Bakhmut region was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file. “To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update.”
Coincidentally the release of ExPetr came the day after Kaspersky released a report on ransomware trends for the 12 months ending in March. The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4 per cent compared to the previous 12 months, it noted.
“The extortion model is here to stay,” it concluded. “More stable growth, which is at a higher level on average, could indicate an alarming trend: a shift from chaotic and sporadic actors’ attempts to gain foothold in threat landscape, to steadier and higher volumes.”
In a statement Varun Badhwar, CEO and co-founder of RedLock, a cloud infrastructure security company, said it is “alarming” that another large-scale global ransomware attack has emerged. It is evidence “that organizations worldwide are still not taking cybersecurity as seriously as they should.”
The recent attacks associated with WannaCry and ExPetr have reinforced the lack of accountability and focus on basic IT and security fundamentals, James Carder, CISO of security vendor LogRhythm, said in a statement. “Core IT operational competencies, such as patch management, backups, disaster recovery, and incident response are not well implemented or maintained. These are absolutely essential in protecting your company from damaging cyber threats and without them, you are left in a perpetually vulnerable state, a sitting duck for these types of attacks, merely hoping that you aren’t compromised.”