Stolen NSA tool behind another global ransomware attack
- By Sean D. Carberry
- Jun 27, 2017
One of the exploits allegedly stolen from the National Security Agency and leaked by the mysterious TheShadowBrokers entity is behind another global ransomware attack affecting banks, power companies and shipping giant Maersk, according to cybersecurity researchers.
The "Petya" ransomware has hit Europe primarily, and Ukraine appears to be getting the worst of it so far. The state power distributor, banks and Chernobyl's radiation monitoring system have all been affected.
Like WannaCry, once Petya enters a device, it spreads like a worm through entire networks looking for other vulnerable devices. But experts say the code is more sophisticated than WannaCry.
"Petya is a ransomware family that works by modifying the Window's system's Master Boot Record (MBR), causing the system to crash," Rick Howard wrote on Palo Alto's Unit 42 blog "When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII Ransom note demanding payment from the victim."
The ransom demand is $300 in Bitcoin.
"Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm," continues the blog post. "The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received."
In March, Microsoft issued a patch that protects against the EternalBlue exploit used in the WannaCry and now the Petya attacks. In addition, disabling the Microsoft Server Message Block protocol also protected devices from WannaCry.
"It appears that many companies may have put off patching, instead relying on a signature to detect and prevent the malware from executing," Curt Dukes, former head of information assurance at the NSA, told FCW by email.
"Unfortunately, the adversary re-purposed the malware, perhaps changing the signature (detection capability), and replayed the attack," he added, saying that it is unclear whether or not the Microsoft patch is ineffective in this case. "It's also possible that the adversary looked closely at the [Microsoft Service Message Block] component and found another vulnerability that evades the patch."
F-Secure Chief Researcher Mikko Hypponen tweeted that patched systems are vulnerable because "Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC."
Dukes, who is now executive vice president at the Center for Internet Security, said the sophistication of the new ransomware suggests an organization with the development budget to be able to weaponize the EternalBlue exploit.
He added that organizations that were not affected by WannaCry are not necessarily immune from Petya.
"Security staff should always assume the developer, or other criminal elements will learn from defensive measures that have been implemented and come at them again," said Dukes. "It appears that the criminal element has removed many/most of the shortcomings with WannaCry into a new piece of malware."
Department of Homeland Security spokesperson Scott McConnell said DHS is monitoring the attack and "is coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance."
The Department of Defense said it is also tracking the ransomware, but officials would not comment on whether its devices have been patched or if any of its systems have been affected.
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.