NotPetya ransomware, also known at PetrWrap, is a new virus currently ripping through Europe and is showing signs of moving onto the U.S. So far over 2,000 targets have been hit. These include Russia’s top oil producer, and Ukrainian Banks and Power Grid. Attacks have also been noted on the German Metro system, Denmark, France, Spain, and more. The name itself is derived from the original belief that this was a subset of the Petya malware on closer inspection, Kaspersky Labs has declared that this was incorrect and redubbed the new virus NotPetya.

Ground zero for the infection stemmed from a hack on the MeDoc accounting software. MeDoc is accounting software that has mandated use for tax purposes in Ukraine. The software contains a built-in update function. This morning MeDoc was updated and after the patch a series of background processes initiated. These processes reached out the NotPetya’s C&C systems and downloaded the ransomware. 30-40 minutes after the infection the targeted files are scanned for and encrypted alongside the Master Boot Record (MBR).

NotPetya is moving quickly using multiple attack vectors to infiltrate networks, once inside a secured network the ransomware is using the NSA’s ETERNALBLUE vulnerability – the same used by WannaCryMS17-010, WMI, and PsExec – to spread throughout the secured infrastructure. In addition to ETERNALBLUE, the file is also moving laterally through systems that allow PSEXEC to use Administrator rights. On top of this it also uses LSADump to get the Admin password to spread across the network, this last technique means it doesn’t even need to use ETERNALBLUE or the PSEXEC attacks to move through the network.

This allows NotPetya to hit Windows systems that have been patched up to current, including Windows 10 systems.

On infection, NotPetya scans for multiple file extensions including:

NotPetya Ransom MessageThese files and the system’s MFT are encrypted and a ransom message is displayed demanding $300 USD paid in Bitcoin.

One major difference between NotPetya and its predecessor WannaCry is the lack of a killswitch.

WannaCry was defeated by the discovery of a killswitch domain. It is thought that its developers used a VM with a specific domain to determine that the ransomware was sandboxed for development purposes. When the domain was detected the virus stopped replicating. NotPetya appears to detect if it is sandboxed in a VM but does not use a domain killswitch to do this.

In addition to this, NotPetya is changing its shell code to avoid detection by anti-virus (though many anti-virus programs do appear to be detecting NotPetya under alternative IDs). Additionally, the code produced by the exploit is cleaner than previous attempts in that it properly builds SMBv1 header packets.

One small ray of hope is that apparently, NotPetya uses a sleep timer post infection. Once the ransomware has hit a target computer it waits 30-40 minutes to begin encryption. Rebooting in this time period using a Windows recovery disk and fixing the MBR will clear the malware from memory and prevent being encrypted.

Another way to recover the MBR (Master Boot Record):

There are some reports that the following commands (entered on the command line) will help recover from NotPetya:

 bootrec /RebuildBcd
bootrec /fixMbr
bootrec /fixboot

If the MBR recovery is done after encryption this will restore the MBR, but unlikely to recover any encrypted files. This is obviously the more important step and efforts to find a decryption method are ongoing.

Additionally it’s possible vaccination is by creating a file in C:\Windows with the file name perfc will prevent the ransomware from running and was discovered by 0xAmit

Also – The initial location from which the malware seems to be download is in Iran, thus if you are GEO blocking Iran you should not get infected.

ThreatSTOP Customers:

  • Enable TSCritical General and TSCritical Ransomware IP Addresses in your policies to protect yourself from the Malware
  • Enable Geo Protection from Iranian IPs - [Update 2] This will not save you from NotPetya, but will defend from Krol Ransomware and the LokiBot. [/Update 2]
  • Disable SMBv1 If you have not done so yet.
  • Backup, Backup, Backup!

Yara Rules for NotPetya

 Update 1

Update 2

Some of the IP addresses blocked in our update for this ransomware outbreak are actually distributing lokibot and Karo Ransomware.

Update 3

Decryption of the data is impossible - Do not pay the ransom!

More details in the Kaspersky Labs blog and the Comae blog.

Final update

It's estimated that over 12,500 machines in Ukraine alone were infected by the ransomware. Computers in at least 65 different countries have been infected, with Ukraine, the United States, and Russia topping the charts for the most infections.

After infection and encryption of the files, there is no method available for decryption. This is due to several factors, including the cybercriminal's email address being disabled, and the possibility that the MBR/MFT are wiped. Therefore, it is absolutely pointless to pay the ransom. The only solution is to restore from backup.

The total damage created by NotPetya is limited compared to WannaCry, with the final tally showing that NotPetya pulled in $20k less than WannaCry in the first 24 hours. The infection rate was also significantly lower than WannaCry's 45,000 computers across 74 countries in the first 24 hours. It's expected the criminals behind NotPetya will see a much less significant return on investment than those behind WannaCry.

As NotPetya appears to be a targeted attack against Ukrainian infrastructure, ThreatSTOP feels that it's prudent, at this time, to recommend caution if you do business with Ukraine. The simplest way of mitigating the potential of infection for our customers is to enable the Geographic > Eastern Europe or Ukraine targets (pictured below) in your policy. If communication with known secure assets in Ukraine is needed, they can then be added to a whitelist for your firewall.

 Eastern Europe Geo Target.png
Regular Target List
Ukraine Geo Target.png
Expert Target List

For those without a ThreatSTOP account, you can sign up for a free 30-day trial of ThreatSTOP's services by clicking below:

Get Started

Subscribe to our blog to get updates and information about the latest threats around the Internet by entering your email in the Email Subscription box and clicking Sign me up!