Security experts are still piecing together clues from the massive global cyber pandemic that occurred on June 27, 2017.
As we explained in a previous post, the cyberattack — called “NotPetya”— mostly targeted Eastern Europe. At least 60 percent of infections reported to Kaspersky Labs were aimed at Ukraine. However, Russia, Denmark, Norway, the U.K., India and the U.S. were all targeted as well.
One company that is closely investigating the NotPetya pandemic is CyberArk Labs. The company believes that when all is said and done, this new attack could surpass the May WannaCry episode that caused more than $4 billion in damages to global organizations.
So, what exactly happened on June 27?
CyberArk Labs believes that on this date, the Ukrainian government and several large enterprises were targeted by a highly coordinated ransomware attack. Ransomware is malware that encrypts files or entire disks and demands a payment, usually in a cryptocurrency such as Bitcoin, for the key; this strain also carried its own spreading mechanism, so once it landed on one machine it moved across the network on its own and locked endpoints without any further user action.
According to CyberArk, the first wave of the attack was deployed by hackers who were already inside of the networks they were targeting.
“These attackers were on the network for some time and used this reconnaissance time to plan and coordinate the attack for maximum effectiveness,” stated CyberArk Senior Director of Cyber Research, R&D Yaacov Ben Naim.
Experts believe that NotPetya exploits the same “ETERNALBLUE” SMB vulnerability (the flaw fixed by Microsoft bulletin MS17-010, CVE-2017-0144) that WannaCry used to cascade across private networks.
Even companies that patched the ETERNALBLUE vulnerability are still susceptible to the NotPetya ransomware, because the exploit is only one of its spreading methods. The malware also harvests credentials from the machine it is on and reuses them to launch itself on other hosts through legitimate Windows administration tools, so one infected workstation where an administrative account is logged on can reach fully patched neighbours.
“NotPetya was disseminated via the compromised software update service from MeDoc, a distributor of tax accounting software mandated by the Ukrainian government,” stated Mohammad Tabbara, Senior Systems Engineer, UAE & Channel at Infoblox in a recent infoTECH Spotlight article. “The malware spread to more than 12,000 systems in Europe and the Americas. This new variant started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit is the same method used by WannaCry ransomware, and Microsoft had already released a patch for the vulnerability.”
NotPetya also contains an embedded credential-harvesting module derived from Mimikatz, a utility that extracts plaintext passwords, PIN codes, password hashes and Kerberos tickets from memory. Whatever accounts were logged on to an infected machine became the malware's keys to the rest of the network, which is why keeping privileged accounts off ordinary workstations limits how far an outbreak like this can travel.
Once NotPetya was deployed inside the Ukrainian government’s networks, the majority of targeted systems crashed within just one hour of the attack launch. Subsequent attacks then spread into Russia before expanding globally, reportedly through phishing emails as well.
A big reason why the malware was so effective is that after it had spread, it scheduled a forced reboot a random 10 to 60 minutes later rather than rebooting immediately, giving it time to reach other machines before anyone noticed symptoms. The reboot handed control to the malware's own boot loader, which it had already written over the Master Boot Record; that loader encrypted the NTFS Master File Table behind a fake CHKDSK screen, leaving users unable to restart their systems normally.
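The two behaviours described above, remote execution through WMIC with harvested credentials and a one-shot scheduled task that forces a reboot within the hour, are both visible in ordinary process-creation telemetry. The following is an added example, not code from the original article or from any vendor it cites: a small Python scanner over process-creation events (the field set you would export from Sysmon Event ID 1 or Security Event ID 4688; the one-line text layout, the host names, the account names and the log lines themselves are constructed for the example). It flags `wmic /node:<host> ... process call create` as lateral movement and `schtasks /Create` of a `shutdown /r` task whose start time falls within the next 60 minutes as a delayed forced reboot, handling a start time that wraps past midnight.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime   # when the process was created
    host: str      # host on which it was created
    user: str      # account that launched it
    image: str     # full path of the executable, lower-cased
    cmdline: str   # full command line as logged


# Hypothetical one-line export format, one process-creation event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)
WMIC_NODE_RE = re.compile(r'/node:"?(?P<target>[^\s"]+)"?', re.I)
TASK_RUN_RE = re.compile(r'/TR\s+"?(?P<cmd>[^"]+)"?', re.I)
TASK_TIME_RE = re.compile(r"/ST\s+(?P<hh>\d{2}):(?P<mm>\d{2})", re.I)


def parse_line(line: str) -> Optional[Event]:
    """Parse one exported event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                 m["host"], m["user"], m["image"].lower(), m["cmdline"])


def remote_wmic_target(ev: Event) -> Optional[str]:
    """Return the remote host if this is `wmic /node:X ... process call create`."""
    if not ev.image.endswith("wmic.exe"):
        return None
    if not re.search(r"\bprocess\s+call\s+create\b", ev.cmdline.lower()):
        return None
    m = WMIC_NODE_RE.search(ev.cmdline)
    return m["target"] if m else None


def delayed_reboot_minutes(ev: Event, window_min: int = 60) -> Optional[int]:
    """Return minutes until reboot if this schtasks call schedules `shutdown /r`
    within window_min of the event time; a /ST earlier than now means tomorrow."""
    if not ev.image.endswith("schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    run, when = TASK_RUN_RE.search(ev.cmdline), TASK_TIME_RE.search(ev.cmdline)
    if not run or not when:
        return None
    cmd = run["cmd"].lower()
    if "shutdown" not in cmd or "/r" not in cmd:
        return None
    start = ev.ts.replace(hour=int(when["hh"]), minute=int(when["mm"]), second=0)
    if start < ev.ts:
        start += timedelta(days=1)
    delta = int((start - ev.ts).total_seconds() // 60)
    return delta if 0 <= delta <= window_min else None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (finding, host, detail) tuples for every suspicious event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        target = remote_wmic_target(ev)
        if target:
            findings.append(("remote_wmic_exec", ev.host, f"{ev.user} -> {target}"))
        mins = delayed_reboot_minutes(ev)
        if mins is not None:
            findings.append(("delayed_forced_reboot", ev.host, f"in {mins} min"))
    return findings


# Constructed sample log: two malicious events, one benign task, one local wmic.
SAMPLE_LOG = [
    '2017-06-27 10:31:02 host=FIN-PC07 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline=wmic /node:"10.20.1.44" '
    '/user:"CORP\\svc_backup" /password:"***" process call create '
    '"rundll32.exe C:\\Windows\\Temp\\stage.dll,#1"',  # hypothetical payload path
    '2017-06-27 10:31:05 host=FIN-PC07 user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\schtasks.exe cmdline=schtasks /Create /SC once '
    '/TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 10:58',
    '2017-06-27 10:32:00 host=FIN-PC07 user=CORP\\jsmith '
    'image=C:\\Windows\\System32\\schtasks.exe cmdline=schtasks /Create /SC daily '
    '/TN Backup /TR "C:\\Tools\\backup.exe" /ST 23:00',
    '2017-06-27 10:33:00 host=FIN-PC07 user=CORP\\jsmith '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline=wmic process call create "notepad.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the scanner reports the remote WMIC execution from `FIN-PC07` to `10.20.1.44` and a forced reboot scheduled 26 minutes out, and stays silent on the nightly backup task and the local `wmic` call. In a real deployment the same two rules would be expressed in whatever query language the SIEM uses; the value of the pair is that neither depends on the SMB exploit, so they still fire on hosts that were patched for ETERNALBLUE.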
Who is responsible for the cyberattack?
As of right now, the responsible party is still unknown. However, a public statement was recently posted on the dark web from a group claiming to be responsible for creating the NotPetya software. According to CNET, the group demanded a payment of 100 bitcoin (or about $250,000) in exchange for a decryption key that could unlock any file under NotPetya’s control.
At the beginning of the NotPetya pandemic, hackers were only asking for about $300 per locked machine. Experts believe that the price increase could be an indicator that nation-state attackers could be behind the attacks, although this is still just a theory.
A new breed of hacktrepreneurs has awoken, and they have little to fear and everything to gain by infecting as many companies as possible and extorting money from them. Apex Technology Services stands ready to protect your company regardless of whether it’s located in New York City; White Plains, New York; Connecticut; Australia; Europe; or anywhere else. Our full suite of cybersecurity and IT support services is at your disposal, enabling you to spend less time worrying about security and more time growing your business.
To ensure your security, consider one of our most popular services — Auditing & Documentation — which pinpoints vulnerabilities in your infrastructure, process flow and internal security procedures.