Believed to be a modified version of the once successful Petya ransomware, NoPetya appears to be a variant of the GoldenEye ransomware family, with source code structure nearly identical after initial analysis. Unlike its predecessors WannaCry and Petya, GoldenEye incorporates multiple encryption points on the systems it compromises. Not only does GoldenEye target specific file structures on a system, it also encrypts critical NTFS structures while completely overwriting the MBR (Master Boot Record).
Unlike the WannaCry and Petya exploits, this strain has no accessible kill-switch. Moreover, various sources believe that NoPetya/GoldenEye is not ransomware at all, but rather an APT (Advanced Persistent Threat) tool used for credential harvesting, backdoor propagation, and deployment of other malware and Trojans. The malware appears to be driven more by political motives than by the standard ransomware process of encrypting files and demanding payment for decryption.
Reports have indicated that the country to suffer most from this recent attack is Ukraine. As previously mentioned, the NoPetya attack has been linked to various threat actors and campaigns. The specific threat actors have been identified as ‘Telebot’ and ‘Sandworm’ and are supposedly Russian state-sponsored actors. Additionally, the APT group ‘BlackEnergy’ has apparent ties to this wide-scale global attack.
Primary Attack Vectors
The principal means of deploying the malware is through spamming, or ‘Spray & Pray’, campaigns and techniques. Once the unsuspecting victim downloads an infected attachment, often a corrupt PDF or Word document with malicious macro code, the ransomware conducts a series of checks to determine whether the compromised system is susceptible. Additionally, cyber-security industry leaders have discovered that the initial spread was attributed to:
- Phishing and carefully crafted whaling/spear-phishing campaigns
- Capitalizing on un-patched Microsoft operating systems
- Utilizing NSA’s Equation Group EternalBlue exploit
- SMB (port 445) propagation
- Un-patched Ukrainian accounting software
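The SMB propagation vector listed above leaves a distinctive trace in firewall or flow logs: one internal host opening TCP/445 connections to many distinct internal peers in a short time. The following added example (not part of the original write-up) runs that detection over constructed sample records; the log format, addresses, window length and threshold are all assumptions for illustration.

```python
# Added example, not from the original write-up: flag worm-like SMB fan-out in
# firewall/flow logs. One internal host reaching many distinct peers on TCP/445
# within a short window is the propagation pattern described above.
# Log format, addresses and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445 tcp
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445 tcp
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445 tcp
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 445 tcp
2017-06-27T10:00:03 10.0.1.15 10.0.1.24 445 tcp
2017-06-27T10:00:04 10.0.1.15 10.0.1.25 445 tcp
2017-06-27T10:00:05 10.0.1.15 10.0.1.26 445 tcp
2017-06-27T10:00:05 10.0.1.15 10.0.1.27 445 tcp
2017-06-27T10:00:06 10.0.1.15 10.0.1.28 445 tcp
2017-06-27T10:00:07 10.0.1.15 10.0.1.29 445 tcp
2017-06-27T10:00:09 10.0.1.40 10.0.1.5 445 tcp
2017-06-27T10:00:11 10.0.1.41 10.0.1.5 443 tcp
2017-06-27T10:05:00 10.0.1.15 10.0.1.31 445 tcp
"""
WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)
THRESHOLD = 10                  # distinct TCP/445 peers in WINDOW (assumed)

def parse(lines):
    """Yield (timestamp, src, dst) for TCP/445 records; other traffic is ignored."""
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        if proto == "tcp" and port == "445":
            yield datetime.fromisoformat(ts), src, dst

def find_smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Map src -> first time it reached `threshold` distinct TCP/445 peers within `window`."""
    per_src = defaultdict(list)
    for ts, src, dst in sorted(parse(lines)):  # chronological order
        per_src[src].append((ts, dst))
    alerts = {}
    for src, recs in per_src.items():
        start = 0
        for end, (ts, _) in enumerate(recs):
            while ts - recs[start][0] > window:  # drop records outside the window
                start += 1
            if len({d for _, d in recs[start:end + 1]}) >= threshold:
                alerts[src] = ts
                break
    return alerts
```

Repeated connections to a single file server (10.0.1.40 above) do not trigger, and a connection long after the burst (the 10:05:00 record) falls outside the window, which keeps the rule focused on the fan-out pattern rather than on ordinary SMB use.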
Impacted Industries & Companies
The following industries and organizations have been deemed compromised, spanning many geographical locations, primarily European countries including Poland, Italy, Germany and, of course, Ukraine and Russia. The list below has been provided; however, it is not exhaustive, and the impact spans far beyond this scope:
- DLA Piper
- Kiev Metro
- Deutsche Post
- Mondelez International
- Reckitt Benckiser
1. Backup, Backup, Backup! Conduct regular backups and enforce a Backup Policy & Procedure that performs daily and weekly backups, in the form of incremental, differential, and full backups, of all public-facing servers and customer-based operations. Moreover, store your backups in multiple locations, both on-premise and in a cloud infrastructure. Backups should be encrypted at rest and in transit, with the primary PKI (Public Key Infrastructure) encryption keys stored in locations other than where the backups themselves are kept.
2. Patch Management. It is critical that IT departments create a regular patching schedule and a Patch Management system that is enforced network-wide. Sadly, a significant number of the compromised assets that fell victim to the previous WannaCry & Petya ransomware attacks could have been spared if the company or industry had simply applied basic patches that had been in circulation for months, if not years.
3. Security Appliance Implementation. A network architecture, whether in the cloud or on bare metal, should employ properly configured security appliances. This includes downloading and installing the latest signature and hash updates used by anti-virus end-point protection applications. Moreover, any network architecture should employ the following security appliances to help uphold security in depth and in breadth:
- IPS (Intrusion Prevention Systems)
- SIEM (Security Incident & Event Monitoring)
- HIDS/NIDS (Host/Network Intrusion Detection Systems)
- FW (Firewall implementation on edge and internal systems at OSI layers 2/3)
- WAF (Web-Application Firewall at OSI layer 7)
- TIP (Threat Intelligence Platform)
- DLP (Data Loss Prevention)
- Anti-Spamming/Phishing Rules
4. Cyber-Security Training. Annual and quarterly training should be held for all employees to guarantee that the User Management implementation is fully understood. The greatest risk posed to any company is not external exploits but rather insider threats and employees, whether malicious or not. Often employees are unaware of the dire consequences of downloading suspicious email attachments riddled with malware onto their computers. Therefore, it is imperative that all employees undergo regular cyber-security training to remain up to date on the latest cyber-crime trends and relevant attack vectors.
5. Segmented Networks. IT administrators should strive to segment their network between different departments and functions. This includes sand-boxed internal servers used for reverse engineering and patch testing within a non-production environment. Additionally, VLANs (Virtual LANs) should be configured within the segmented networks themselves for added protection. Properly architected VLANs bring many added benefits to a network infrastructure, including easy automation, enhanced security functionality, less maintenance, less overhead, and cost-effectiveness.