grandeduc - Fotolia

NotPetya ransomware trend moving toward sophistication

NotPetya represented advanced malware compared to its cousin WannaCry, but also showed sophistication that experts worry may be a ransomware trend.

The advanced malware techniques used by NotPetya may prove to be signs of a new ransomware trend that may signal more sophisticated attacks designed to mislead and avoid traditional defenses.

While NotPetya may have been aimed more at doing damage rather than making money, making it more wiper than ransomware, experts said the delivery and propagation techniques used show an increasing sophistication that may belie a ransomware trend. The NotPetya malware used multiple attack vectors, but experts said its use of legitimate software tools and protocols as the primary delivery method was impressive.

Paul Vixie, CEO of Farsight Security based in San Mateo, Calif., said NotPetya was "innovative in two important ways."

"First, because it targeted a mandatory watering hole in the form of a Ukrainian tax reporting site and its software update mechanism. This guaranteed a few hundred or perhaps a few thousand initial infections, and may indicate targeting of the Ukrainian economy," Vixie told SearchSecurity. "Second, because it had multiple lateral infection methods: not only trying the SMBv1 EternalBlue vulnerability that was patched by Microsoft in March 2017, but also scanning local memory for WMIC credentials, thus guaranteeing a large expansion of the infected population inside otherwise-secured enterprise networks."

Ransomware trend in delivery and spread

Bob Hansmann, director of security technologies at Forcepoint, said hijacking a legitimate update for tax assessment software MeDoc was "unique."

Paul Vixie, CEO, Farsight SecurityPaul Vixie

"We believe this initial infection vector has been via malicious code masquerading as a legitimate software update. While our researchers theorized this possibility last year, this is the first significant use of that method of infection," Hansmann told SearchSecurity. "It has proven frighteningly successful as software updates commonly use channels other than email or typical web downloads, presenting a challenge for traditional perimeter defenses."

John Shier, senior security expert at Sophos, said NotPetya could show a ransomware trend toward sophistication coming from "the combination of elements that we don't see very often."

"There was the malware itself which was a novel packaging of different malicious and non-malicious code. There was also the alleged supply chain compromise at a Ukrainian software company and the possible watering hole attack leveraging a compromised news site," Shier told SearchSecurity. "This points to some deliberate organization on behalf of the criminals and not just some random events."

Tod Beardsley, research director at Rapid7 based in Boston, said the use of standard Windows tools to propagate to patched systems could be a bigger ransomware trend.

Tod Beardsley, research director, Rapid7Tod Beardsley

"The sophistication of NotPetya lies in the initial attack vector -- the MeDoc hijacked update -- and the fact that it doesn't merely rely on exploits to spread. Instead, it uses the fairly commonplace administrative tools of PsExec and WMIC, coupled with a mimikatz build to steal credentials from memory," Beardsley told SearchSecurity. "While all of these techniques have been known for a while, we don't often see them employed in a widescale attack like this."

Jake Williams, founder of consulting firm Rendition InfoSec in Augusta, Ga., said this use of Windows tools was more difficult than it appeared.

"Specifically, the watering hole and automatic propagation through a domain was complex," Williams told SearchSecurity via Twitter. "In the case of the Iranian attacks on the Saudi networks (Shamoon) credentials were hardcoded into the malware for it to spread. Here, credentials were programmatically dumped from memory."

Hansmann said the potential ransomware trend in this lateral movement was unclear.

"To date, these samples have not been observed attempting to self-propagate to other organizations, instead confining this behavior to local networks. However, movement between trusted networks using stolen valid credentials on both the source and destination networks appears viable," Hansmann said via email. "It is not clear at present whether organizations that have a degree of trust between their networks and those of an external organization (e.g., a managed service provider) are at increased exposure or not."

Advanced malware masquerading as ransomware

Beyond the delivery and propagation techniques used by NotPetya, experts noted the use of ransomware to potentially distract from a more targeted attack may be something enterprises see more often.

Rodney Joffe, senior vice president, technologist and fellow at Neustar Inc., said the attackers appeared to be targeting "Ukraine, its economy and its citizens."

"The attackers seem to have identified (correctly) that an effective way of disrupting both the country's financial process, and its national economy was via the software mechanisms mandated for the payment of taxes. So they identified the software vendor, and carefully (in a sophisticated way) targeted the update process for the vendors software, and distributed the malware via the update on Tuesday," Joffe told SearchSecurity via email. "By definition, the only companies that would have been affected would be those that did business with the Ukrainian government. And unlike WannaCry, the malware's method of spreading once a system downloaded and updated the software was carefully limited to local LAN segments, not externally over the internet. This was not a high school science project."

By deploying a digital smokescreen, attackers more easily hide in the noise during an operation. Additionally, the true goals of the operation may remain hidden if defenders are overwhelmed with another (seemingly larger) attack.
Jake Williamsfounder, Rendition InfoSec

Beardsley said the value for an attacker attracting this attention makes most sense as a way "to publicize the attack itself."

"Ransomware, by its nature, is obvious, disruptive and attracts a lot of attention, all by design. Masquerading as ransomware, therefore, brings attention to what might otherwise be a quiet, localized disaster -- but the ruse wouldn't last long once analysis is complete," Beardsley said. "One side effect of this tactic is that users might become even more wary of paying off ransoms in general, and that can only be a good thing. If people get more suspicious that attackers have no capability or intent to offer decryption, that can translate to less bitcoin in the wallets of criminal organizations."

Shier said these types of distraction attacks are "nothing new."

"We've seen criminals use this type of tactic in the past and often the motives aren't clear until much later. Ransomware is a very visible type of attack so it makes some sense to use it in this way" Shier said. "This is why it's very important to resist the temptation of quickly stating attribution and motive."

Hansmann said attack methods will continue to evolve and ransomware trends may lean toward "including the evasive methods to hide their activity, as well as their true intent." 

"The trick will be to better understand the 'human' points in these attacks. The intent or motivations of the attackers can range broadly, including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies," Hansmann said. "This is a key part of how researchers predict future shifts in the threat landscape, and how they foresaw the risk of infection through a compromised product update last year. Understanding your organization's 'human point' can produce more effective security strategies." 

Williams said it was likely a ransomware trend to come from NotPetya will be using "nuisance attacks [to] cover larger cyber warfare objectives."

"I think it helps to think of this type of attack as a smokescreen. With cybersecurity getting better in most organizations, the likelihood of even advanced attackers being caught during any operation is increasing," Williams said. "By deploying a digital smokescreen, attackers more easily hide in the noise during an operation. Additionally, the true goals of the operation may remain hidden if defenders are overwhelmed with another (seemingly larger) attack."

Next Steps

Learn tips on future-proofing your applications.

Find out some key lessons from the NotPetya ransomware attack.

Get info on other cybercrime trends pointing to increased sophistication.

Dig Deeper on Threats and vulnerabilities