vali_111 - Fotolia

Tax software backdoor allowed NotPetya ransomware attacks

Researchers analyze the software backdoor used to deliver NotPetya ransomware to Ukraine targets, while the threat actors behind the attacks ask for more money.

The worst of the NotPetya ransomware attacks appear to be over, and researchers have uncovered more details on how the threat actors initially spread the malware and how they may be attempting to cash in on it.

While the branding for the recent Petya-like attacks has only gotten worse -- with Nyetya and EternalPetya joining NotPetya, nPetya, ExPetr, PetrWrap, GoldenEye, Petya.A and others in the names used -- researchers found multiple software backdoors in the M.E.Doc tax program used to spread the poison update that included the malware.

The analysis of the NotPetya ransomware code itself has led to debates over the aims and skills of the threat actors behind the attacks. Researchers found the NotPetya code had been altered to destroy data, rather than allow for easy decryption, as one would expect from ransomware. Some experts said this functionality was intentional, while others said the changes were merely bugs and cited Hanlon's razor, which advises that one should never attribute malice to that which could adequately be explained by stupidity.

While it is unclear if the threat actors responsible for the NotPetya code were the same as those who created the software backdoor in M.E.Doc, Anton Cherepanov, senior malware researchers for ESET, said the M.E.Doc attackers made a "stealthy and cunning" backdoor.

"The backdoored module does not use any external servers as [command-and-control]: it uses the M.E.Doc software's regular update check requests to the official M.E.Doc server[.]ua. The only difference from a legitimate request is that the backdoored code sends the collected information in cookies," Cherepanov wrote in a blog post. "And, of course, the attackers added the ability to control the infected machine ... This remote control feature makes the backdoor a fully featured cyberespionage and cybersabotage platform at the same time."

Cherepanov noted that there were "at least three updates that contained the backdoored module" released in 2017, and the threat actors behind this software backdoor would have needed access to the M.E.Doc source code in order to make these changes.

Researchers at Cisco Talos confirmed the analysis by ESET and said the software backdoor code might have been used to deliver the NotPetya ransomware attacks.

"An unknown actor had stolen the credentials of an administrator at M.E.Doc. They logged into the server, acquired root privileges and then began modifying the configuration file for the NGINX web server. We were unable to recover the nginx.conf file, as it was subsequently overwritten, but additional log files were important in understanding what was changed," Talos' researchers wrote. "At this point, we understood that the actor in question had access to much of the network and many of the systems of M.E.Doc through compromised credentials. The questions remaining were: What were they doing with control of the upgrade server? How were they delivering the malicious software?"

NotPetya bitcoin and decryption

Victims of NotPetya were warned early on to not pay the ransom, partially because the ransomware support email was quickly disabled, but also because of the changes found in the NotPetya code that made the malware more of a wiper than proper ransomware.

As such, fewer than 50 payments had been made to the bitcoin account associated with the attack by July 4, 2017, when the wallet balance -- approximately four bitcoin -- was transferred to another account.

After cashing out, the alleged threat actors behind the NotPetya ransomware attacks asked for 100 bitcoin in order to release the decryption key:

Researchers from F-Secure noted that decryption would be possible with the private key and also with a separate decryptor tool because there was none included with the original ransomware.

F-Secure said file decryption should be possible, provided that files are enumerated in the exact same order as during encryption; the disk's master file table wasn't destroyed by the other malware components; and if file encryption was only performed once.

Next Steps

Learn some key lessons from the NotPetya ransomware attack.

Find out how NotPetya ransomware raised the stakes.

Get info on how ransomware trends are moving toward more sophistication.

Dig Deeper on Threats and vulnerabilities