Hot on the heels of the global WannaCry outbreak in May, yesterday saw a wave of what looked like copycat malware sweeping the globe again. However, on closer inspection there may be more to this than meets the eye: more than a simple new variant of an already established ransomware borrowing propagation techniques from WannaCry.
The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of the update infrastructure of the Ukrainian accounting software MEDoc (seemingly admitted on their website but categorically denied by MEDoc on Facebook). This island-hopping attack, starting with a smaller software vendor whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack, there has been collateral damage.
The fact that the malware was set to wait five days before triggering on the 27th June, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also lends circumstantial weight to the proposition that the attack was targeted primarily at victims in Ukraine.
Some prominent global victims, WPP, Maersk and Saint-Gobain for example, all have offices and operations in Ukraine and are likely users of MEDoc; some have even posted job ads for accounting specialists with MEDoc skills. Rosneft, Russia’s state-owned oil company, although not necessarily a corporate user of MEDoc, still has a presence in Ukraine and thus may be exposed to MEDoc within its network.
It seems that this cyber-attack is following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine.
The creators of this particular malware, borrowing code from Petya, reusing exploits abused by WannaCry, adding password hash harvesting and two further network propagation techniques, and using code obfuscation and fake Microsoft certificates, are clearly skilled and experienced. The possibility that this latest outbreak is traditional financially-motivated online crime seems obvious, at least at surface level, but for one thing: the ransom payment mechanism.
Why does the payment mechanism rely on a single hard-coded Bitcoin wallet, and the transmission of an email containing the victim’s bitcoin wallet ID and “personal installation key” (a handy 69 characters that can’t be copy/pasted) to an email address that was always going to be rapidly shut down by the entirely reputable hosting company Posteo based in Berlin? It’s almost as if the creators never intended to reap the financial rewards…
So far, all the highly-effective propagation mechanisms are finely-tuned for internal network-based spread at a rapid pace. There does not appear to have been a major external facing campaign to deliver this payload beyond the user base of MEDoc software.
If your organisation has a presence in Ukraine, or has immediate partners who do business in Ukraine, then you should consider yourselves directly at risk. Outside of this immediate group, while your risk level from this particular attack drops significantly, there’s no such thing as a cast-iron guarantee and it only takes one device on your network to start a devastating outbreak. The six degrees of Kevin Bacon, after all, demonstrates how few links apart we all are (my own Bacon number is 3).
For technical details about this outbreak and advice on how best to mitigate please see our constantly updated Petya (2017) Ransomware Attack Information and our FAQ. For a technical analysis of the malware in question, have a look at our Security Intelligence blog.
For general advice on ransomware and access to free industrywide decryption tools, please visit nomoreransom.org.