Petnya Post-Mortem: Wiper, not Ransom

This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nationstates play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.

There was a one-two punch, with the events out of the Ukraine Thursday morning.  Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.

What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:

This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”

This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential service, as per this illustration from the blog post by The Grugq :

 

 

 

 

 

 

 

 

 

Think CIA – confidentiality, integrity, accessibility. Ransomware and wiperware go after accessibility. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure).  As Leslie Carhart says:

Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

 

 

 

 

 

 

There have been some excellent reviews of what this attack was about, and how the Eternal Blue exploit released via ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:

  • Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
  • Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
  • Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
  • Backup and test how those restore. Don’t assume anything. And keep backups off the main network
  • Windows.  Everyone uses it. Powershell. Sysinternals. AD. PSExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.

We know what er are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:

Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.

And this sums it up:

 

 

 

 

 

 

These blog posts say everything I could ever want you to know, only better. Please read them:

The Grugq: Pnetya: Yet Another Ransomware Outbreak  .

Leslie Carhart @hacksforpancakes:  Why NotPetya Kep Me Awake (And You Should Worry Too)

Cisco Talos Blog: New Ransomware Variant Netnya Compromises Systems Worldwide

Advertisements