Analysis & Opinions - Lawfare
Ransomware Remixed: The Song Remains the Same
Preview
Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House). We’ll probably blame the North Koreans, it likely wasn’t ISIS, and it may turn out that the Russians were behind the whole thing.
There’s a lot we still don’t know, but several facts have emerged. A series of ransomware infections that started in banks and utilities in Ukraine quickly spread into Russia and Belarus, then to Western Europe and the United States. Hundreds of organizations have been affected, from ports in New Jersey and New York, to the oil company Rosneft, the global shipping firm Maersk, and the UK media giant WPP. The current infections likely stem from a variant of a family of ransomware called Petya, spreading via the same vulnerability used by the WannaCry outbreak of just a few weeks ago. The degree to which this version actually resembles Petya, such that it should be labeled a variant, remains under debate. The new malware’s payload is the same as that of a recent version of Petya, but how it initially infects computers and some of how it spreads are new.
Unlike WannaCry, the current infection has quite a few tricks up its sleeve. It employs a rewritten version of the exploit used by WannaCry, originally developed by the NSA to target the decades-old SMBv1 networking protocol. Whereas WannaCry spread over the internet, the current ransomware appears designed to spread primarily over local networks. The source of the initial infection was a hijacked update to a popular piece of Ukrainian accounting software and a compromised website run by the city of Bakhmut, also in Ukraine. Where traditional ransomware encrypts individual files or the user volume (typically the C Drive in Windows), Petya encrypts the Master Boot Record(MBR) of a computer—basically the initial operating instructions for the machine. The ransomware then moves to encrypt the Master File Table (MFT), which acts as a central map for every file and directory on the computer.
While the Petya ransomware is nearly a decade old, the current infections are based on a much more recent variant called PetrWrap. PetrWrap took Petya as a starting point but added a new encryption mechanism and several techniques to spread and infect other computers, including abusing an administrative utility called PsExec. As another trick to fool targeted computers, this most recent ransomware added a forged Microsoft certificate to “sign” the code, verifying it as legitimate. (As a practical matter, simply patching against the SMBv1 vulnerability is not enough. Users need to block several networking utilities including PxExec and may also need to also apply the Microsoft Office patch released in April. For more on this point, see here.)...
Want to Read More?
The full text of this publication is available via the original publication source.
For more information on this publication:
Please contact
Cyber Project
For Academic Citation:
Herr, Trey.“Ransomware Remixed: The Song Remains the Same.” Lawfare, June 28, 2017.
The Author
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions
- Foreign Policy
Do Policy Schools Still Have a Point?
Report
- Belfer Center for Science and International Affairs
Democracy and the Liberal World Order Amid the Rise of Authoritarianism
Newspaper Article
- Harvard Gazette
Lessons for Today's Cold War 2.0 with Russia, China
In the Spotlight
Most Viewed
Analysis & Opinions
- Foreign Policy
America Fueled the Fire in the Middle East
Policy Brief
- Belfer Center for Science and International Affairs, Harvard Kennedy School
Nuclear Terrorism Fact Sheet
Analysis & Opinions
- Bulletin of the Atomic Scientists
The Enormous Risks and Uncertain Benefits of an Israeli Strike Against Iran's Nuclear Facilities
Preview
Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House). We’ll probably blame the North Koreans, it likely wasn’t ISIS, and it may turn out that the Russians were behind the whole thing.
There’s a lot we still don’t know, but several facts have emerged. A series of ransomware infections that started in banks and utilities in Ukraine quickly spread into Russia and Belarus, then to Western Europe and the United States. Hundreds of organizations have been affected, from ports in New Jersey and New York, to the oil company Rosneft, the global shipping firm Maersk, and the UK media giant WPP. The current infections likely stem from a variant of a family of ransomware called Petya, spreading via the same vulnerability used by the WannaCry outbreak of just a few weeks ago. The degree to which this version actually resembles Petya, such that it should be labeled a variant, remains under debate. The new malware’s payload is the same as that of a recent version of Petya, but how it initially infects computers and some of how it spreads are new.
Unlike WannaCry, the current infection has quite a few tricks up its sleeve. It employs a rewritten version of the exploit used by WannaCry, originally developed by the NSA to target the decades-old SMBv1 networking protocol. Whereas WannaCry spread over the internet, the current ransomware appears designed to spread primarily over local networks. The source of the initial infection was a hijacked update to a popular piece of Ukrainian accounting software and a compromised website run by the city of Bakhmut, also in Ukraine. Where traditional ransomware encrypts individual files or the user volume (typically the C Drive in Windows), Petya encrypts the Master Boot Record(MBR) of a computer—basically the initial operating instructions for the machine. The ransomware then moves to encrypt the Master File Table (MFT), which acts as a central map for every file and directory on the computer.
While the Petya ransomware is nearly a decade old, the current infections are based on a much more recent variant called PetrWrap. PetrWrap took Petya as a starting point but added a new encryption mechanism and several techniques to spread and infect other computers, including abusing an administrative utility called PsExec. As another trick to fool targeted computers, this most recent ransomware added a forged Microsoft certificate to “sign” the code, verifying it as legitimate. (As a practical matter, simply patching against the SMBv1 vulnerability is not enough. Users need to block several networking utilities including PxExec and may also need to also apply the Microsoft Office patch released in April. For more on this point, see here.)...
Want to Read More?
The full text of this publication is available via the original publication source.The Author
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions - Foreign Policy
Do Policy Schools Still Have a Point?
Report - Belfer Center for Science and International Affairs
Democracy and the Liberal World Order Amid the Rise of Authoritarianism
Newspaper Article - Harvard Gazette
Lessons for Today's Cold War 2.0 with Russia, China
In the Spotlight
Most Viewed
Analysis & Opinions - Foreign Policy
America Fueled the Fire in the Middle East
Policy Brief - Belfer Center for Science and International Affairs, Harvard Kennedy School
Nuclear Terrorism Fact Sheet
Analysis & Opinions - Bulletin of the Atomic Scientists
The Enormous Risks and Uncertain Benefits of an Israeli Strike Against Iran's Nuclear Facilities
