Analysis & Opinions - Lawfare

Ransomware Remixed: The Song Remains the Same

June 28, 2017


Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House). We’ll probably blame the North Koreans, it likely wasn’t ISIS, and it may turn out that the Russians were behind the whole thing.

There’s a lot we still don’t know, but several facts have emerged. A series of ransomware infections that started in banks and utilities in Ukraine quickly spread into Russia and Belarus, then to Western Europe and the United States. Hundreds of organizations have been affected, from ports in New Jersey and New York, to the oil company Rosneft, the global shipping firm Maersk, and the UK media giant WPP. The current infections likely stem from a variant of a family of ransomware called Petya, spreading via the same vulnerability used by the WannaCry outbreak of just a few weeks ago. The degree to which this version actually resembles Petya, such that it should be labeled a variant, remains under debate. The new malware’s payload is the same as that of a recent version of Petya, but how it initially infects computers and some of how it spreads are new. 

Unlike WannaCry, the current infection has quite a few tricks up its sleeve. It employs a rewritten version of the exploit used by WannaCry, originally developed by the NSA to target the decades-old SMBv1 networking protocol. Whereas WannaCry spread over the internet, the current ransomware appears designed to spread primarily over local networks. The source of the initial infection was a hijacked update to a popular piece of Ukrainian accounting software and a compromised website run by the city of Bakhmut, also in Ukraine. Where traditional ransomware encrypts individual files or the user volume (typically the C drive in Windows), Petya encrypts the Master Boot Record (MBR) of a computer—basically the initial operating instructions for the machine. The ransomware then moves to encrypt the Master File Table (MFT), which acts as a central map for every file and directory on the computer.

While the Petya ransomware is nearly a decade old, the current infections are based on a much more recent variant called PetrWrap. PetrWrap took Petya as a starting point but added a new encryption mechanism and several techniques to spread and infect other computers, including abusing an administrative utility called PsExec. As another trick to fool targeted computers, this most recent ransomware added a forged Microsoft certificate to “sign” the code, verifying it as legitimate. (As a practical matter, simply patching against the SMBv1 vulnerability is not enough. Users need to block several networking utilities including PsExec and may also need to apply the Microsoft Office patch released in April. For more on this point, see here.)...
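The mitigation note above (patch or disable SMBv1, and watch for PsExec-style remote execution) translates into a host audit an administrator can run. The script below is an added example written for this page; it is not code from the Lawfare article or from any vendor. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where the SmbShare, DISM and NetSecurity cmdlets it uses exist), and it takes the MS17-010 update's KB identifier as a parameter because that identifier differs per OS build and is not given in the article. By default it only reports; `-Remediate` applies the SMBv1 changes, honouring `-WhatIf`.

```powershell
<#
Added example, not part of the Lawfare article. Audits a Windows host for
the conditions in the mitigation note: SMBv1 still enabled, MS17-010 missing,
signs of PsExec-style service installation, and inbound SMB left open.
Assumptions: run elevated; $Ms17010Kb is supplied by the caller (the KB id
varies by OS build, so none is hard-coded here).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Ms17010Kb,          # e.g. the MS17-010 KB for this OS build (assumption: caller looks it up)
    [switch]$Remediate           # without this switch the script only reports
)

$findings = @()

# 1. SMBv1 server protocol switched on in the SMB server configuration?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate -and $PSCmdlet.ShouldProcess('localhost', 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. SMB1 optional feature package (client and server binaries) still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate -and $PSCmdlet.ShouldProcess('localhost', 'Remove SMB1Protocol feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. MS17-010 (the SMBv1 fix) present? Get-HotFix returns nothing if it is not installed.
if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings += "Update $Ms17010Kb (MS17-010) not found"
}

# 4. PsExec installs a temporary service named PSEXESVC on the machine it runs
#    against. A lingering service, or a System log event 7045 ("service installed")
#    naming it, shows remote execution over the admin share took place and should
#    be reconciled against change records.
if (Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue) {
    $findings += 'PSEXESVC service is present on this host'
}
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' }
if ($svcEvents) {
    $findings += "$(@($svcEvents).Count) service-install event(s) referencing PSEXESVC"
}

# 5. Inbound TCP 445 allowed by an enabled firewall rule? SMB is the path both the
#    SMBv1 exploit and PsExec use, so on non-file-server hosts it should be closed
#    or limited to administrative subnets.
$open445 = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($open445) {
    $findings += "Inbound TCP 445 is allowed by: $(($open445.DisplayName | Select-Object -Unique) -join ', ')"
}

# Report
if ($findings.Count -eq 0) {
    'No findings: SMBv1 off, MS17-010 present, no PsExec traces, no inbound 445 allow rule.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it first without `-Remediate` to see what it would change; a reboot is still needed after removing the SMB1Protocol feature, which is why the script passes `-NoRestart` and leaves the restart to the operator. The firewall check is deliberately report-only, because a blanket block on TCP 445 breaks file servers and domain controllers and the right scoping depends on the network.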

For Academic Citation: Herr, Trey. “Ransomware Remixed: The Song Remains the Same.” Lawfare, June 28, 2017.
