Nyeta - Not Petya
- 2 minsBack in mid 2016 we saw the first major variants of ransomware attack healthcare entities across the globe. Since then there has been more and more malware that attacks solely on unpatched network vulnerabilities. From my previous posts, the WannaCry ransomware attacked the SMBv1 vulnearbility and annihilated everything in its path. In the past month there was another ransomware attack that some say originated in Ukraine and looked to attack most energy companies/factories as well as major corporations. These new malware variant was different enough from the Petya family, that most researchers are calling it Not Petya or GoldenEye. The malware similar to WannaCry uses EternalBlue which was released by the Shadow Brokers as well as: EternalRomance, WMI, and PsExec for lateral movement across the infected network.
When the malware infected a given user, it was requesting Bitcoin as normal to a given email address. Within an hour or so the mailbox that was used for payment verification was shut down by the posteo.de. Thus, all payments became useless for gaining a decryption key.
As specified earlier, Nyetya has multiple mechanisms that are used to propogate across the network once activated. First is EterenalBlue which as stated was used with WannaCry. Next is EternalRomance, which is an SMBv1 exploit which was also leaked by the ShadowBrokers. PsExec is a legit Windows admin tool that is used most likely for the code execution/commands. WMI is the Windows Management Instrumentation which is a legit Windows component. All of these tools used together make an attempt to install and execute a file “perfc.dat” on other devices to spread laterally. For systems that have not been patched for the MS17-010 vulnerability then the EternalBlue and EternalRomance exploits and leveraged. Both of these exploits also use a version of DoublePulsar similar to WannaCry to run a persistent backdoor in kernal space of the compromised system. The attacker only modified a few bytes from the original version, yet it now allowed it to evade network detection and the open source scanning tools.
Once the system is successfully compromised, all files on the host are encrypted using RSA 2048-bit encryption. It then attempts to gain admin priveledges via SeShutdownPrivilege and SeDebugPrivilege. If it is successfuly, Nyetya then overwrites the boot sector without first saving a copy. If fails, then it wipes the first 10 sectors of the disk drive.
More in detail information can be found on the ongoing investigation by Cisco Talos and Kaspersky Labs.
