The ExPetr outbreak isn’t a ransomware attack. More precisely, it’s a wiper attack that sabotaged PCs globally, overwriting their Master Boot Record with no way to recover it.
That’s the analysis of security experts from Kaspersky Lab and Comae Technologies, who shared their latest research on this week’s outbreak during a webinar on Thursday.
“We actually consider this a sabotage attack or wiper attack. Whether it is intentional or not, I’ll leave that to others to speculate,” said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab. “You can’t call an attack, with no possible way of decrypting files, a ransomware attack,” he said.
According to Comae Technologies researcher Matt Suiche, there is a bug in the malware’s encryption code that prevents any decryption key from working. That is independent of the fact that the German email provider Posteo shut down the attacker’s email address, preventing victims from contacting the attacker to have payments verified.
“The actual function to encrypt files contains a logic bug. Because of the way the malware encrypts the data, it makes it impossible to decrypt the files properly, assuming there was a decryption key,” Suiche said during the webinar.
The good news about the outbreak is that the initial attack wave is over. Suiche said most of the damage from ExPetr has already been done. “So, if you haven’t been affected by now it’s very unlikely you are going to be,” he said. Unlike WannaCry, the initial infection came as one big wave, he said.
Both researchers acknowledged that unraveling this malware has been confusing, with many conflicting reports on infection vectors and competing malware names including NotPetya, ExPetr, PetrWrap and GoldenEye. Suiche and Guerrero-Saade said there is no evidence that attacks were email-based, as originally reported by others.
ExPetr’s original infection vector involved the update mechanism of the Ukrainian financial software provider MEDoc. Kaspersky Lab also reported that a government website for the city of Bakhmut in Ukraine was compromised and used in a watering hole attack to spread ExPetr via a drive-by download.
Attackers then leveraged a variant of Mimikatz to steal administrator credentials and spread laterally within a network and across connected domains over open port 445 or 139 connections. The malware then attempts to execute itself remotely using either PsExec or WMIC.
Unlike WannaCry, where a kill switch neutralized the spread of the ransomware, no such mechanism exists for ExPetr. Instead, some within the security community are advocating a localized kill switch that stops ExPetr from infecting a single PC: the creation of a read-only file named “perfc” in the C:\windows\ folder.
Both Guerrero-Saade and Suiche caution that this is a temporary fix, noting that large-scale attacks occur in several waves.
“The idea of a vaccine seems appealing at first, but I think a lot of what is being pushed about is snake oil hindsight. There is nothing preventing the attackers from changing that one file name in a second wave or throwing a random number generator into the malware,” Guerrero-Saade said. “Then your vaccine doesn’t work. I don’t like giving a false sense of security to network administrators.”
Mitigation recommendations against future ExPetr variants include hardening security around an enterprise’s Active Directory, paring back user privileges, disabling SMBv1 and applying all associated patches, such as Microsoft’s MS17-010.
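As an added example that is not part of the article or of the researchers’ material, the following PowerShell script applies on one Windows host the two host-level measures described above: the read-only “perfc” file of the localized kill switch (which the researchers caution is only a temporary measure) and the SMBv1 disablement from the mitigation list. It assumes an elevated session on Windows 8 / Server 2012 or later, where the Smb*Configuration cmdlets exist; the file and feature names are the ones given in the article.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell
# session. Step 1 is the temporary "vaccine"; step 2 is the lasting mitigation.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# --- 1. Localized kill switch: read-only C:\Windows\perfc ------------------
$vaccine = Join-Path $env:SystemRoot 'perfc'
if (Test-Path -Path $vaccine -PathType Container) {
    # A directory of that name is not what the technique calls for; report it.
    Write-Warning "$vaccine exists but is a directory; not modified."
} else {
    if (-not (Test-Path -Path $vaccine -PathType Leaf)) {
        New-Item -Path $vaccine -ItemType File | Out-Null
    }
    # Keep any existing attributes and add ReadOnly, as the advice specifies.
    $attrs = (Get-Item -Path $vaccine -Force).Attributes
    Set-ItemProperty -Path $vaccine -Name Attributes `
        -Value ($attrs -bor [IO.FileAttributes]::ReadOnly)
    Write-Output "Vaccine file present and read-only: $vaccine"
}

# --- 2. Disable SMBv1 on the server side ---------------------------------
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 server protocol disabled.'
} else {
    Write-Output 'SMBv1 server protocol was already disabled.'
}

# Also remove the SMB1 optional feature (client and server) where the cmdlet
# exists; the change takes effect after a reboot. Older hosts lack the cmdlet.
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output 'SMB1Protocol optional feature disabled (reboot required).'
    }
} catch {
    Write-Warning "Could not query the SMB1Protocol feature: $($_.Exception.Message)"
}
```

Disabling SMBv1 does not replace the MS17-010 patch, and the perfc file protects only the host it is created on.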