It’s been a busy several weeks for me, an architect in the IoT Security industry, and for others in similar roles around the globe. The WannaCry ransomware opened the floodgates, and out came threats from ‘Hidden Cobra’ and now NotPetya. And we expect more to follow. Because of this chain of events, many consider each of these attacks to be a variant of the one that preceded it. While there are similarities, NotPetya is very different from WannaCry. So much so that categorizing NotPetya as ‘ransomware’ is simply incorrect. ‘Wiper malware’ or ‘wiperware’ would be the more accurate description.
Here are several areas where NotPetya differs from WannaCry and how you should plan your security accordingly:
Patient Zero – NotPetya is suspected to have started its infection by compromising a software update of an accounting software named MeDoc. The software has a built-in update function that was likely compromised to deliver the malware payload. This method of initial infection is very different from past ransomware infections in that no spear-phishing emails or malicious URLs were used. This approach exemplifies how targeted the attack was, going after users of one specific piece of software. Unfortunately, such an approach bypasses traditional email security and Web Security Gateways that scan for malicious URLs.
Spread of Infection – NotPetya spreads via the EternalBlue/EternalRomance exploits made famous by the WannaCry ransomware. However, NotPetya can also spread by searching for and finding admin credentials on the infected machine. If found, those credentials can provide unrestricted access to other devices in the network. The use of PsExec and WMIC to spread the infection in this manner differs from WannaCry. Organizations now have additional infection methods that they need to defend against.
Ransomware vs. Wiperware – Despite NotPetya exhibiting the typical traits of ransomware, it is not ransomware. First, NotPetya relies on a single email address for payment of the ransom. As expected, this email address was promptly shut down by the service provider, disabling the ability to make payments. Second, if the infection spreads via stolen admin credentials as noted above, NotPetya can encrypt and modify the entire Master Boot Record (MBR) of the boot drive, rendering the device unable to boot. In this scenario, the decryption key will not help recover the system. So, the motivation behind this attack is not financial but rather to delete data and/or disable the targeted device.
I have been busy ensuring that the ZingBox solution can monitor and detect the various behaviors of NotPetya. However, even without our solution deployed, there are some precautions you can take:
- Disable SMBv1 if possible
- Block PsExec or WMI usage for remote execution if possible
- Block ports 135 and 445 access from non-IoT devices to IoT devices
- Segregate security groups for non-IoT hosts and Windows-based IoT devices
- Withdraw admin rights of Windows-based IoT devices from non-IoT hosts
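The three network-level items above (block 135/445 from non-IoT hosts to IoT devices, segregate the groups) can be audited from flow records. The script below is an added example, not ZingBox code: it assumes a constructed one-line-per-flow log format (`src dst dport proto`) and a constructed inventory of which addresses are Windows-based IoT devices, flags every SMB/RPC flow that crosses from a non-IoT host into an IoT device, and separately flags any source that fans out to several IoT devices on those ports, which is the PsExec/WMIC spread pattern described above.

```python
"""Audit flow records for the lateral-movement paths this post recommends
blocking: SMB (445) and RPC/WMI (135) from non-IoT hosts to IoT devices,
plus one source fanning out to many IoT hosts on those ports.
Added example, not ZingBox code; log format and inventory are constructed."""
from collections import defaultdict

LATERAL_PORTS = {135, 445}  # RPC endpoint mapper (WMI) and SMB (PsExec, EternalBlue)

# Constructed asset inventory: addresses of Windows-based IoT devices.
IOT_DEVICES = {"10.0.20.11", "10.0.20.12", "10.0.20.13", "10.0.20.14"}


def parse_flow(line):
    """Parse a constructed 'src dst dport proto' record into a dict."""
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def audit_flows(lines, fanout_threshold=3):
    """Return (policy_violations, fanout_sources).

    policy_violations: flows on 135/445 from a non-IoT host to an IoT device.
    fanout_sources: {src: n} for any source reaching >= threshold distinct
    IoT devices on those ports (an infected IoT device counts as a source too).
    """
    violations = []
    targets = defaultdict(set)  # src -> IoT destinations reached on 135/445
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in LATERAL_PORTS:
            continue
        if f["dst"] in IOT_DEVICES:
            targets[f["src"]].add(f["dst"])
            if f["src"] not in IOT_DEVICES:
                violations.append(f)
    fanout = {s: len(d) for s, d in targets.items() if len(d) >= fanout_threshold}
    return violations, fanout


# Constructed sample flows for a stand-alone run.
SAMPLE_FLOWS = [
    "10.0.10.5 10.0.20.11 445 tcp",   # workstation -> IoT device over SMB
    "10.0.10.5 10.0.20.12 445 tcp",   # same workstation, second IoT device
    "10.0.10.5 10.0.20.13 135 tcp",   # same workstation, WMI/RPC to a third
    "10.0.20.11 10.0.20.12 445 tcp",  # IoT -> IoT: not a group-crossing, but counted for fan-out
    "10.0.10.7 10.0.20.14 443 tcp",   # HTTPS, not a lateral-movement port
    "10.0.10.9 10.0.30.2 445 tcp",    # non-IoT -> non-IoT file server, out of scope
]

if __name__ == "__main__":
    found, fan = audit_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"VIOLATION {f['src']} -> {f['dst']}:{f['dport']}")
    for src, n in fan.items():
        print(f"FAN-OUT {src} reached {n} IoT devices on SMB/RPC")
```

Run against real flow exports, the violation list is the ACL that still needs writing and the fan-out list is what to triage first.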
With a barrage of recent attacks, it’s easy to inadvertently lump different malware into the same bucket. In fact, that is another strategy of these attacks. Stay vigilant and check back for more updates.