
When's Ransomware Not Ransomware?

A few weeks ago, we saw a high profile ransomware attack in the form of WannaCry. If you missed it, WannaCry sought out vulnerable public facing SMB ports, used the EternalBlue exploit to inject shellcode into unpatched Windows XP, Windows 7, Server 2003 and Server 2008 machines, inserted the DoublePulsar backdoor exploit to establish persistence, and then installed the WannaCry ransomware to demand your money. 

The smart bit is that SMB ports communicate from machine to machine, so once WannaCry was in it could scan externally for more machines and propagate sideways into the rest of your network. Still with me...?

There are two unsurprising facts, and one fairly interesting one, about what we saw with WannaCry:

  1. *Facepalm* - There was a readily available patch for these vulnerabilities in the MS17-017 Security Bulletin
  2. *Sarcastic Gasp* - We knew the bad guys had these exploits already because they were part of a well broadcasted ShadowBrokers dump of all the NSA cyber tools they’d managed to steal
  3. *Say whaaaaaat?* - It caused a massive fuss, but didn’t actually make a lot of money - estimated at less than $100,000

What you may have missed, however, was a hack discovered mere days later: Adylkuzz.

Less catchy a name there never was, but this clever little hack got into systems using the exact same vector. The only difference is that instead of installing ransomware and making it obvious that you’ve been hacked (big flashing banners and ‘PAY HERE’ buttons aren’t exactly subtle), Adylkuzz installed a cryptocurrency mining tool that siphoned off some CPU cycles to mine Monero (like Bitcoin) using your hardware.

It’s big business; Monero’s estimated market cap is circa $450 million and we have no idea exactly how much money Adylkuzz has made so far because it’s been running for months without anybody knowing. But, it’s been surmised that it’s already in the millions of dollars and growing.

Although WannaCry failed at making serious money, it caused problems in the NHS for a number of days and touched a few other corporate organisations across Europe too. This week though, we have a couple of new strains of “ransomware” under the guise of Petya.

Now you might be wondering why I threw up some quotation marks there? Half the reason is that I imagine Dr. Evil says “ransomware” just like he says “lazers”… but the other half is that Petya was really half-arsed when it came to getting paid. Thought to have been seeded through an accounting program called M.E.Doc in the Ukraine, Petya then uses that same EternalBlue exploit as WannaCry to post up its ransom note and bundles in a tool called LSADump which gathers passwords and credential data.

However, the ransom note contained one static address to a bitcoin pay page - unlike the individual addresses everyone got with WannaCry which made it much easier to track and shut down. Experts have noted that the Petya code was incredibly sophisticated, but the ransom note and payment method wasn’t far off “Please send Bitcoin to PO BOX 300, 76 Hackers Way…”.

This is when industry geniuses noticed that what we thought was Petya, was in fact…NotPetya!

The crime group behind the real Petya, Janus Cybercrime Solutions (yes really, they’re an actual Ransomware-As-A-Service company operating over their darknet website, who charge you a nominal registration fee and a set percentage of your ransom money for their centralised web platform and interface, analytics, tech support, and feature development in their beta programs), have come out denouncing this NotPetya strain. Janus Cybercrime Solutions' ransomware product only encrypts all your files, steals your passwords and asks you for money. Honour among thieves.

NotPetya has now been classed as a fast spreading wiper program, permanently deleting files rather than encrypting them - while causing huge outages for large global corporations that used M.E.Doc, like Maersk shipping, but also vast chunks of the Ukraine’s computer infrastructure.

So why bother pretending to be ransomware at all? The Erebus ransomware attack on Nayana (South Korean web hosting company) netted a cool $1 million by encrypting 150 of their servers for eight days; but WannaCry made next to nothing, only a handful of people bothered paying to get rid of Petya before their pay site was shut down, and by keeping quiet Adylkuzz might have made millions. So ransomware doesn’t seem to be making much money, just causing headaches.

The current thoughts are that it was a plausible-deniability cover-up for a state-sponsored cyber attack test, and also that it could have been a distraction while additional malware was seeded into other systems - a cover-up, for a distraction, for a malware insertion…so meta.

Being involved in cyber security on a daily basis keeps Ultima’s finger on the pulse when it comes to the latest breaches, but also the latest defences. We don't often know the full extent of the damage until days or weeks after a hack, but prevention is better than a cure. From client and perimeter security using best-of-breed technology solutions, to process and policy definition and assessment with our industry-leading Risk Management team to prevent people from being the problem - Ultima has got you covered.

We can install Windows updates too.

 - By Harvey Wood (Cisco Business Manager)