The thing that started spreading from Ukraine yesterday afternoon was initially classified as a Petya variant or a WannaCry-style ransomware event. Twenty-four hours of analysis has converged the technical community on a different reading: this is not ransomware. It is a destructive wiper presented in the form of ransomware to confuse attribution and to delay defensive response. The implications, both operationally and strategically, are different from what was initially reported.
The technical reconstruction. The malware spreads via two mechanisms. First, the EternalBlue SMB exploit and the EternalRomance variant from the Shadow Brokers dump — same family as WannaCry — for hosts unpatched against MS17-010. Second, and more interestingly, lateral movement using legitimate Windows administrative tools (PsExec, WMIC) with credentials harvested from the local host using a Mimikatz-style technique. The second mechanism makes the malware far more dangerous in segmented enterprise networks than WannaCry was, because patched Windows hosts are not safe if a single unpatched host is present in the network and the credentials of an administrative user are reachable. The architectural assumption — that patching is sufficient — does not hold against this threat.
The encryption is the part that has been reanalysed today. The malware encrypts the Master File Table on infected hosts and presents a ransom demand for $300 in Bitcoin. The decryption process is, on the analysis published by Matt Suiche, Kaspersky, ESET, and several others (Kaspersky preliminary analysis, Securelist June 27, Matt Suiche's tear-down on Comae), structurally broken. The installation ID generated by the malware is random rather than derived from the encryption key, which means the operators cannot, in principle, produce a working decryption key from the installation ID. Whether the operators are aware of this is unclear; the practical effect is that paid ransoms cannot result in decryption. The converging analysis therefore treats the ransomware framing as a cover story rather than a genuine extortion operation.
The initial-access mechanism is the most strategically significant detail. The first wave of infections appears to have come through M.E.Doc, a tax-accounting software product widely used in Ukraine and required by Ukrainian regulation for many businesses operating in the country. The M.E.Doc update mechanism shipped, on the 22nd of June, a malicious update that included the wiper payload. The Ukrainian Cyber Police have confirmed this attack vector (Ukrainian Cyber Police statement, archived) and the M.E.Doc operating company, Intellect Service, has acknowledged that their update infrastructure was compromised. The supply-chain compromise is the structurally significant detail: the entry vector into thousands of Ukrainian businesses simultaneously was a trusted software-update mechanism. Once inside those businesses, the EternalBlue and credential-theft propagation took over and spread the malware further into the affected estates and into international subsidiaries.
The international spread is therefore predictable in shape. Maersk's global shipping operations, Mondelez (the makers of Cadbury, Oreo and so on), Saint-Gobain, WPP, Reckitt Benckiser, FedEx's TNT subsidiary, Merck — the list of major multinationals affected runs to dozens, and the operational disruption at each is substantial. Maersk has had container ports halted in multiple countries; FedEx-TNT shipping operations in Europe are crippled; Merck has had pharmaceutical production lines halted in some plants. The financial cost is going to run into hundreds of millions of dollars per affected major company, with the aggregate cost likely in the multi-billion-dollar range. The cleanup will take weeks for the larger affected organisations.
The attribution conversation is converging on Russian state involvement, with the targeting concentrated on Ukrainian organisations and the international spread as collateral. The technical signatures have overlap with previous Russian-state-attributed activity (the Sandworm cluster, BlackEnergy lineage) and the timing — the day before Ukrainian Constitution Day — is consistent with a politically motivated operation. The attribution will firm up over the coming months through formal intelligence-community processes; the operational lessons do not depend on the attribution.
For the customer estates, the operational response is similar to WannaCry but harder. EternalBlue patching is the necessary first step but not sufficient — the credential-theft and lateral-movement mechanism means that an organisation can be fully patched against MS17-010 and still be devastated by NotPetya if a single infected host (perhaps an unpatched home laptop returning to the office, or a contractor's machine) is admitted to the network. The defensive controls that matter are the post-WannaCry patching cadence, plus credential-hygiene measures (no shared local admin passwords, rotation of credentials, segmentation that prevents administrative tools from spanning the network), plus blast-radius limitation (network segmentation that contains a credential-compromise to a single segment). The customer estates have varying degrees of these controls; the gap analysis from the WannaCry retrospective is now urgently relevant.
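The credential-theft and PsExec/WMIC propagation described above leaves a recognisable footprint in Windows event logs, and the hunt for it is what a defender runs across an estate that is already patched against MS17-010. The following is an added example, not code from the original post or from any vendor: it joins one account's rapid fan-out of network logons (Event 4624, logon type 3) with the remote-execution traces PsExec (Event 7045, the PSEXESVC service install) and WMI-launched processes (Event 4688 with parent WmiPrvSE.exe) leave on the targets. The records, host names, account names and the 5-minute/3-host thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: (timestamp, event_id, host, fields).
# 4624/type 3 = network logon; 7045 = service installed (PsExec drops PSEXESVC);
# 4688 with parent WmiPrvSE.exe = process launched through WMI (the WMIC path).
SAMPLE_EVENTS = [
    ("2017-06-27T14:02:10", 4624, "FIN-01", {"user": "svc_backup", "logon_type": 3}),
    ("2017-06-27T14:02:12", 7045, "FIN-01", {"service": "PSEXESVC"}),
    ("2017-06-27T14:02:40", 4624, "FIN-02", {"user": "svc_backup", "logon_type": 3}),
    ("2017-06-27T14:02:41", 4688, "FIN-02", {"parent": "WmiPrvSE.exe", "image": "rundll32.exe"}),
    ("2017-06-27T14:03:05", 4624, "HR-07", {"user": "svc_backup", "logon_type": 3}),
    ("2017-06-27T14:03:30", 4624, "HR-08", {"user": "svc_backup", "logon_type": 3}),
    ("2017-06-27T09:15:00", 4624, "FIN-03", {"user": "alice", "logon_type": 3}),
    ("2017-06-27T11:40:00", 4624, "FIN-04", {"user": "alice", "logon_type": 3}),
]

def find_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts whose network logons reach >= min_hosts distinct hosts inside
    any sliding window of `window`. Returns {user: set_of_hosts}."""
    logons = defaultdict(list)
    for ts, eid, host, f in events:
        if eid == 4624 and f.get("logon_type") == 3:
            logons[f["user"]].append((datetime.fromisoformat(ts), host))
    hits = {}
    for user, seq in logons.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = hosts
                break
    return hits

def remote_exec_footprints(events):
    """Per-host traces of remote execution: PsExec service installs and
    WMI-spawned processes. Returns [(host, kind, detail)]."""
    out = []
    for _, eid, host, f in events:
        if eid == 7045 and f.get("service", "").upper() == "PSEXESVC":
            out.append((host, "psexec-service", f["service"]))
        elif eid == 4688 and f.get("parent", "").lower() == "wmiprvse.exe":
            out.append((host, "wmi-spawned-process", f["image"]))
    return out

def triage(events):
    """Join the signals: fan-out accounts plus remote-exec traces on the hosts they touched."""
    footprints = remote_exec_footprints(events)
    return [{"user": u, "hosts": sorted(h), "remote_exec": [fp for fp in footprints if fp[0] in h]}
            for u, h in find_fanout(events).items()]
```

A scheduled-backup account legitimately touching many hosts will also trip the fan-out rule, which is why the remote-exec corroboration and a per-account baseline belong in the triage before anyone is paged.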
The wider strategic point — and this is the one I will be writing the longer piece on for the autumn — is that the ransomware-as-cover-for-destructive-attack pattern is a meaningful new category. The implications for incident response are substantial: an organisation hit by a ransomware-styled incident may not, in fact, be able to recover by paying or by decryption, may have lost the affected systems irrecoverably, and needs to be operating on the assumption of full data loss until and unless decryption is proven feasible. The NotPetya post-mortem playbooks for 2017 and 2018 will need to include this category explicitly.
The supply-chain piece — the M.E.Doc compromise — is the one that has me most uncomfortable. The trust placed in software-update mechanisms is, in 2017, almost universal: every customer organisation, every consumer system, every cloud platform receives signed updates from vendor infrastructure on a continuous cadence and processes them with elevated privileges. A compromise of the vendor infrastructure produces an attack surface that is co-extensive with the vendor's customer base. The defensive controls against this — vendor security verification, update-content monitoring, segmentation of update mechanisms — are not at scale across most organisations. NotPetya is the demonstration that this matters. The next supply-chain attack of comparable shape may well be against a vendor with a larger customer base, and the consequences will scale accordingly.
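Update-content monitoring, one of the controls named above, is concrete enough to show. The following is an added example and not M.E.Doc's, Intellect Service's or any vendor's code: before a staged update is allowed to run, it inventories the files, compares them with the last accepted version and with a file-to-hash manifest the vendor is assumed (for this example) to publish through a channel separate from the update server, and flags anything the manifest never listed, any hash that disagrees, and any newly introduced executable component. File names and contents are constructed.

```python
import hashlib
from typing import Dict, List

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".vbs")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def inventory(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file in a staged update to its SHA-256."""
    return {name: sha256(data) for name, data in files.items()}

def review_update(previous: Dict[str, str], update: Dict[str, bytes],
                  vendor_manifest: Dict[str, str]) -> List[str]:
    """Findings for a staged update before it is allowed to run.
    previous: inventory of the last accepted version.
    vendor_manifest: file -> SHA-256 the vendor published out of band
    (an assumption of this example, not a documented M.E.Doc feature)."""
    findings = []
    current = inventory(update)
    for name, digest in current.items():
        if name not in vendor_manifest:
            findings.append(f"NOT-IN-MANIFEST {name}")
        elif vendor_manifest[name] != digest:
            findings.append(f"HASH-MISMATCH {name}")
        if name not in previous and name.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"NEW-EXECUTABLE {name}")
    for name in previous:
        if name not in current:
            findings.append(f"REMOVED {name}")
    return findings

# Constructed sample: last accepted version, the vendor's out-of-band manifest
# for the new release, and a staged update that carries one extra DLL the
# manifest never listed (the shape of a payload slipped in at the update server).
PREVIOUS = inventory({"app.exe": b"app v1", "report.dll": b"report v1"})
NEW_RELEASE = {"app.exe": b"app v2", "report.dll": b"report v1"}
VENDOR_MANIFEST = inventory(NEW_RELEASE)
STAGED_UPDATE = dict(NEW_RELEASE, **{"helper.dll": b"not in the release"})

def demo() -> List[str]:
    return review_update(PREVIOUS, STAGED_UPDATE, VENDOR_MANIFEST)
```

The check catches tampering downstream of the vendor's release process; if the build or signing step itself is compromised, the manifest will agree with the payload and only the new-executable gate and the vendor's own verification still apply.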
I will return to this. The cleanup tonight continues.