Not pretty, NotPetya. What lurks in the shadows?
This week, the plot (and there almost certainly is one) has well and truly thickened.
We are not going to repeat our advice to stay calm and keep patching as detailed in numerous previous blogs. Instead we want to have a look at some of the murkier facts that need to be examined if we are to get to the bottom of any of this.
Firstly let us take the Petya malware infection. It looks like this was targeted at Ukrainian businesses on 27/28 June (the initial infection method seems to be Ukraine specific Tax software), it pretended to be Ransomware, but in fact was just for disruptive purposes. We think we know it was only for disruption rather than revenue generation because the payment platform (to decrypt yourself should you be silly enough to pay) dissolved into nothing very early on.
June 28th is Constitution day in Ukraine which makes the whole thing look like a nation state (you all know who) activity. But is it?
If this was a ‘targeted’ attack, it would be fair to say that it has overstepped the mark. Collateral damage has been high. Amongst the reasons for this might be the infection via the Office exploit (CVE-2017-0199) alongside lateral traversal using the EternalBlue (think WannaCry SMB1) exploit as well as the highly effective and yonks old ‘Golden Ticket’ or ‘Pass The Hash’ technique, read all about that here.
The primary question that this raises is: ‘Is this targeted with collateral damage or target practice’? Time will tell, our advice around ransomware and malware remains the same as it has always been. The community jury is out.
Let us add some more murkiness. As discussed in last weeks’ blog, many security outfits have been predicting the next wave of Shadow Brokers activity in early July (as announced by the crims themselves).
Well Taa-Daa. As bad luck would have it, the bad boys made the following announcement just yesterday. As usual delivered in pidgin Russian (because we all believe that the Russians are behind everything, don’t we?), as well as the usual self defending ‘we are doing you all a favour’ messaging the brokers (mwahahaha) did the following:
- Announced a new VIP service for the discerning organised crime group
- Mocked the FBI for trying to Phish them
- Took the gloves off in their public spat with @drwolfff who we believe to be something to do with a cyber security outfit based in the Middle East. The banter is quite amusing, read it here.
The only thing we can be sure about is that chaos is certain and more is to come. The world has turned on its head but the sky hasn’t yet fallen in.
Try and stay safe. Be prepared. We will let you know what we know, as quickly as we can. Here is our update on Not/Niet/Nichts/ – Petya.
If you would like to discuss this unfolding nightmare or maybe have a little cuddle, please contact us at: [email protected] or call 020 7517 3900.