Rapid cyberattacks like Petya (aka NotPetya) and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attacks. In 2017, among the global enterprise customers that we worked with, these rapid cyberattacks took down most or all IT systems in just about one hour, resulting in $200M – 300M USD of damage at several customers.
Attackers assembled several existing techniques into a new form of attack that was both:
Fast – Took about an hour to spread throughout the enterprise
Disruptive – Created very significant business disruption at global enterprises
The Petya attack chain is well understood, although a few small mysteries remain. Here are the four steps in the Petya kill chain:
Prepare – The Petya attack began with a compromise of the MEDoc application. As organizations updated the application, the Petya code was initiated.
Enter – When MEDoc customers installed the software update, the Petya code ran on an enterprise host and began to propagate in the enterprise.
Traverse – The malware used two means to traverse:
Exploitation – Exploited a vulnerability in SMBv1 (MS17-010).
Credential theft – Impersonated any currently logged-on accounts (including service accounts). Note that Petya only compromised accounts that were logged on with an active session (i.e. credentials loaded into LSASS memory).
Execute – Petya would then reboot and start the encryption process. While the screen text claimed to be ransomware, this attack was clearly intended to wipe data as there was no technical provision in the malware to generate individual keys and register them with a central service (standard ransomware procedures to enable recovery).
Although it is unclear if Petya was intended to have as widespread an impact as it ended up having, it is likely that this attack was built by an advanced group.
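The two traversal mechanisms above map directly onto host settings a defender can audit: whether the SMBv1 transport that MS17-010 targets is still enabled, whether the MS17-010 update is installed, and whether LSASS is hardened so that an active session's credentials cannot be read and impersonated. The following PowerShell function is an added example written for this page, not code from the original post or from Microsoft. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where Get-SmbServerConfiguration and Get-WindowsOptionalFeature exist); the MS17-010 KB identifiers differ per OS build, so they are passed in by the caller rather than hard-coded.

```powershell
# Added example: audit one Windows host for the Petya traversal preconditions
# described above (SMBv1 exposure and LSASS credential exposure).
# Assumptions: run elevated; Windows 8.1 / Server 2012 R2 or later.
function Test-PetyaTraversalExposure {
    [CmdletBinding()]
    param(
        # KB ids of the MS17-010 update for this OS build (caller-supplied; they
        # vary by build, so none are assumed here).
        [string[]]$Ms17010KbIds = @()
    )

    $findings = [ordered]@{}

    # 1. SMBv1 server protocol: the transport that the MS17-010 exploit rides on.
    $smb = Get-SmbServerConfiguration
    $findings['SMB1ProtocolEnabled'] = [bool]$smb.EnableSMB1Protocol

    # The SMB1Protocol optional feature (client and server binaries); it is
    # absent on newer builds, which we report as 'NotPresent'.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $findings['SMB1FeatureState'] = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }

    # 2. MS17-010 patch state, checked only if the caller gave KB ids.
    if ($Ms17010KbIds.Count -gt 0) {
        $installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010KbIds -contains $_.HotFixID }
        $findings['MS17010Installed'] = ($null -ne $installed)
    } else {
        $findings['MS17010Installed'] = 'NotChecked'
    }

    # 3. LSASS hardening. RunAsPPL=1 runs LSASS as a protected process, which
    #    blocks the in-memory credential read Petya relied on to impersonate
    #    logged-on accounts.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $findings['LsaProtectionEnabled'] = ($null -ne $lsa -and $lsa.RunAsPPL -eq 1)

    # Credential Guard isolates those secrets in a VBS enclave; the DeviceGuard
    # CIM class reports value 1 in SecurityServicesRunning when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $findings['CredentialGuardRunning'] = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)

    # 4. Blast radius: count sessions whose logon type leaves reusable
    #    credentials in LSASS (interactive=2, batch=4, service=5,
    #    remote interactive=10). Network logons (type 3) do not, so they are
    #    excluded. Each such session was an account Petya could impersonate.
    $sessions = Get-CimInstance -ClassName Win32_LogonSession -ErrorAction SilentlyContinue |
        Where-Object { $_.LogonType -in 2, 4, 5, 10 }
    $findings['CredentialBearingSessions'] = @($sessions).Count

    # Overall verdict: exposed if either traversal path is still open.
    $findings['ExposedToSmbExploit']   = $findings['SMB1ProtocolEnabled'] -and ($findings['MS17010Installed'] -ne $true)
    $findings['ExposedToCredTheft']    = -not ($findings['LsaProtectionEnabled'] -or $findings['CredentialGuardRunning'])

    [pscustomobject]$findings
}

# Usage (KB ids shown as a placeholder to be replaced with the build-specific ones):
# Test-PetyaTraversalExposure -Ms17010KbIds 'KB<MS17-010 id for this build>'
#
# Remediation for the SMB finding uses the matching built-in cmdlets:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Running this across a fleet (for example via Invoke-Command) gives a per-host table of the same four conditions, which is the quickest way to see how far a Petya-style worm could have traversed: hosts with SMB1ProtocolEnabled and no MS17-010 update are reachable by the exploit path, and any host without LSA protection or Credential Guard exposes every credential-bearing session it holds to the impersonation path.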