Pnyetya: Yet Another Ransomware Outbreak

Today saw a massive outbreak of not-really ransomware that has caused significant damage to both Ukrainian targets and strategic global logistics companies. The worm uses three different infection vectors:

ETERNALBLUE
Harvested password hashes
psexec
The code is well written and obfuscated to evade AV detection using at least two techniques:

Fake Microsoft signature (apparently fools some AV)
XOR encrypted shellcode payload (to bypass signature checks)
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet, and the instructions require the victim to send an email containing a large number of complex strings (something a novice computer user is unlikely to get right).


WannaCry - Links to Lazarus Group

Code similarities have been found between a February 2017 sample of WannaCry and a 2015 Contopee sample (previously attributed to Lazarus Group by Symantec last year). Google researcher Neel Mehta initially reported this on Twitter, and I investigated further. Since then, Kaspersky has shared this suspicion too.

The attribution to Lazarus Group would make sense given the group's history, which in the past was dominated by infiltrating financial institutions with the goal of stealing money.

If validated, this means the latest iteration of WannaCry would in fact be the first nation-state-powered ransomware.

This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.

In the meantime, a third kill switch appeared in the wild: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com. The fact that it contains "lmao" would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

A global provocation message to the law enforcement and security researcher community, to be read as "Keep Trying".
Reinforcement of the theory that the last iteration of WannaCry is a destructive operation meant to create political mayhem.


How Soon Until the Next Ransomware Disaster?

A little over a week ago, a Cumbrian woman named Joyce broke her foot. What happened next to Joyce’s foot involves the National Security Agency, decades of deferred maintenance on broken software, a hacking group that communicates exclusively in broken English, and an unsophisticated piece of ransomware, all interacting with the global network that almost everyone depends on now.

The success of the WannaCry ransomware that tore through Eurasia over the weekend required a chain of failures. Stopping any one of these failures could have stopped the crisis, and could still stop some of the crises that might otherwise occur. This makes a difference in the lives of normal people who have nothing to do with any of these global players in the computer security game, and it frustrates them.

Before she left, she was given another appointment for Friday, May 12. It turned out to be the day the NHS fell victim to the largest ransomware attack in history.

“Embarrassing that my home PC [is] vastly better tech than the vastly more important health service,” Leslie, a retired electrician in South Cumbria, tweeted on Sunday.