Ransomware: Threatens to Publish a Victim’s Data in Exchange for a Handsome Ransom

So in this video, we’re going to talk about NotPetya. NotPetya was ransomware that came out in about 2017. And it was considered to be the most devastating cyber attack in history to date. Like I said, it came out in 2017. And it targeted Ukraine, United States, Russia, France, Germany, Italy, United Kingdom. And it probably targeted most countries in the world. It was just that these ones were the ones that had the highest numbers. The malware was a variation of previously seen malware known as Petya. And the reason why this one was called NotPetya is because it functioned similarly, but just slightly different. But also, Petya was ransomware. And like we talked about, ransomware is when your files get encrypted.

And then later, you get an alert that says, to decrypt your files, you must send this much money to this location. With NotPetya, there was no option for decryption. It just encrypted your files and essentially bricked your system or your device, made it unusable, unless you had good backups. And so for this reason, it’s considered NotPetya. It’s actually kind of considered not ransomware, right? Because there was no ransom. It was destructiveware. But in my opinion, it’s the most effective and biggest incident of this kind of attack that we’ve seen, so I think this was a good one to talk about. The way it worked is it used what we believe to be an NSA-developed exploit called EternalBlue.

And it would use, EternalBlue would target SMB, which is a Windows protocol, SMB version 1. And it would exploit it and allow an attacker to get admin rights on the exploited system. Once it was on the system, it would use another tool. This is an open source tool called Mimikatz. And Mimikatz would dump unencrypted credentials from memory. And then EternalBlue would take those new credentials, and it would use them to pivot throughout the network. So all you had to have for this to become a problem for your network was one system that was accessible and vulnerable. Once that system was exploited, the malware could start to pivot through the internal network.

Because it would use those credentials gained from Mimikatz to do that. And it was believed to have caused, and this is why it’s called or one of the reasons why it’s considered to be, the most devastating cyberattack in history, is because it was believed to have caused over $10 billion in US damages, or US dollars in damages. Wired put out an article a couple of years back that talked about this. And they mentioned the shipping company Maersk. And Maersk is responsible for a pretty significant percentage of global logistics and supply lines. And basically overnight, Maersk was completely knocked offline.

They had gone green, so they didn’t have a paper trail footprint of their customers, and their shipping and receiving, and things like that. And so when this hit and bricked the majority of their networks, they didn’t have a way to get supplies where they needed to go. So the starts to have a ripple effect, right? This means that hospitals can’t get the medicine that they need, whatever the cases are. And that then starts to fall over into that physical world again. We saw this, this is similar to what we were talking about with Stuxnet, where you’re spinning up centrifuges, making them unstable, and potentially causing some sort of devastating impact from that.

In this case, it is we’ve denied a large portion of the global supply chain. In addition to that, we’ve also directly targeted hospitals and police infrastructure, things, the government infrastructure. And anything that fell victim to this was taken offline. So you started having impacts on wait times at hospitals. People couldn’t get the medicine that they needed. Gas and supplies like that started not being able to get out. So it had just this huge rippling effect. And it was actually such a big ripple effect that $10 billion is really a big estimate. But we’re not quite sure what the total cost globally probably is considering all those ripple impacts.

So what I want to do now is, again, instead of just going and grabbing the hash for this and throwing it into VirusTotal, we’re going to go to a search engine called Shodan. And what Shodan does is it indexes internet-connected devices with the information that it can fingerprint about them. So it’ll run a port scan, or does some quick banner grabbing. And it’ll say, “OK, we have this Cisco system online. It’s at this IP. That IP comes from this region of the world. It’s hosted by this company”, things like that. What we’re going to do is we’re going to look for publicly accessible systems that still have SMB version 1 running and open to the internet.

And what this would mean, if we find any, is that those systems are potentially still vulnerable to EternalBlue. And so they’re still vulnerable, potentially, to something like NotPetya. So let’s go ahead and take a look at that. OK, so this is Shodan. This is what it would look like. This is what it looks like, actually, after we’ve done our search. If you were to just come to the Shodan website, you’d have a regular landing page. Then you could put your search in there. Shodan is really often used for finding devices that still have default credentials that are on the internet. This is often webcams and the default credentials for those webcams.

So you can see the kind of issues that can result from something like that. But anyways, what we’re doing in this scenario is we are looking for SMB version 1 and systems that are still connected to the internet that are running this vulnerable, or potentially, running this vulnerable, service. So what we do up here is, you can see in our search bar, we’ve got, we’re going to look for port 445. That’s the port that SMB runs over. And then we are going to look for this kind of banner statement inside of our grab there. That’ll filter it out. And it’ll drop this here, and we’ll see the results.

And as you can see, when we run that, we have over 947,000 machines on the internet globally that Shodan detects that are still running with SMB version 1. It’ll give you a breakdown of the countries that it sees these systems in, the organizations that it can affiliate with these systems. And these could be, you see Amazon here. So maybe they’re Amazon EC2 instances, they’re virtual appliances, or something like that, the operating systems that it sees them running with, the various top products. So these are like the web servers that are running with it, or whatever the case is, or Samba, sorry, not web servers.

And over here on the right side of the screen, it breaks it down into actual one by one. So if we just click on the top one here, you see it gives us the IP that it sees. It says it’s Windows 7 Professional with the service pack, the country location. This is, when it does the banner grab, this is the information it gets back. And if we go ahead and we click on this box, it’ll show us where it’s at– and where is this, Portugal– that it sees it, and all the information it has about it.

So if this is all accurate, this would mean that we have almost a million devices on the internet still there are vulnerable to something like NotPetya. Now this number may not be true, may not be 100% accurate. Things may have changed. But there’s probably still a decent chance that it’s mostly accurate. So even if it was 20% off, that’s still a lot of machines that would be vulnerable to this on the internet. OK, in the next section, we’re going to talk about adware, the unclosable ad traps. And I think this is something we’ve all seen. So that’s going to be in the next video.