"The Government was dead."
Volodymyr Omelyan, Ukrainian Minister of Infrastructure.
Tales from the SOC side Vol.3
The NotPetya story continues...
Dark tales from the SOC Vol.3
The "NotPetya" Edition, Part 2.
As the early morning dawns and our analysts slowly emerge from a night of dark, scary surveillance and remediation, we return to the story of the most destructive ransomware to date, the NotPetya ransomware worm.
The excerpt below continues from the book "Sandworm", written by a fellow dungeon keeper and WIRED senior writer, Andy Greenberg.
In part 1 of the NotPetya story, we introduced you to how NotPetya began to spread and how Ukraine was targeted.
The continued story of NotPetya isn’t only about Maersk, or even about Ukraine. It’s the story of a nation-state’s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.
Oleksii Yasinsky expected a calm Tuesday at the office. It was the day before Ukraine’s Constitution Day, a national holiday, and most of his coworkers were either planning their vacations or already taking them. But not Yasinsky. For the past year, he’d been the head of the cyber lab at Information Systems Security Partners (ISSP), a company that was quickly becoming the go-to firm for victims of Ukraine’s cyberwar. That job description didn’t lend itself to downtime. Since the first blows of Russia’s cyber attacks hit in late 2015, in fact, he’d allowed himself a grand total of one week off.
So Yasinsky was unperturbed when he received a call that morning from ISSP’s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. The bank had told ISSP that it was facing a ransomware infection, an increasingly common crisis for companies around the world targeted by profit-focused cybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central Kiev office half an hour later, he could tell this was something new. “The staff were lost, confused, in a state of shock,” Yasinsky says. Around 90 percent of the bank’s thousands of computers were locked, showing NotPetya’s “repairing disk” messages and ransom screens.
After a quick examination of the bank’s surviving logs, Yasinsky could see that the attack was an automated worm that had somehow obtained an administrator’s credentials and that had allowed it to rampage through the bank’s network like a prison inmate who has stolen the warden’s keys.
As he analyzed the bank’s breach back in ISSP’s office, Yasinsky started receiving calls and messages from people around Ukraine, telling him of similar instances in other companies and government agencies. One told him that another victim had attempted to pay the ransom. As Yasinsky suspected, the payment had no effect. This was no ordinary ransomware. “There was no silver bullet for this, no antidote,” he says.
ISSP’s security operations centre, which monitored the networks of clients in real time, warned that NotPetya was saturating victims’ systems with terrifying speed. It took 45 seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected in 16 seconds. Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016 blackout cyberattack, had also been struck yet again.
On a national scale, NotPetya was eating Ukraine’s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a massive bombing of all our systems,” Omelyan says. Across the country, Ukrainians were asking themselves whether they had enough money for groceries and gas to last through the blitz, whether they would receive their paychecks and pensions, whether their prescriptions would be filled. By that night, as the outside world was still debating whether NotPetya was criminal ransomware or a weapon of state-sponsored cyberwar, ISSP’s staff had already started referring to it as a new kind of phenomenon: a “massive, coordinated cyber invasion.”
Reported NotPetya losses by company (sector):
Merck (Pharmaceutical): $870,000,000
Saint-Gobain (Construction): $300,000,000
Reckitt Benckiser (Manufacturer): $129,000,000