According to our telemetry, many industrial companies are being attacked by ExPetr (Petya) malware. While there were cases in which actual industrial control systems were affected, in most cases only the business networks were affected. According to our data, at least 50% of the companies being attacked are manufacturing and oil & gas enterprises.
# Incident Report: ExPetr (NotPetya) Wiper Attack on Industrial Sectors
## Executive Summary
In June 2017, a destructive malware campaign dubbed "ExPetr" (commonly known as NotPetya) targeted organizations globally, with over 50% of victims in the industrial, manufacturing, and oil & gas sectors. Although disguised as ransomware, the malware functioned as a wiper: it permanently destroyed data by overwriting the Master Boot Record (MBR) and used encryption for which no decryption key can be retrieved. The attack primarily crippled business networks, though some industrial control system (ICS) environments were also affected.
## Incident Details
- **Discovery Date:** June 27, 2017
- **Incident Date:** June 27, 2017 – June 28, 2017
- **Affected Organization:** Multiple; prominent focus on Ukrainian organizations (including M.E.Doc users)
- **Sector:** Industrial, Manufacturing, Oil & Gas (50%+ of victims)
- **Geography:** Global (Primary concentration in Ukraine and Russia; extensions into U.S., Europe, and Asia)
## Timeline of Events
### Initial Access
- **Date/Time:** June 27, 2017
- **Vector:** Supply Chain Compromise, Phishing, and Watering Hole attacks.
- **Details:** The primary entry point was a compromised update mechanism for "M.E.Doc," a Ukrainian tax accounting software. Secondary vectors included malicious attachments/links in phishing emails and watering hole attacks on specific websites.
### Lateral Movement
- Once inside a network, the malware propagated automatically using modified versions of the **EternalBlue** and **EternalRomance** exploits (targeting SMB v.1). It also utilized stolen credentials to move via **WMI** (Windows Management Instrumentation) and **PsExec**.
### Data Exfiltration/Impact
- **Impact:** The malware did not exfiltrate data for profit but acted as a **wiper**. It overwrote the Master Boot Record (MBR) and encrypted a wide range of file types (e.g., .doc, .pdf, .cpp, .dbf). Because the encryption routine was flawed/destructive by design, data recovery remained impossible even if the ransom was paid.
### Detection & Response
- **Discovery:** Detected by telemetry as mass infections began in Ukraine and Russia.
- **Response actions taken:** Anti-malware vendors updated signatures (detected as "ExPetr" or "NotPetya"); companies were advised to disable SMB v.1, patch Windows systems (MS17-010), and isolate affected business networks from industrial segments.
## Attack Methodology
- **Initial Access:** Supply chain compromise (M.E.Doc), Phishing, Watering Hole.
- **Persistence:** Overwrites MBR to execute before the OS loads upon reboot.
- **Privilege Escalation:** Use of credential dumping tools to gain administrative rights.
- **Defense Evasion:** Mimics ransomware behavior to mask destructive intent.
- **Credential Access:** Used a built-in tool similar to **Mimikatz** to harvest passwords/hashes from memory.
- **Discovery:** Scanned local networks for open TCP ports 139 and 445.
- **Lateral Movement:** EternalBlue (CVE-2017-0144), EternalRomance, PsExec, and WMI.
- **Collection:** N/A (Destructive focus).
- **Exfiltration:** N/A (Destructive focus).
- **Impact:** Data destruction (Wiping) and system unavailability via MBR corruption and file encryption.
## Impact Assessment
- **Financial:** Extremely high due to global shipping and manufacturing halts (though specific dollar amounts vary by organization).
- **Data Breach:** Permanent loss of business-critical data (No recovery possible).
- **Operational:** Massive disruption to manufacturing and oil/gas operations; business networks were paralyzed.
- **Reputational:** High public profile due to the scale of the "global ransomware" narrative.
## Indicators of Compromise
- **Files:** `C:\Windows\perfc.dat`
- **Network:** Traffic on TCP ports 139 and 445 attempting to exploit SMB vulnerabilities.
- **Behavioral:** Unexpected system reboots followed by a "chkdsk" screen (which is actually the encryption process).
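As an added example (not part of the report), the network indicators above expressed as detection logic over constructed firewall log lines: it flags any source that reaches many distinct hosts on TCP 139/445 within a short window (the SMB scanning that preceded lateral movement) and any SMB connection crossing from the business network into an assumed ICS segment. The log format, the addresses, the `192.168.50.0/24` ICS range and the thresholds are all assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed firewall log sample (not from the report). Assumed line format:
# "<ISO time> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>"
SAMPLE_LOGS = """\
2017-06-27T10:00:01 src=10.10.1.25 dst=10.10.1.26 dport=445 proto=tcp action=allow
2017-06-27T10:00:02 src=10.10.1.25 dst=10.10.1.27 dport=445 proto=tcp action=allow
2017-06-27T10:00:02 src=10.10.1.25 dst=10.10.1.28 dport=139 proto=tcp action=deny
2017-06-27T10:00:03 src=10.10.1.25 dst=10.10.1.29 dport=445 proto=tcp action=allow
2017-06-27T10:00:04 src=10.10.1.25 dst=10.10.1.30 dport=445 proto=tcp action=allow
2017-06-27T10:00:05 src=10.10.1.25 dst=192.168.50.10 dport=445 proto=tcp action=allow
2017-06-27T10:00:09 src=10.10.1.40 dst=10.10.1.5 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp action=\S+$")
SMB_PORTS = {139, 445}                           # NetBIOS-SSN and SMB, as in the IoC list
ICS_NETWORKS = [ip_network("192.168.50.0/24")]   # assumed ICS segment for this example

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line in the assumed format."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def in_ics(ip):
    return any(ip_address(ip) in net for net in ICS_NETWORKS)

def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Sources that reach >= threshold distinct hosts on 139/445 inside one window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport in SMB_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # sliding window over time
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

def find_ics_smb_crossings(lines):
    """SMB connections entering an ICS segment from outside it (segmentation breach)."""
    return [(src, dst, dport) for _, src, dst, dport in parse(lines)
            if dport in SMB_PORTS and in_ics(dst) and not in_ics(src)]
```

On the sample, `find_smb_scanners` reports `10.10.1.25` touching six SMB peers in under a minute, and `find_ics_smb_crossings` reports its single connection into the ICS range; the threshold should be tuned against a baseline, since file servers and backup hosts legitimately fan out on 445.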
## Response Actions
- **Containment:** Blocked ports 139/445; disabled SMB v.1 across the enterprise.
- **Eradication:** Isolated infected hosts; deployed updated AV signatures (UDS:DangerousObject.Multi.Generic).
- **Recovery:** Restoration from offline backups (as local data was unrecoverable).
## Lessons Learned
- **Supply Chain Vulnerability:** Software update mechanisms of third-party vendors are critical attack vectors.
- **Patch Management:** Failure to apply the MS17-010 patch (released months prior) allowed rapid propagation.
- **Wiper vs. Ransomware:** Not all "ransomware" is financially motivated; some is designed solely for destruction.
## Recommendations
- **Patching:** Ensure all Windows systems are patched against MS17-010.
- **Network Segmentation:** Geographically and functionally segment business networks from Industrial Control Systems (ICS).
- **Hardening:** Disable SMB v.1; restrict the use of PsExec and WMI where not operationally required.
- **Backups:** Maintain verified, offline backups of all business-critical information.
- **Software Integrity:** Monitor and validate third-party software updates before deployment in sensitive environments.