NotPetya ransomware hits hospitals, while Shadow Brokers touts its July VIP service

Ukraine was reportedly the intended target of the Petya ransomware attack, which is actually NotPetya but was likely created by the same developer of Petya. It’s been suggested that NotPetya started after update servers for M.E.Doc accounting software used by Ukrainian companies were compromised.

M.E.Doc issued a security warning, but the company later denied its tainted servers delivered the ransomware. Yet as it spread across the globe, other infected victims were a “side effect” of “cyberwar.”

At least three hospitals in the U.S. were affected: Princeton Community Hospital in West Virginia and Heritage Valley Health System, which includes two hospitals—Heritage Valley Beaver and Heritage Valley Sewickley—60 doctor offices and 18 community satellite facilities. After Heritage was infected, some surgeries were canceled and patients reportedly had to reschedule.

It’s been pointed out that the NotPetya attack occurred a day before a non-working holiday in the Ukraine and on the same day that a top Ukrainian military intelligence officer was assassinated. While a Washington Post article discusses Russia’s use of hybrid warfare, the intelligence officer was killed by a car bomb. Nevertheless, the Post talks about Ukraine needing to up its defense game against Russia. It writes, “We should all be invested in this, because while Ukraine may be the testing ground, the target is all of us.”

Microsoft patches would have prevented attacks

People unwilling or unable to apply Microsoft’s patches, which would have kept their boxes safe, should try the vaccine as described by Bleeping Computer. It is pointless to try to notify the ransomware’s author because the German email provider Posteo shut down the email address wowsmith123456@posteo.net; it was the contact address in the ransom demand.

Even if victims were willing to pay and sent $300 in Bitcoins to the author’s wallet, they were instructed to send their Bitcoin wallet ID and ransomware installation key to the author at the now-not-working email address. At the time of publishing, the wallet showed 45 transactions.

NotPetya is like Petya with worm capabilities, according to Microsoft. It watched the infections unfold, first hitting over 12,500 Windows boxes in Ukraine before spreading to 64 other countries.

“Given this new ransomware’s added lateral movement capabilities, it only takes a single infected machine to affect a network,” the company said.

Microsoft added that the ransomware uses multiple methods to spread:

• Stealing credentials or re-using existing active sessions
• Using file-shares to transfer the malicious file across machines on the same network
• Using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

NotPetya uses NSA-linked EternalBlue and EternalRomance, which were released by the Shadow Brokers; Microsoft released patches for both back in March. It’s nearly July, so if you think no one will know you didn’t deploy patches in a timely fashion, then get infected and think again.

Yet clearly some people did not deploy the fixes, perhaps because a kill switch was so quickly found for WannaCry. Some organizations haven’t patched because they can’t afford the downtime, but surely mitigating the problem would cause less downtime than being a ransomware victim?

Shadow Brokers’ July dump of the month and VIP service

Speaking of EternalBlue and the Shadow Brokers, did the group ever follow through with the June data dump promised to subscribers? The Shadow Brokers claimed it was a big success, but security architect Kevin Beaumont noted that he’d seen no evidence that the dump happened.

Nevertheless, the Shadow Brokers are back and pimping their July dump of the month service. Although the group mentioned the global cyber attack, Beaumont said it had nothing to do with NotPetya and called the group’s implying otherwise “a sales pitch of nonsense.”

It’s worth noting that the Shadow Brokers targeted one specific individual in its July dump of the month subscription pitch. Apparently, this “doctor” who hammered them via Twitter really got under the group’s skin. It started digging into who the “doctor” really is, claimed he is a former NSA-linked Equation Group developer, and threatened to dox him if he kept trolling.

The doctor, it seems, is @drwolfff. He tweeted:

Apparently @shadowbrokerss threatened me in his new post. 1) don’t feed trolls. 2) I was never equationgroup. 3) let’s meet in vegas

— ⚠️ (@drwolfff) June 28, 2017

This month, the Shadow Brokers announced a VIP service in addition to the dump of the month club. 400 ZEC will allegedly get the group’s attention enough to spill what it knows about specific questions asked, such as about a vulnerability or intel. The July monthly dump would cost subscribers 200 ZEC or 1000 XMR.

The group said it would include a “mystery gift” as some people sent a small payment with a hidden service URL. The Shadow Brokers won’t bite at the bait, but it is offering it to others. About this “mystery gift,” the group claimed, “Smelling hidden service FBI hackish.”