
Okay, so hi everyone, thank you for joining us today in our presentation. It's an honor for me to be here, mainly for two reasons: I was a student, obviously, of this university, and also this is the first time speaking in a conference. So I would like to personally thank Aryan and Dardan and the whole BSides team for giving me the opportunity to present here in front of you. Today we are discussing a very delicate subject, which is the attack which struck Maersk in 2017.

This is me. I am currently working as a DevOps engineer at Buckaroo Payments; I recently joined them, it's been like three weeks. I'm passionate about cyber security, obviously, because I'm presenting here today, and I'm a local ambassador for CrowdSec. They were part of BSides last year; they couldn't make it this year, but they are basically an open source company which offers IPS, IDS, firewall and many integrations with different software for the protection of your servers. I do love working with AWS, I do that daily, but, as many people don't, I don't like Azure, I want to point that out. And I also enjoy making memes, so you're going to see a couple of them during the presentation. So let's get to it.

Today we're talking about ransomware. We're going to have a brief introduction of what ransomware is; many of you are familiar with it, but anyway we're going to give a short description, just to see what type of malware it is, how it works and so on. We're also going to specifically talk about a very special type of ransomware, which is NotPetya, which is what attacked Maersk in this case. Also we're going to talk about Maersk itself, just to see what type of company it is and why it is so important to mention them in this case. Then we're going to talk about the day when Maersk met NotPetya, which was very unfortunate, and we're going to stop at the aftermath of the attack, just to see what the casualties were and how everything unfolded. And ultimately, what's important, we're going to look at the lessons we've learned from this attack.

So what is ransomware? Kaspersky defines it as extortion software that can lock your computer and then demand a ransom for its release. So basically what happens: ransomware is a form of malware which encrypts your data and then says "I want some money in exchange" if you want the key to decrypt it. That's basically how it works. Usually the encryption algorithms that are used are unable to be decrypted without having the key, and this is why it makes it almost impossible to decrypt without having the private key in this case. It also spreads rapidly on the network, which is also what happened with NotPetya, and usually the payments are required to be done in crypto because of all the reasons we already know: it's untraceable, it's easier to make those payments, and so on and so forth.

So what does it actually look like to be attacked by ransomware? I really want to emphasize this: I really hope none of you sees the screen we're going to present next, because then it's already too late for you. This is the screen that is usually presented to the persons that have been attacked by ransomware. Basically it gives a description of what has already happened. It says that the hard disk of your computer has been encrypted with a military grade encryption algorithm (we're going to see on the next slide how that works). It says that there is no way to restore your data without a special key, which is the private key in asymmetric encryption. And to purchase your key, it usually instructs you to use a Tor browser, or, as we know, the onion routing protocol; you need a Tor browser to actually access the links that they usually provide, as you've seen, and also you need to enter your personal decryption information, and then they will send the key back.

What happens most of the time is that even if the company or the person sends a payment, they will be like "yeah, you paid this, but you need to make an additional payment", and so on and so forth. So it's usually not recommended to send payments. If this happens, unfortunately, if you don't have a backup it's non-recoverable, but if you have a backup in place you can simply restore that backup and have your files back.

So how does it work? Basically the victim acquires ransomware from an email, an exploit, a worm, whatever type of source, and then the ransomware contacts the attacker's command and control server. What happens is a public key is used to encrypt the data on your machine, and a private key is stored on the command and control server, so it means without that private key it's impossible to decrypt your data. Data is encrypted and a ransom note, which in this case is this one, is presented to the victim, and then after the ransom is paid the attacker sends the private key to decrypt the data. But please be aware that that is not always the case; sometimes even if the payment is made, as we mentioned, you will probably not get your data back.

We are going to focus on a special type, if we can call that ransomware, and I'm going to elaborate more on that shortly. It was first detected in 2017 and it was primarily spread through M.E.Doc. Now what is M.E.Doc? It's accounting software which is based in Ukraine. The damage that NotPetya caused to companies all around the world is estimated to be around 10 billion dollars. It's a variation of Petya, which is where the name originates; Petya is basically a ransomware which originated before NotPetya, so this is a variation of that ransomware, and we are going to see the differences that it has in comparison with Petya. It used two exploits which are very popular: one of them is EternalBlue, and it used a special tool which is called Mimikatz. We are going to see what these two do shortly. And ultimately it was labeled as a cyber weapon, and this is because it is believed that this was created by Russian hackers, and the main reason it was created was to attack companies, organizations, banks and everything that was located in Ukraine. So unfortunately for Maersk, it was just collateral damage, because Maersk was never the target. What happened is that the cyber weapon was created because of the geopolitical war that was happening between Russia and Ukraine, and basically in this case Maersk was attacked by NotPetya, but it wasn't the main target.

So how does NotPetya actually get into different machines or organizations? The first variation is that it goes through the M.E.Doc update server. This means that NotPetya was coupled together with M.E.Doc, and you would get it as soon as you got an update; so in this case it means that it used M.E.Doc as a backdoor to actually go into the infrastructure. This is what happened with Maersk. The other way of actually going into the systems is using phishing mails, for example if you have an infected document. And also, for example, if one of your machines on the local network is infected, it can also spread through the internal network, and ultimately this is what is called lateral movement. Swiss army knife: this means it's a compilation of multiple tools, which is also what a Swiss army knife is. For example it uses EternalBlue and Mimikatz, just like we mentioned earlier; it uses those to spread rapidly across the network, which is what happened in this case.

So the most striking feature of the NotPetya ransomware is that it is not a ransomware. I'm sorry to disappoint you, I know that the name of the presentation is "NotPetya ransomware", but it is not a ransomware. The developers had no intention of ever delivering a decryption key. This means that the main focus of this attack was to destroy data, and this is why it made the data non-recoverable. For example, if you take a comparison between this and, let's say, the WannaCry ransomware, which happened months before NotPetya, the intention of WannaCry was to actually encrypt your data, get your money, get your data back. This was not the intention of NotPetya; it was purely data wiping and destruction.

Let's talk about Maersk, which is the victim in this case. It has its headquarters in Copenhagen, so that is where the attack initially happened, and then it spread across the global infrastructure that Maersk has in place. It is the world's largest shipping company; it is estimated that they transport around 12 million containers every year, and in 2022 they had a revenue of 81.5 billion dollars, and the reason for this is container prices going up and up. But yeah, basically you can just see how big of a company it is. It has 574 offices in 130 countries, and all of them were infected in this case; even the backups that they had, even the offline backups, everything was infected when the NotPetya ransomware struck.

Let's unfold the attack. It happened on June 27, 2017. At four o'clock in the morning: ransomware attack on Ukrainian banks and power companies; as you can see a pattern here, Ukrainian. That's mainly because the entry point of NotPetya was M.E.Doc, so whoever was using M.E.Doc and got the update from their server was actually getting NotPetya into their systems together with that update. At 11:30, the Ukraine Central Bank confirms an attack on IT systems, the same attack with NotPetya. At 1:21, Maersk publicly confirms that their IT systems are down. At 6:12, Kaspersky says that NotPetya is a wiper; we have to focus on this, because as I mentioned the main focus was to wipe and destroy data, and it has already affected around 2000 organizations. At 7:46, Ukraine police confirm M.E.Doc is infected by NotPetya, but they said it's not our fault in this case, because it was initially thought that they were actually conducting the attack, but that was not the case, they were just infected. The source of this information is Charlie Pownall, who had a case study on the Maersk NotPetya attack.

Yeah, that's how it started. This might seem like a joke, but it is not; this is what actually happened. The way they describe it, if you were looking down the hall, all the computers were just going black, black, black, and there is a strong reason for that. This is NotPetya's recipe for catastrophe, if we can call it that way. Initially, as we mentioned, M.E.Doc was infected, so the malware itself came from a trusted source; nobody would think that if you just update your accounting software. In this case Maersk was using M.E.Doc for tax returns in the UK, sorry, in Ukraine. So the source for them in this case was trusted; they had no idea that they could be infected from their accounting software. The second one is encrypting the MFT, which is the master file table; we're also going to take a look at that. It takes less time to actually encrypt the MFT in comparison to actually encrypting all the files on the systems; we're going to stop at that on the next slide. Rapid propagation was also a feature, because it is said that it only took several minutes to a couple of hours for the whole global infrastructure of Maersk to go down. They also had this fatal combination of different tools and exploits to actually achieve this, and we are going to see how they actually did that.

So the backdoor: the software used by the finance teams for tax returns, as I mentioned, was compromised by NotPetya. In this case automatic updates were enabled, which if you look at it is not something really strange, because we also have automatic updates enabled in our different apps, and we would never think that the ransomware would actually originate from that. In June the virus was pulled inside the IT infrastructure and it propagated inside the network. I'm going to get back to the slide and just elaborate on one thing: this command and control server which we earlier mentioned, for example for the WannaCry ransomware. This connection between the machine that was attacked and the command and control server never actually happened; the encryption key that was used by NotPetya was sent to an email, but that email was blocked by the machine, so it never reached the attacker's machine, which renders the files unusable, and also the operating system in this case.

Encrypting the MFT: I'm going to take a practical example for this. Let's say you want to go into a building and you're looking for a specific apartment. Instead of encrypting all the names of the apartments on the doors, you simply remove the map which is at the entrance of the building. This is what happened with the MFT. Instead of going and encrypting all the files one by one, what they did is they encrypted the MFT, which is the master file table inside NTFS, which is the file system used by Windows in this case. This rendered the whole operating system unusable. What this means is that this is a table that includes information about where your files are. So for example, for a 500 gigabyte hard disk, this is merely some megabytes, so it encrypted so fast, and this is the main reason why it propagated so fast across the machines. To do this they used a special tool, mft2csv. So basically they just encrypted the MFT master table and the whole operating system was rendered unusable, except that they also had a special module integrated which also wiped the data on the machine.

So rapid propagation was done mainly using EternalBlue, which you might have heard of. EternalBlue is an exploit which was used by the NSA; it was used for more than six years and they never reported it to Microsoft, because they wanted to use it for their exploitations. So they used EternalBlue, which in this case used a vulnerability of SMBv1, which is a protocol used in Windows for file and resource sharing on the network. EternalBlue used that vulnerability to spread across the network, and what's very interesting is that this attack, as we mentioned, happened in June 2017, and the patch for EternalBlue was released a couple of months earlier, I think it was March 2017. So they could have patched this, but that does not necessarily mean that this would not have happened, because they still used extra tools to actually propagate through the network, which is for example PsExec, also Mimikatz, and also a bunch of different tools to actually both encrypt the data and also spread across the network.

This is how Mimikatz looks. It's a tool that uses a vulnerability to extract passwords from the memory on devices that are running Windows. Example of PsExec: we run a command on a machine, a simple command, ipconfig, and as we can see it returned the IP of the device that we were actually running this on. So this is just one of the tools that NotPetya had incorporated into their malware in this case, and the combination was just fatal for Maersk.

The aftermath of the attack. Initially they had to work on pen and paper, which, imagine if you have several hundred offices spread across the world; they couldn't even use their phones, they couldn't even alert their colleagues that this was happening, and that is mainly because also the servers that they used for telephone communications were rendered unusable. An estimated 49,000 laptops were destroyed. The financial cost was around 300 million. Their backups were infected. They had to shut down operations on multiple ports. They had several days of inaccessible IT infrastructure, and it took them about four weeks to get a fully operational IT infrastructure; obviously they had to rebuild all the servers and all their PCs. It cost them a lot, both financially, and it is also important to emphasize that it damaged their reputation a lot, because it's a big company spread all around the world. Basically they had some good communication, if we can say so, with their clients, partners and stakeholders, but at the end of the day it's not good that this happened to such a big company. This was posted on the Maersk IT systems; they publicly accepted that their IT systems were down, which is quite unfortunate.

The lessons we all learned from this attack. It was unfortunate for Maersk to have this attack, but nowadays it serves as a lesson for all the companies, institutions and also individuals that you always have to prepare for the unpredictable, which in this case was also the case with Maersk, because as we mentioned the actual ransomware came from their accounting software. First of all, companies need to prioritize their security investments, because this is crucial for normal operation, especially since the whole management and business continuity of Maersk in this case was based on their IT infrastructure. They need to add robust backup and disaster recovery systems; even though they had this in this case, unfortunately it couldn't be of help for them. It's important to have a comprehensive cyber security plan. They did, as we mentioned, have transparent communications with their customers and also with the stakeholders and their partners, but that didn't really come to help as much. And also up-to-date configuration of the systems, which is crucial. One thing that I want to mention is that they could have used a sandbox environment to test their software, because even if the ransomware would go inside the systems, if you have a sandbox environment the virus would just spread there and not in the whole infrastructure, which in this case happened with Maersk. And ultimately we can close with a quote: Maersk's experience with NotPetya serves as a stark reminder of the need for robust cyber security measures in today's interconnected world. Thank you for joining this presentation.

[Applause]

If any of you has any questions, I would be happy to answer them.

Audience member: Yep, so thank you very much for the presentation. To be honest, I remember when the EternalBlue exploit got leaked by the Shadow Brokers and it was a really challenging time for everyone. I was just curious, I'm not sure if you investigated something similar, because some of the attacks actually affected Albanian institutions, and probably Kosovo as well, because they were not bounded by boundaries. And if I remember correctly, if you actually didn't restart the computer, the MFT would be fine; so if you shut down the computer and didn't start it up, if you didn't just restart it automatically, the MFT encryption was only happening on startup. So it was a way to actually avoid the entire problem happening, but it was too late because everything was done. So I'm not sure, did you encounter that in real life, or was it just...

Speaker: Yeah, good question, because I was also asking myself this very question. But the thing is, I also mentioned that except having the MFT encrypted, they included this module which actually wiped all the data, so it wasn't just the MFT. They had a second plan, which even if they don't restart the computer, this module that was incorporated inside the NotPetya ransomware actually made it possible for all the files to be wiped out, even if you for example would not restart your computer, which happened in this case, because the whole file system was destroyed by the second module that NotPetya used. But what you're saying is correct; they also had this second thing implemented, which they wanted to make as successful as possible in this case.

Yeah, I'm just curious
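As an added defender-side example that is not part of the talk or of Maersk's own tooling: the presentation notes that EternalBlue abused SMBv1 and that the fix existed months before the outbreak. The PowerShell script below audits whether SMBv1 is still enabled on a Windows host (server side, client redirector, and the optional feature) and disables it when run with -Remediate. It assumes a Windows 8.1 / Server 2012 R2 or newer host with the SmbShare module, run from an elevated prompt; the function and parameter names are my own.

```powershell
# Added example, not from the presentation: audit (and optionally disable) SMBv1,
# the protocol abused by EternalBlue. Assumes Windows 8.1 / Server 2012 R2 or later
# with the SmbShare module, run from an elevated PowerShell prompt.
param(
    [switch]$Remediate   # pass -Remediate to actually disable SMBv1
)

function Get-Smb1Status {
    # Server side: will the SMB server still negotiate SMBv1?
    $server = Get-SmbServerConfiguration
    # Optional feature: are the SMBv1 components installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Client side: the SMBv1 redirector driver (mrxsmb10); Start = 4 means disabled.
    # If the value cannot be read, report it as enabled (fail closed for the auditor).
    $client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { "$($feature.State)" } else { 'NotPresent' }
        ClientSmb1Enabled = -not ($client -and $client.Start -eq 4)
    }
}

function Disable-Smb1 {
    # Server side: stop accepting SMBv1 connections.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 optional feature (a reboot completes the removal).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Client side: drop the SMBv1 redirector from the workstation service dependencies
    # and disable its driver (sc.exe, not the PowerShell alias 'sc' for Set-Content).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1Status
Write-Host 'SMBv1 status before:'
$before | Format-List

if ($before.ServerSmb1Enabled -or $before.ClientSmb1Enabled -or $before.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still reachable on this host; EternalBlue-style worms target exactly this surface.'
    if ($Remediate) {
        Disable-Smb1
        Write-Host 'SMBv1 status after (reboot required to finish):'
        Get-Smb1Status | Format-List
    } else {
        Write-Host 'Re-run with -Remediate to disable SMBv1.'
    }
} else {
    Write-Host 'SMBv1 is disabled on this host.'
}
```

Removing SMBv1 shrinks the surface the worm used, but it is not a substitute for installing the MS17-010 update the talk refers to, and the talk itself notes that NotPetya also spread with stolen credentials via PsExec, so patching and credential hygiene still matter.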