The ransomware that never was

Last Tuesday, a piece of malware, initially suspected to be the Petya ransomware, spread across thousands of computers, mostly in Ukraine. At first, the episode was thought to be the sequel to the WannaCry ransomware outbreak that infected hundreds of thousands of computers across the world in May.

But as the story unfolded and the details emerged, it became evident that this attack was something more, perhaps a cyberattack of political nature hidden behind the guise of a ransomware. The malware eventually acquired other names, including NotPetya, PetyaWrap and ExPetr.

Here’s what we know—so far—about the NotPetya “ransomware” attack that has been making the headlines of late.

What is ransomware?

In a nutshell, ransomware is a kind of malware that encrypts your files and locks you out. There’s no way to decrypt the files until you pay a ransom to obtain the decryption keys. Ransomware attackers usually use different kinds of techniques such as phishing scams or vulnerability exploits to spread the malware.

Attackers demand that the payment be made in Bitcoin or some other type of cryptocurrency, because of the added level of anonymity. In 2016, cybercriminals collected about $1 billion in ransomware attacks.

The NotPetya ransomware was initially called Petya because it reused a large part of the source code of the real Petya, a ransomware that first surfaced in 2016.

NotPetya’s spreading mechanism was brilliant

The success of ransomware attacks often relies on infecting as many computers as possible. In this regard, NotPetya was masterfully crafted. Its spreading mechanism used EternalBlue and EternalRomance, two exploits for vulnerabilities in the Windows operating system that were exposed by the Shadow Brokers hacking group in the biggest NSA cyberweapons leak in history, to spread across local networks.

WannaCry also used the EternalBlue exploit to spread across networks.

To be fair, Microsoft patched both vulnerabilities in a huge security update in March, but naturally, a lot of organizations have not bothered installing it.

NotPetya also added a number of sophisticated mechanisms to propagate onto patched computers, including the use of administrative network privileges. This meant that a single unpatched computer could infect an entire network.
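The local-network spreading described above leaves a characteristic trace: one infected host opening SMB sessions to many distinct neighbours in a short time. The following is an added example, not code from the original post, of a simple fan-out heuristic run over constructed firewall-style log lines. It assumes the EternalBlue vector is SMB over TCP/445 and that a normal workstation rarely contacts more than a handful of peers on that port within a minute; the log format, thresholds and IP addresses are all constructed for the example.

```python
"""Worm-spread fan-out detector over constructed SMB connection logs.

Added example (not part of the original post). Assumptions: lateral movement
via an SMB exploit such as EternalBlue shows up as one source host reaching
many distinct destinations on TCP/445 inside a short window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
# 10.0.1.15 behaves like a spreading host; 10.0.1.40 and 10.0.1.41 are ordinary.
SAMPLE_LOGS = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445 allow
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445 allow
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445 allow
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 445 allow
2017-06-27T10:00:03 10.0.1.15 10.0.1.24 445 allow
2017-06-27T10:00:04 10.0.1.15 10.0.1.25 445 allow
2017-06-27T10:00:05 10.0.1.15 10.0.1.26 445 allow
2017-06-27T10:00:10 10.0.1.40 10.0.1.5 445 allow
2017-06-27T10:00:11 10.0.1.40 10.0.1.5 445 allow
2017-06-27T10:01:30 10.0.1.41 10.0.1.5 443 allow
2017-06-27T10:15:00 10.0.1.40 10.0.1.6 445 allow
"""

SMB_PORT = 445


def parse_log_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_fanout(log_text, threshold=5, window_seconds=60):
    """Return {src: sorted distinct dsts} for every source that reached at
    least `threshold` distinct hosts on TCP/445 within any sliding window of
    `window_seconds`. Only SMB events are considered; other ports are ignored."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_log_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the sliding window is valid
        window = deque()
        for ts, dst in evs:
            window.append((ts, dst))
            # Drop events older than the window relative to the newest event.
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                window.popleft()
            peers = {d for _, d in window}
            if len(peers) >= threshold:
                flagged.setdefault(src, set()).update(peers)

    return {src: sorted(peers) for src, peers in flagged.items()}


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOGS).items():
        print(f"{src} reached {len(peers)} distinct hosts on 445: {peers}")
```

Run as a script it reports only 10.0.1.15, which touched seven distinct peers on port 445 in four seconds; 10.0.1.40 never exceeds two peers and 10.0.1.41 never uses port 445. In practice the threshold and window would be tuned per environment, and the same fan-out logic applies to any worm that spreads over one service port.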

The cybercriminals also hacked MEDoc, a Ukrainian accounting software company, to distribute their virus by pushing infected updates to the computers of its clients. This is a company that offers services to a lot of government agencies and companies in Ukraine.

From a ransomware perspective, this is a smart move. The highest paying ransomware victims are those that absolutely can’t carry out their day-to-day business without their data. That’s why hospitals, for instance, have become a favorite target for ransomware attackers. MEDoc actually provided the NotPetya attackers with the perfect beachhead to reach targets of high value—but for a totally different purpose, as it later turned out.

But its payment system was not

While the developers of NotPetya had taken great pains to make sure their malware spread across computers, they had done a sloppy job of making sure they were compensated for their efforts.

This was the first suspicious sign that the NotPetya attack showed, because ransomware attackers usually take great care to make sure their business runs into as few hurdles as possible. For instance, ransomware attacks usually assign unique bitcoin addresses and IDs to each infected computer in order to automate the payment process.

But NotPetya’s payment process was fully manual. It displayed the same Bitcoin address to all the victims, and also presented an email address in the ransomware message, to which users had to send their user ID and proof of payment in order to receive the decryption keys. This is not the wisest way to handle payments when you expect to hit tens—and potentially hundreds—of thousands of computers.

Furthermore, the provider of the email account unsurprisingly shut it down shortly after NotPetya broke out, which means victims no longer have any means to receive their decryption keys even if they paid.

Predictably, the ransomware didn’t do very well financially. According to a Twitter bot that tracks payments to the single Bitcoin address associated with NotPetya, no more than $10,000 in bitcoin has been paid so far.

The entire situation begged the question: Why would you spread ransomware if you don’t want to make money?

NotPetya is actually not a ransomware

When experts dug deeper into NotPetya, it became evident that its resemblance to the Petya ransomware (or any other ransomware for that matter) was only skin deep. Behind that facade was a wiper, a malware that is not meant to make money but to cause mayhem and destruction, something like the Shamoon virus that caused a stir in Saudi Arabia last year.

In the original Petya ransomware, the ID generated for each infected computer contains crucial information for key recovery. However, analysts at Kaspersky labs discovered that the NotPetya malware (which they dubbed ExPetr) generates a totally random string that is unrelated to the decryption key. This means that even if victims pay up to the attacker and provide their ID, the attacker will have no way to provide them with the decryption key.

An expert from Comae Technologies found out that NotPetya actually irreversibly overwrites some sectors of the hard disk, a behavior that is characteristic of wiper malware.

This further explains why the attackers had not done much to ensure payment upon infection.

Who was behind the attack?

It’s still not clear who was behind the attack, and to be fair, we may never find out because attribution is very hard where cyberattacks are concerned. Hackers often hide their tracks behind code bases and techniques that belong to other hacking groups, or use IP addresses and servers that will throw investigators off their real location.

In this specific case, the fingers are tentatively pointed at Russia, the state that is suspected of a cyberwarfare campaign against Ukraine going back more than two years, including two separate hacks of the Ukrainian power grid. Backing this argument is the fact that the malware’s spreading mechanism had tried to keep the infection within local network boundaries, possibly in order to limit its reach to Ukraine.

An expert who spoke to the New York Times said the domain that the attack was staged from was registered from an IP address and telephone number in Iran, but also pointed out that this could perfectly well be someone else trying to mask themselves as originating from Iran.

Discoveries made by cybersecurity firm F-Secure indicated the NotPetya attackers might have obtained the NSA exploits before the Shadow Brokers leak, opening up the possibility that they might have been a customer of Shadow Brokers, or maybe the group itself.

As one expert put it, the ransomware ruse was only used to evoke memories of the WannaCry outbreak and lure the media away from the real attack until the damage was done.

The NotPetya outbreak is a reflection of the increasingly sophisticated cyberwar landscape that is becoming ingrained into politics, economics and other aspects of modern society.


One comment on “The ransomware that never was”

  1. Sudarshan says:

    Excellent analysis. thanks

