Ransomware is usually developed to enrich the bank accounts of the people behind it – nothing more, nothing less. But the attack that was carried out on Tuesday, June 27th seems to have had other goals. No fewer than 2,000 individuals and organisations all over the world have been affected by it and, according to security researchers, this attack was mainly designed with the purpose of damaging IT systems – extorting funds played second fiddle to that. The attack began in Ukraine and then spread to Russia, Western Europe and the US via the compromised accountancy software developer MeDoc.
The threat still displayed a message saying that $300 USD (or £230) has to be paid in Bitcoin to return the files and settings to normal, but its intrusion methods were far more sophisticated than its simplistic payment infrastructure which, again, seems to have been included only to make it look like just another virus. Quoting the security researcher the grugq, this ransomware was “definitely not designed to make money” but “to spread fast and cause damage, [using the] plausibly deniable cover of ransomware”. UC Berkeley academic Nicholas Weaver agrees with that assessment: “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”
The threat is called NotPetya because it is similar to Petya, but it should be noted that the two are not identical. They share code, but, according to Kaspersky Lab, NotPetya is “a new ransomware that has not been seen before”. The payment address seems to be hardcoded into it, and this address, along with a 60-character, case-sensitive “personal installation key”, can be found in the text of the ransom note. An email confirming the payment must be sent to an address belonging to the German email provider Posteo. To their credit, Posteo terminated the account, but that also means that none of the people who made a payment will be able to receive a decryption key in return. The grugq also notes that “If this well-engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’)”, but its infection methods are “well-written” and employ an array of different techniques that allow it to inflict the greatest possible damage on the targeted network.
NotPetya employs EternalBlue, the exploit developed by the NSA, to break into unpatched Windows computers. The virus first tries to gain administrator access over the entire network by stealing passwords, and then the real work begins: every PC on the network receives what looks like an update but is actually NotPetya in disguise, and their hard drives are then encrypted. Comparisons with WannaCry may come to mind here, but this threat contains no kill-switch code that would stop it spreading once the infection has run its course.
Unlike typical ransomware, the NotPetya/Petya virus does not encrypt the files on a targeted system one by one. Instead, Petya reboots the victims’ computers and encrypts the hard drive’s master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the whole system by seizing the information about file names, sizes and locations on the physical disk. After that, Petya replaces the (now encrypted) MBR with its own malicious code that displays a ransom note, leaving the computers unable to start.
In fact, this new variant of Petya does not keep a copy of the master boot record it replaces, leaving infected computers locked even if victims pay the Bitcoin ransom and obtain the decryption keys.
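Because the original MBR is not preserved, the only defensive answer is to know what the first sector looked like before the incident and to notice when it changes. The following script is an added illustration and is not code from the article or from any of the researchers quoted in it; it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints the boot code, and compares it with a baseline hash. The three sample sectors it checks are constructed here for the example: a known-good disk, the same disk with the boot code swapped out while the partition table is left intact, and a sector whose signature has been zeroed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), first LBA, sector count.
ENTRY_FMT = "<B3sB3sII"


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition tuples
    (bootable, type, first_lba, sector_count). Only used to construct sample input."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, first_lba, count = partitions[i]
            # CHS fields are ignored by modern loaders, so they are left zeroed.
            table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                 b"\x00\x00\x00", ptype, b"\x00\x00\x00",
                                 first_lba, count)
        else:
            table += b"\x00" * PARTITION_ENTRY_LEN
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into its boot-code fingerprint, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PARTITION_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, first_lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PARTITION_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "first_lba": first_lba,
                               "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> str:
    """Return OK, MODIFIED (boot code differs from baseline) or INVALID (signature gone)."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "INVALID"
    if info["boot_code_sha256"] != baseline_sha256:
        return "MODIFIED"
    return "OK"


# Constructed sample data: one NTFS partition (type 0x07) starting at LBA 2048.
PARTITIONS = [(True, 0x07, 2048, 204800)]
KNOWN_GOOD = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
# A bootloader swap keeps the partition table so the disk still "looks" valid.
TAMPERED = build_mbr(b"CONSTRUCTED REPLACEMENT BOOT CODE", PARTITIONS)
# A sector with the 0x55AA signature destroyed.
WIPED = KNOWN_GOOD[:510] + b"\x00\x00"

# The baseline would normally be recorded from a clean machine and stored off-host.
BASELINE = parse_mbr(KNOWN_GOOD)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("known_good", KNOWN_GOOD), ("tampered", TAMPERED), ("wiped", WIPED)):
        print(f"{name}: {check_mbr(sector, BASELINE)}")
```

The point of including the TAMPERED sample is that a check which only validates the partition table and signature passes it; the boot code itself has to be fingerprinted, and the baseline has to live somewhere the malware cannot reach.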
Also, after infecting one machine, the Petya malware scans the local network and quickly infects all the other computers on the same network, even fully patched ones.
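A worm that scans the local network and pushes itself to every other host produces a distinctive pattern: one source opening SMB connections to many distinct destinations within a short window. The detection below is an added example, not code from the article; it runs over a few constructed firewall-style connection records (the log format, the field names and the threshold of ten targets in sixty seconds are all assumptions made for the example) and reports any source that fans out to that many SMB targets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
SMB_PORTS = (445, 139)


def parse_line(line: str):
    """Parse one connection record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_smb_fanout(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src: {...}} for every source that contacts >= threshold distinct
    SMB destinations inside any sliding window of the given length."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in SMB_PORTS:
            continue
        events[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        peak, peak_start = 0, None
        # Anchor a window at each event and count distinct targets it covers.
        for i, (start_ts, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - start_ts <= window}
            if len(targets) > peak:
                peak, peak_start = len(targets), start_ts
        if peak >= threshold:
            alerts[src] = {"distinct_targets": peak,
                           "window_start": peak_start.isoformat()}
    return alerts


# Constructed sample: 10.0.1.15 sweeps twelve neighbours on 445 within twelve seconds,
# 10.0.1.40 is a normal client talking to one file server, plus an unrelated HTTP line.
SAMPLE_LOG = [
    f"2017-06-27T10:15:{i:02d}Z src=10.0.1.15 dst=10.0.1.{20 + i} dport=445 proto=tcp"
    for i in range(12)
] + [
    "2017-06-27T10:15:03Z src=10.0.1.40 dst=10.0.1.5 dport=445 proto=tcp",
    "2017-06-27T10:15:30Z src=10.0.1.40 dst=10.0.1.5 dport=445 proto=tcp",
    "2017-06-27T10:16:01Z src=10.0.1.40 dst=10.0.1.5 dport=445 proto=tcp",
    "2017-06-27T10:15:05Z src=10.0.1.15 dst=10.0.1.9 dport=80 proto=tcp",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, info in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['distinct_targets']} SMB targets from {info['window_start']}")
```

The sliding window is what separates a worm from a backup job or a management console that also touches many hosts, but over hours rather than seconds; tune the threshold and window to the size of the segment being watched.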
According to Kaspersky Lab, 60% of the infections are within Ukraine. As we’ve mentioned above, the attack was carried out through the accounting software developed by MeDoc, and this software was also used by the Danish shipping company Maersk, which fell victim to the ransomware as well. Ukraine insinuates that Russia was responsible for the attack, but it should be noted that Russian firms have also suffered, including Rosneft – an oil company that’s considered to be one of the leading corporations in Russia. There’s no concrete evidence at the moment, so all of the accusations are based on assumptions and judgement.
Further analysis showed that this virus was designed to look like ransomware but is in fact wiper malware that wipes computers outright, destroying all the data on the infected systems.
Security experts even believe the ransomware disguise was chosen to divert attention from a state-sponsored attack on Ukraine by presenting it as an ordinary malware outbreak.
“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” said Comae Technologies expert Matt Suiche.