Petya Ransomware Campaign May Have Been Neither Of Those Things

When is ransomware not ransomware? That philosophical question has been raised by what some are calling NotPetya, which was previously thought to have been a ransomware campaign in the vein of WannaCry. New research has suggested, however, that NotPetya is NotThatSimple.

Our stumble down this rabbit hole started when Bitdefender reported that a new member of the GoldenEye ransomware family was spreading around the world. The company said that this ransomware encrypted individual files and NTFS libraries while also forcing affected devices to reboot. This left victims with only one option--pay the $300 worth of Bitcoin demanded by the ransomware's operators. Microsoft later said that devices in over 64 countries were affected by June 27--more than 12,500 of which were in Ukraine, where the campaign was first detected.

Questions about the "ransom" part of this "ransomware campaign" arose soon after. It turned out the NotPetya operators used a public email address provided by Posteo for their ransom demands. Posteo shut down the email account, which meant the operators could no longer receive emails from their victims or provide decryption keys in return, effectively ensuring that affected devices would stay encrypted. That was especially damaging because the victims include hospitals, radiation monitoring systems, and other critical infrastructure around the world.

Pseudonymous infosec researcher "the grugq" questioned this aspect of the "ransomware campaign" in a June 27 blog post:

Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of 'send a personal cheque to: Petya Payments, PO Box …')

The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'

Evidence of that duplicity arose on June 28, when Kaspersky Lab revealed that "the threat actor cannot decrypt victims’ disk, even if a payment was made." This was true even before Posteo shut down the operators' email account--Kaspersky said the attackers simply had no way of retrieving the critical information required to give victims a functioning decryption key. (This is one of the reasons why you're advised not to pay up if you fall victim to ransomware.) The operators weren't holding computers for ransom so much as they were rubbing salt in an open wound.

Here's what Kaspersky said about the implications of this setup:

What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.

The prevailing theory is that NotPetya was made to destroy files, not ransom them, and that its operators simply made the attack seem like a ransomware campaign. This distracted victims from the campaign's true purpose and all but guaranteed the attack would receive plenty of news coverage. Maybe the operators' hope was to give NotPetya enough time to reach its intended victims; maybe they simply wanted to cause a little more mayhem by hiding their true intentions. Either way, they managed to pull the wool over the world's eyes, at least for a little while.

There is some good news: Researchers have also discovered a "vaccine" that can protect devices from NotPetya. It doesn't work on devices already affected by the malware--just like getting a measles vaccine after you catch measles won't help you--but this digital vaccine could reduce NotPetya's scope. Bleeping Computer has all the details, but the gist is that NotPetya looks for a specific file before it encrypts a device. If it finds that file, the encryption process never starts, likely because its operators wanted to make sure they wouldn't be infected by their own malware.
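The marker-file "vaccine" described above is a common pattern: the malware checks for a file that signals "already infected" and aborts if it finds one, so defenders can pre-create that file on clean machines. The following Python helper is an added example written for this article, not code from the article, Bleeping Computer, or any vendor. The article does not name the file or directory NotPetya looks for, so MARKER_DIR and MARKER_NAMES below are labelled placeholders that you would replace with the values published by the researchers.

```python
"""Added example: pre-create a read-only marker file so a malware family's
"already infected" check succeeds on a clean machine.

The real marker name and directory are NOT given in the article; the
values below are placeholders for demonstration only.
"""
import os
import stat
import tempfile
from pathlib import Path

# Placeholder values (assumptions for this demonstration, not from the article).
MARKER_DIR = Path(os.environ.get("WINDIR", r"C:\Windows"))
MARKER_NAMES = ("PLACEHOLDER_MARKER",)


def would_abort(marker_dir, marker_names=MARKER_NAMES) -> bool:
    """Model of the check the article describes: if any marker file is
    present in the directory, the encryption routine never starts."""
    return any((Path(marker_dir) / name).exists() for name in marker_names)


def create_vaccine(marker_dir, marker_names=MARKER_NAMES) -> list:
    """Create each marker as an empty, read-only file so the check above
    succeeds. Returns the marker paths (created or already present)."""
    marker_dir = Path(marker_dir)
    marker_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name in marker_names:
        path = marker_dir / name
        if not path.exists():
            path.touch()
        # Strip all write bits so the marker is not casually overwritten or
        # deleted; on Windows this sets the read-only attribute.
        path.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        paths.append(path)
    return paths


def verify_vaccine(marker_dir, marker_names=MARKER_NAMES) -> dict:
    """Report, per marker, whether it exists and has no write permission bits.
    Mode bits are checked rather than os.access(), which always reports
    writable when running as an administrator/root."""
    report = {}
    for name in marker_names:
        path = Path(marker_dir) / name
        if not path.exists():
            report[name] = False
            continue
        mode = path.stat().st_mode
        writable = bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
        report[name] = not writable
    return report


def demo_in_temp_dir() -> dict:
    """Run the whole flow in a throwaway directory and return the results,
    so the behaviour can be checked without touching the real system dir."""
    tmp = Path(tempfile.mkdtemp(prefix="vaccine_demo_"))
    try:
        before = would_abort(tmp)            # clean directory: check fails
        created = create_vaccine(tmp)
        after = would_abort(tmp)             # marker present: check succeeds
        report = verify_vaccine(tmp)
        return {"before": before, "after": after,
                "count": len(created), "report": report}
    finally:
        for p in tmp.iterdir():
            p.chmod(stat.S_IRUSR | stat.S_IWUSR)
            p.unlink()
        tmp.rmdir()


if __name__ == "__main__":
    print(demo_in_temp_dir())
    # For a real deployment you would call create_vaccine(MARKER_DIR) with
    # the published marker names, from an elevated prompt.
```

The caveat a practitioner should keep in mind is the one the article already hints at: this only helps machines that are not yet infected, and it only works against builds of the malware that check for exactly that marker, so a later variant can simply change the name and bypass the vaccine.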

Check out our previous coverage of this campaign to learn more about its connections to WannaCry and how tech companies have responded to the attack. We'll continue to peer through this technological looking glass as more information about GoldenEye / Petya / NotPetya comes to light.

Comment from the forums
  • jtd871
    Let's see, who doesn't like Ukraine? Oh, yeah! Russia!
    1
  • Daekar3
    I'm getting tired of blaming Russia for things when we have no evidence. Can we start blaming someone else? There are plenty of options: a number of Middle Eastern countries, North Korea... How about one of the South American dictatorships? Venezuela is a dysfunctional oppressive Socialist regime, they'd be a good choice. Or Canada. Yes, we can always blame Canada.
    8
  • artk2219
    Anonymous said:
    I'm getting tired of blaming Russia for things when we have no evidence. Can we start blaming someone else? There are plenty of options: a number of Middle Eastern countries, North Korea... How about one of the South American dictatorships? Venezuela is a dysfunctional oppressive Socialist regime, they'd be a good choice. Or Canada. Yes, we can always blame Canada.

    Still not entirely sure on the /s on this one, but the blame Canada is a good hint :).
    0