Petya Ransomware Campaign May Have Been Neither Of Those Things
When is ransomware not ransomware? That philosophical question has been raised by what some are calling NotPetya, which was previously thought to have been a ransomware campaign in the vein of WannaCry. New research has suggested, however, that NotPetya is NotThatSimple.
Our stumble down this rabbit hole started when Bitdefender reported that a new member of the GoldenEye ransomware family was spreading around the world. The company said that this ransomware encrypted individual files and NTFS libraries while also forcing affected devices to reboot. This left victims with only one option--pay the $300 worth in Bitcoin demanded by the ransomware's operators. Microsoft later said that devices in over 64 countries were affected by June 27--more than 12,500 of which were in the Ukraine, where the campaign was first detected.
Questions about the "ransom" part of this "ransomware campaign" arose soon after. It turned out the NotPetya operators used a public email address provided by Posteo for their ransom demands. Posteo shut down the email account, which meant the operators could no longer receive emails from their victims or provide decryption keys in return, effectively making it so affected devices would stay compromised. That was especially damaging because the victims include hospitals, radiation monitoring systems, and other critical infrastructure around the world.
Pseudonymous infosec researcher "the grugq" questioned this aspect of the "ransomware campaign" in a June 27 blog post:
Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of 'send a personal cheque to: Petya Payments, PO Box …')The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'
Evidence of that duplicity arose on June 28, when Kaspersky Labs revealed that "the threat actor cannot decrypt victims’ disk, even if a payment was made." This was true even before Posteo shut down the operators' email account--Kaspersky said the attackers simply had no way of retrieving critical information required to give victims a functioning decryption key. (This is one of the reasons why you're advised not to pay up if you fall victim to ransomware.) The operators weren't holding computers for ransom so much as they were rubbing salt in an open wound.
Here's what Kaspersky said about the implications of this setup:
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.
The prevailing theory is that NotPetya was made to destroy files, not ransom them, and that its operators simply made the attack seem like a ransomware campaign. This distracted victims from the campaign's true purpose and all but guaranteed the attack would receive plenty of news coverage. Maybe the operators' hope was to give NotPetya enough time to reach its intended victims; maybe they simply wanted to cause a little more mayhem by hiding their true intentions. Either way, they managed to pull the wool over the world's eyes, at least for a little while.
There is some good news: Researchers have also discovered a "vaccine" that can protect devices from NotPetya. It doesn't work on devices already affected by the malware--just like getting a measles vaccine after you catch measles won't help you--but this digital vaccine could reduce NotPetya's scope. Bleeping Computer has all the details, but the gist is that NotPetya looks for a specific file before it encrypts a device. If it finds that file, the encryption process never starts, likely because its operators wanted to make sure they wouldn't be infected by their own malware.
Check out our previous coverage of this campaign to learn more about its connections to WannaCry and how tech companies have responded to the attack. We'll continue to peer through this technological looking glass as more information about GoldenEye / Petya / NotPetya comes to light.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
USB-C cable CT scan reveals sinister active electronics — O.MG pen testing cable contains a hidden antenna and another die embedded in the microcontroller
Hackers breach Wi-Fi network of U.S. firm from Russia — daisy chain attack jumps from network to network to gain access from thousands of miles away
-
Daekar3 I'm getting tired of blaming Russia for things when we have no evidence. Can we start blaming someone else? There are plenty of options: a number of Middle Eastern countries, North Korea... How about one of the South American dictatorships? Venezuela is a dysfunctional oppressive Socialist regime, they'd be a good choice. Or Canada. Yes, we can always blame Canada.Reply -
artk2219 19880192 said:I'm getting tired of blaming Russia for things when we have no evidence. Can we start blaming someone else? There are plenty of options: a number of Middle Eastern countries, North Korea... How about one of the South American dictatorships? Venezuela is a dysfunctional oppressive Socialist regime, they'd be a good choice. Or Canada. Yes, we can always blame Canada.
Still not entirely sure on the /s on this one, but the blame Canada is a good hint :). -
mavikt I'd blame the US; Who constructed this sieve of an OS in the first place? It's a riddle!Reply -
Serban13 I would say that the CIA made this so they can blame it on North Korea. This way that have a reason to attack them finaly.Reply -
isan1001 And *I* am getting sick of Russians coming onto social media and lying about this. 16 US government agencies say Russia committed cyberattacks against America., Comrade.Reply
Stop your damned lying.
-
synphul 19885270 said:And *I* am getting sick of Russians coming onto social media and lying about this. 16 US government agencies say Russia committed cyberattacks against America., Comrade.
Stop your damned lying.
Not trying to get political or anything but the whole bit about 16 or 17 U.S. intelligence agencies confirming cyber attacks from Russia as it related to the recent election - is a lie perpetuated by many media sources who since have had to make retractions. There were only 4 agencies that were in agreement and many of the others were in disagreement with that assessment. Even the main 4 weren't in total agreement.
Just wanted to clear that up since it's been so widely repeated and been confirmed to be false.