Global ransomware attack was meant to be destructive, not collect money
A global ransomware outbreak Tuesday was inherently designed to be destructive in nature, according to private sector cybersecurity researchers.
An analysis of a unique variant of Petya ransomware conducted by Comae Technologies’ Matthieu Suiche reveals that computer code in the June 27 version of the malware is different than previous samples which were tied to incidents involving monetary gain. The primary difference between past Petya variants and Tuesday’s malware comes in the form of a small block of code that effectively commands the virus to “erase the Windows system’s Master Boot Record (MBR) on default,” said Suiche.
“After comparing both implementations, we noticed that the current [implementation] that massively infected multiple entities in Ukraine was in fact a wiper, which just trashed the 25 first sector blocks of the disk,” Suiche wrote in a blog post.
The new version of Petya, dubbed “NotPetya,” effectively demolishes a key function of the victim computer’s boot process even before a victim has the chance to read any ransom demands.
“Ransomware needs the ability to restore the MBR,” Suiche told CyberScoop. “A wiper makes it so that files can’t be restored .. typically ransomware will decrypt files if you pay, or restore the MBR if you pay. This doesn’t do that. It’s destructive.”
The motive for this expansive cyberattack quickly became a hotly debated topic on social media among security researchers.
Analysts closely monitoring Petya’s spread — an impact that crippled companies in Ukraine, France, Russia, Spain and the U.S. — have been casting doubt on the idea that the ransomware was designed by cybercriminals to collect money.
“The goal of a wiper is to destroy and damage. The goal of ransomware is to make money. Different intent. Different motive. Different narrative,” Suiche explained.
Elements of the ransomware were poorly configured in such a way that receiving payment didn’t seem to be a priority for the hackers, according to Intel471 founder Mark Arena.
“The ransomware message was the same for all victims, used the same bitcoin wallet and provided a web email address that was promptly taken down by the web email provider,” Arena said. “In our opinion, the attacker or attackers clearly showed no interest in decrypting the files for victims that paid them.”
The contact email address left by the hackers for victims to reach out to unlock an encrypted system was registered through a public web platform, meaning that the email address was not hidden or blocked from access by administrators.
Within hours of Tuesday’s outbreak, the email provider predictably shut down the account, making it impossible to authorize a decryption. The hackers would have likely understood this would happen — a logical assumption that adds to to the idea that this wasn’t a financially motivated attack.
In addition, because of the relatively targeted nature of the Petya outbreak — having been largely contained to organizations directly working with Ukrainian companies that interface with financial software developer M.E.Doc — some analysts say the disruption was directly meant to specifically handicap the country in the days before a national holiday.
Tensions between Russia and Ukraine have been high in recent months.
“We believe with medium confidence that [NotPetya] is not a ransomware campaign but was intended to cause wide scale damage to organizations in Ukraine,” Arena said. “We base this assessment on the advanced capability of the threat actor or group with M.E.Doc’s update system being compromised and used to spread the malware, the malware itself and it’s spreading capability.”
In an email to CyberScoop, a Kaspersky Lab spokesperson sent the follow statement regarding the company’s latest analysis of NotPetya:
“We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery. [NotPeyta] does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”
Kaspersky Lab’s findings further support the notion that Tuesday’s ransomware outbreak was not designed to collect ransom payments.
