By Michael Hall, Chief Information Security Officer
The malware attack that started in Eastern Europe in late June and quickly spread around the globe looks like it was not a ransom attack at all, but an all-out effort to destroy data, according to a security company that examined the program’s code.
At first, it looked like the attack detected on June 27 was similar to the Petya ransomware that emerged in 2016. With that software, infected victims had to pay a ransom to the hackers to unlock their encrypted files.
Now it looks like the new software, dubbed Petya/ExPetr, does not contain any decryption information, leading the researchers at Kaspersky Labs to conclude the main reason for the attack was to wipe or destroy computer content, not to collect a ransom.
“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disks, even if a payment was made,” Kaspersky Labs said in a blog post.
“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”
The security firm called this a “worst-case” situation for victims because even if they pay the ransom they will not get their data back. The Kaspersky blog added, “this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”
Matt Suiche, a researcher with another security firm, Comae Technologies, reached the same general conclusion. “This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche wrote. “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”
Like the recent WannaCry malware, Petya/ExPetr used the EternalBlue Windows exploit, created by and then stolen from the United States National Security Agency (NSA), to enter computers that had not already received the Windows patch closing the targeted vulnerability. Unlike WannaCry, however, Petya/ExPetr encrypted whole hard drives rather than individual files. In addition, this malware was programmed with advanced worm capabilities. These allowed it to spread quickly to networked computers once a single unpatched computer had been infected, including computers that had already been successfully patched with the updated Windows security fix.
Three quarters of the victims of Petya/ExPetr were located in Ukraine, where the attack originated. Targets included Ukraine’s central bank, its main international airport and the Chernobyl nuclear facility. From there, it spread to sixty-five countries around the globe, including some businesses in the United States such as the multinational law firm DLA Piper, the Pennsylvania health care provider Heritage Valley Health Systems and the pharmaceutical company Merck.
There is a simple way to protect your organization against a malware attack like Petya/ExPetr and others: Apply security patches immediately.
All organizations should have a clear and updated list of all company devices and devices connected to company computers, such as employees’ personal devices that connect through services such as VPNs. When security patches become available, the organization’s IT department must check off each device on the list to be sure all possible entry points are protected.
In addition to keeping up with security, operating system and program updates, it is important to use and maintain antivirus and anti-malware software. Be sure to also install updates to these programs whenever they become available.
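The device check-off described above can be automated: reconcile the inventory (corporate hosts and personal devices reaching in over VPN) against what endpoints actually report as installed, so unpatched, silent and unlisted devices all surface. This is an added example, not code from the author; the inventory, patch reports and the patch id `KB-PLACEHOLDER` are constructed.

```python
# Added example: reconcile a device inventory against patch reports so every
# entry point is accounted for. All data below is constructed for illustration.
from dataclasses import dataclass

REQUIRED_PATCH = "KB-PLACEHOLDER"   # placeholder id of the patch that closes the exploited flaw


@dataclass(frozen=True)
class Device:
    hostname: str
    kind: str        # "corporate" or "personal-vpn" (employee device connecting via VPN)
    owner: str


# Constructed inventory: what IT believes is connected to the company network.
INVENTORY = [
    Device("fin-ws01", "corporate", "finance"),
    Device("fin-ws02", "corporate", "finance"),
    Device("dc-01", "corporate", "infra"),
    Device("laptop-jdoe", "personal-vpn", "jdoe"),
]

# Constructed patch reports: hostname -> patch ids the endpoint agent says are installed.
PATCH_REPORTS = {
    "fin-ws01": {"KB-PLACEHOLDER", "KB-OTHER"},
    "fin-ws02": {"KB-OTHER"},
    "dc-01": {"KB-PLACEHOLDER"},
    "build-07": {"KB-OTHER"},          # reporting in, but nobody put it on the list
}


def reconcile(inventory, reports, required):
    """Classify every device; anything not 'patched' is still an open entry point."""
    known = {d.hostname for d in inventory}
    result = {"patched": [], "unpatched": [], "unreported": [], "unknown": []}
    for dev in inventory:
        installed = reports.get(dev.hostname)
        if installed is None:
            result["unreported"].append(dev.hostname)   # on the list, never checked in
        elif required in installed:
            result["patched"].append(dev.hostname)
        else:
            result["unpatched"].append(dev.hostname)
    # Hosts that report but are missing from the inventory mean the list is incomplete.
    result["unknown"] = sorted(set(reports) - known)
    return result


def all_entry_points_protected(status):
    """True only when every listed device is patched and nothing unlisted is reporting."""
    return not (status["unpatched"] or status["unreported"] or status["unknown"])


if __name__ == "__main__":
    status = reconcile(INVENTORY, PATCH_REPORTS, REQUIRED_PATCH)
    for bucket, hosts in status.items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
    print("all entry points protected:", all_entry_points_protected(status))
```

A device in the "unreported" or "unknown" buckets is as much a gap as an unpatched one: it is an entry point the list does not cover.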