Petya’s Ransomware Cloaking Device

Recent ransomware threats have escalated into a global crisis, and cybersecurity experts and government authorities have redoubled their investigative efforts. Of grave concern is the possibility that the recent Petya attack had more sinister motives than typical ransomware operations, and that state actors were involved behind the scenes.

The Petya attack — which disrupted major government agencies, infrastructure sites, multinational companies and other organizations — actually used the cover of a ransomware attack to deploy a more malicious exploit, called a “wiper,” that paralyzed thousands of computers and destroyed data in dozens of countries around the world, some leading cybersecurity experts have concluded.

The National Cyber Security Centre, which operates within the UK’s GCHQ intellligence agency, late last month raised questions about the motives behind the attack, saying it had found evidence that questioned initial judgments that collecting ransoms was Petya’s chief goal.

The financial motivation was questionable early on, based on critical evidence seen during the intial outbreak of the attack, noted Vikram Thakur, technical director at Symantec.

Ukraine Connection

The large number of victims located in Ukraine and the fact that the infection vector was software primarily used there raised suspicions, he told the E-Commerce Times.

Further, “the single bitcoin wallet payment method, use of a single email for decryption communications, absence of a C&C (command & control server), encryption of files with extensions primarily used by businesses, the wiping of the MBR, along with the randomly generated key displayed to the victim, all contributed to the belief that the attacker did not expect to receive ransom in exchange for decryption keys,” Thakur said.

The single email was a key concern of researchers. German provider Posteo shut down the email used by the hackers as the sole means of contact, which professional hackers would have expected to happen. They would have established more than one potential means of collecting ransom and then releasing data back to victims.

Kaspersky Lab, one of the first cybersecurity firms to publicize the true nature of the attack, posting on June 28 that the Petya malware attack was a wiper disguised as ransomware.

“Our analysis indicates that ExPetr/NotPetya (additional names of the Petya exploit) has been designed with data destruction in mind,” the firm said in a statement provided to the E-Commerce Times by spokesperson Jessica Bettencourt.

“To launch this attack, its authors have carefully created a destructive malware disguised as ransomware,” Kaspersky noted. “While some parts of this destructive malware still operate as original building blocks, meaning they might be mistaken for ransomware, their true purpose is destruction — not financial gain.”

“Ransomwares and hackers are becoming the scapegoats of nation state attackers,” tweeted Matthew Suiche of Comae Technologies, who separately came to the same conclusion as Kaspersky.

State Sponsorship?

The suspicion of nation-state involvement goes beyond idle speculation. The NATO Cooperative Cyber Defense Centre of Excellence made a similar assessment and raised the specter of invoking Article 5, possibly designating the cyberoperation as similar to an armed attack that would invoke a military response.

“In the case of NotPetya, significant improvements have been made to create a new breed of ultimate threat,” said Bernhards Blumbergs, a researcher at the CCD COE.

For the latest attack, the malware was developed more professionally than the “sloppy WannaCry,” he noted. Instead of searching the entire Internet, the malware searches for new hosts to infect, going deeper into local computer networks.

The attackers used the stolen EternalBlue exploit that the Shadow Brokers stole from the National Security Agency, the CCD COE confirmed.

The attack was too sophisticated for unaffiliated hackers to put together as a practice run, its researchers concluded.

Further, it was unlikely that cybercriminals were behind the attack, as the method for collecting ransom was so poorly designed that they would not have been able to collect enough to cover the cost of the operation, they pointed out.

While the think tank is accredited by NATO and financed by member nations, it does not speak on behalf of the alliance, a spokesperson for the CCD COE told the E-Commerce Times.

Neither WannaCry nor Petya utilized sophisticated revenue-collection methods, which suggests the campaigns may have been designed for “geopolitical deception or information operations designed to sow chaos in a rival political information space,” Kenneth Geers, a NATO CCD COE ambassador, told the E-Commerce Times.

Russia was behind the Petya attack, according to the Ukrainian security agency SBU. The malware impacted numerous Ukranianan business and infrastructure targets, including the international airport and Chernobyl nuclear plant, before spreading worldwide.

Petya exhibited similarities to the 2016 Black Energy attacks that hit the Ukranian power grid, the SBU pointed out.

Extensions used in the recent attack were very similar to those of BlackEnergy’s KillDisk wiper in 2015 and 2016, Kaspersky researchers noted.

In collaboration with Palo Alto Networks, Kaspersky found certain similarities in code design, but the firms could not say for certain whether there was an exact link.

“As in the case of WannaCry, attribution is very difficult, and finding links with previously known malware is challenging, said Costin Raiu, director of Kaspersky’s global research and analysis team.

“We are sending an open invitation to the larger security community to help nail down — or disprove — the link between Black Energy and Ex Petr/Petya,” he told the E-Commerce Times.

The Petya outbreak displayed similarities with the 2016 Ukraine attack, said Anton Cherepanov, ESET malware researcher.

There were links to the TeleBots used against Ukrainian financial institutions, he told the E-Commerce Times, as well as a Linux version of the KillDisk malware the attackers deployed.

North Korea is the likely culprit behind the WannaCry attack, in the view of a number of cybersecurity experts who noted code similarities to the 2014 Sony hack.

“North Korea is isolated and already under tight international sanctions, so cyberattacks offer Pyongyang the opportunity from time to time to sucker punch the west,” said Kaspersky’s Raiu.

However, nailing down the attribution for the Petya attack has been more difficult than tracing the Sony attack’s origins, he suggested.

No Way to Collect Ransom, No Way to Restore Data

U.S. officials have not attributed the attack publicly to any particular organization or state, but the Department of Homeland Security’s U.S. Computer Emergency Readiness Team earlier this month put out an alert with a technical analysis on the Petya malware attack, which DHS still referred to as “ransomware.”

The Petya variant encrypts victim’s files with a dynamically generated 128-bit key and creates a unique ID for the victim, the report states.

There is no apparent relationship between the victim’s assigned ID and the encryption key, which means there may be no way to decrypt files even if a ransom were paid, it notes.

The Petya variant uses the SMB exploit, as described in the Microsoft MS17-010 security update issued in March, along with a modified version of the Mimikatz tool, which can be used to obtain a user’s credentials, according to DHS.

The damage Petya caused to public infrastructure and private businesses was extensive. Global shipping company A.P. Moeller-Maersk issued an update at the end of June saying it expected to return to an almost-normal operational environment by July 3, but warned it would take longer to restore all applications and workstations.

Maersk IT chose to shut down all systems during the attack to contain the issue, Signe Wagner a spokesperson for the company, confirmed to the E-Commerce Times.

She did not have access to her own email for several days, she said.

Merck & Co. confirmed that it was hit by the malware despite having installed updated patches, but noted that it had implemented business continuity plans.