As more details emerge about Tuesday’s massive ‘Petya’ ransomware outbreak security researchers are leaning towards the theory it was designed to wipe systems rather than make money.
If the Petya/NotPetya ransomware attackers were really after money why would they make it so difficult for victims to pay? Why use an email address for supplying the decryption key that could be disabled, as it was, within hours of the outbreak? And would a savvy criminal use a single Bitcoin wallet that can be easily monitored by police?
While international giants like Maersk, FedEx’s TNT Express, Australia’s Cadbury and many other firms were impacted by Petya/NotPetya , there’s a growing set of indicators that the attack was specifically aimed at disrupting computer systems in the Ukraine under the guise of a financially motivated ransomware attack.
The attacks started in the Ukraine and Russia, but systems in the Ukraine have been the most widely affected. Ukraine’s Cyber Police reported today it had received 1,500 reports of NotPetya infections. It’s also received official statements from 152 business and 26 public sector organizations regarding NotPetya disruptions.
Microsoft confirmed that some of the earliest infections stemmed from a comprised update from the Ukrainian accounting software package MEDoc. The software is one of two authorized accounting programs for tax-paying organizations in the Ukraine.
Matte Suiche, founder of Comae Technologies, concluded the ransomware is a wiper rather than financially driven ransomware after comparing a version of Petya from 2016 to the one unleashed this week. As Microsoft noted in its analysis, NotPetya shares some similarities to the 2016 variant but is more sophisticated.
Despite the apparently superior development effort behind NotPetya, Suiche found the earlier variant correctly modified the disk so changes could be reversed, whereas the 2017 variant causes permanent damage to the disk.
The second indicator this was not a money making exercise is that the email address victims were supposed to use to confirm payment and receive the decryption key was disabled. This happened within hours of the attack’s launch on Tuesday.
Kaspersky researchers came to the same conclusion as Suiche but analyzed the unique installation key displayed in the ransom message on each infected machine. Again, if victims could send this to the attacker’s email address, they would not be able to receive a unique decryption key. That’s because the ID’s string of characters was just random data, not a uniquely generated ID key. In previous versions of Petya this was done correctly, offering victims a way to acquire a recovery key.
“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” wrote Kaspersky researchers.
“This is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”
Information security researcher the Gruqq came to the same conclusion. Before Suiche and Kaspersky published their respective analyses, he noted the payment pipeline for this malware was so poor that it may as well have asked victims to pay a cheque by post.
“The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”
The main priority of NotPetya’s developers it seems was rapid propagation aimed at any organization that does business in Ukraine.
Gavin O’Gorman from Symantec’s Security Response team also believes the malware was far better effective at disrupting victims and sowing confusion in Ukraine than it was at earning money.
“Non-Ukrainian organizations were affected, however, this may have been unintentional. There was no attempt to spread across the internet by attacking random IP addresses,” he noted in a Medium post.