Those responsible for the Petya cyberattack that began Tuesday in Ukraine and Russia don't appear to be in it for the money, some security researchers have concluded. The new malware might also have a different source than the original Petya ransomware, which made its first appearance in 2016.
These are just a few of the new details emerging about the malware that has affected at least 12,500 machines around the world, crippling systems operated by the Kiev airport, Russian energy firm Rosneft, Danish shipping giant Maersk, international marketing firm WPP, and even the chocolate-maker Cadbury. For example, to continue taking bookings from shipping customers, Maersk reverted to handling orders manually, the shipping site Splash 24/7 reported.
While Petya first appeared to be ransomware, which encrypts a victim's computer files and demands payment for decryption, the malware seems more likely to have been intended to cause chaos, researchers at Kaspersky Lab and Comae Technologies said during a webinar yesterday. With the creator of the original Petya ransomware calling the new malware "notpetya," investigators are also seeking to identify which individuals, organizations, or state actors might be responsible for this week's attacks. The malware has also been dubbed Nyetya, Pnyetya, and PetrWrap.
'A Wiper Not Ransomware'
"After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims' disk, even if a payment was made," Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov wrote Wednesday on the company's SecureList blog. "This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware."
Matt Suiche, founder of Comae Technologies, reached the same conclusion, noting in a commentary on Medium Wednesday that Petya.2017 is a wiper not a ransomware.
"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," Suiche said, referring to a wiper malware that hit tens of thousands of Saudi Aramco machines in 2012. "The attacker took an existing ransomware which he repackaged."
In addition to having a large number of Petya victims, Ukraine has also recently been hit by a power grid attack and a car bombing that killed a Ukrainian military intelligence officer, Suiche added, suggesting that Petya might be "pretending to be a ransomware while being in fact a nation state attack."
One of the early vectors for spreading the Petya infection appears to have been MeDoc, accounting software used by tax-paying businesses in Ukraine. Some international companies that do business in Ukraine also use the MeDoc software.
"Interestingly, it seems that Maersk was also using MeDoc," a security researcher who goes by the online name the grugq wrote Tuesday in a post on Medium. "In fact, everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages.) So an attack launched from MeDoc would hit not only Ukraine’s government but many foreign investors and companies."
'Attack Could Have Been Prevented'
"There is currently little chance files can be recovered by paying the ransom," MalwareTech, the British security researcher who helped put a stop to last month's WannaCry attack by activating that ransomware's built-in kill switch, said on his blog this week. However, Amit Serper, a researcher at the cybersecurity firm Cybereason, identified a "vaccination" method that could kill the Petya infection before it began encrypting files.
"There are a few interesting things to say about the current ransomware Petya," the cybersecurity company Kryptos Logic added Wednesday in a blog post. "One thing is clear, there is no 'kill-switch.'"
Like WannaCry, Petya acts via "EternalBlue," a Microsoft vulnerability that was exploited for years by the National Security Agency before being stolen and then revealed by the Shadow Brokers hacking group in April. Such attacks can be prevented by keeping up to date with system updates, many security experts have noted.
"This attack could have been avoided, and the ones we will see in the future can be avoided too," the security company Check Point said Wednesday on its blog. "With more than 93% of enterprises failing to deploy the technologies available to protect them from these kinds of attack it is not surprising that they are spreading so quickly. As such business must deploy the solutions that prevent these types of attacks, and keep their security patching regimes up to date."