NotPetya Wiper Disguises as Ransomware

This week has been quite eventful for the cyber community, as a new massive infection swept across computer systems worldwide. Computer security experts are still baffled about how they should call this new infection, but we are going to use the NotPetya keyword for simplicity’s sake. Mind you; you may also find information on the same attack if you search for ExPetr, PetrWrap, and GoldenEye. All these names are also used to denote the malicious program. At the same time, the abundance of the names used only to prove that there has been quite a lot of confusion about this outbreak, and we are going to try to address that.

NotPetya Ransomware?

The infection first struck systems in the Ukraine and then spread around the globe. According to various news reports, more than 1,500 requests have been received by the Ukraine’s cyber police by this Thursday, asking for help. Those were both, individuals and companies affected by the attack.

While the core of the infection is in Ukraine, reports say that 65 countries have been affected by this outbreak, as well, including Belgium, Brazil, Germany, Russia, and the United States. To illustrate the scope of the infection, we can say that NotPetya crippled computer systems at airports, financial companies, factories, various offices, ATMs, and even in medical centers.

At first glance, this looks like another wave of ransomware infections, especially if you consider that WannaCry went like fire through global computer systems just a month ago. But it also seems that whoever created this new infection wanted everyone to think that it was yet another ransomware.

Researchers also suggested that it could be a new version of the Petya Ransomware that made rounds last year, judging by the similarities in the malicious code. However, after a further investigation, it was determined that the new infection is definitely not related to Petya Ransomware, and hence the name NotPetya.

Ransomware Masquerade

Why would the attackers want us to think that NotPetya is a ransomware infection? The chances are they want to hide behind the WannaCry veil that is still rather thick after the notorious performance last month. The initial impression that this is a ransomware affair is probably a smokescreen, devised to capitalize on the media interest in WannaCry Ransomware. It is almost as though the criminals wanted to hide their tracks, by making the researchers look the wrong way. Various news reports suggest that this is how a state-level attacker wanted to evade being pegged.

So, to put it simply, extortion is not the main objective in this case. Instead, NotPetya focuses on sabotage, and there is further evidence that proves just how inconvenient this application could be as a ransomware infection.

First, we have to take into account the fact that ransomware programs are usually created in a way that would eventually allow the infected user to restore their files. Researchers say that the final installation ID for a decent ransomware program normally contains encryption information that later on has to be used for file decryption. Now, in NotPetya’s case, there is no coherent information in the ID, and the data is absolutely random. Thus, it technically not possible to decrypt the affected files even if there was such thing as the decryption key.

What’s more, the program comes only with one Bitcoin wallet address. Normally, ransomware programs have more than just one Bitcoin address because it is physically taxing to manage payments via one wallet. Also, via NotPetya, users are forced to enter a very long and hard email address by hand, which would logically only push them away from transferring the payment. Finally, the email used by this infection has been blocked by the German email service provider company, and thus, all the ways for possible file decryption have been blocked. But we have already established that there was no way to restore the affected files in the first place.

NotPetya Wiper

Here we come to the current consensus among security researchers. They now agree that this new infection is probably a wiper. It means it has been created for sabotage, to destroy data. Of course, it might look like a ransomware because it demands users to pay $300USD in Bitcoins (no more than $10,000USD have been collected so far), but we already know that it is just a hoax.

And since it looks like a ransomware infection, researchers initially thought that NotPetya spreads through spam emails. However, the installer for this program actually piggy-backs with an update from an accounting firm M.E.Doc. It manages a tax accounting application that is used by almost all companies in the Ukraine. What’s more, the rigged update is not the only one to blame for this. Security services have found that one ISP hosting service might also have been part of the NotPetya distribution network. As a result, the hosting company is already under investigation by Ukrainian security authorities.

Compared to WannaCry Ransomware, this program is a lot more targeted. It is not erratic. It looks like it knows exactly what it wants to infect, and thus the assumption that the program is created to destroy data on target computers only grows stronger. On top of that, unlike the WannaCry infection, NotPetya does not have a switch that would allow us to kill it. It is a lot harder to neutralize it, and even the newest security patches may not help to avoid this infection.

Who Is at Fault?

We know for sure that the original Petya creators are not the ones who released NotPetya in the wild. Shortly after the onslaught, Janus Cybercrime Solutions have tweeted that they would be willing to work on cracking this encryption. We already know that this offer is futile, but it sure shows that there is no correlation between the ransomware program from last year and this new attack.

Security researchers are not so hasty to point fingers, but Ukraine blames Russia for this attack. Keeping in mind the hybrid warfare between the two countries, this claim could be plausible. However, other researchers say that two Russian business giants with operations in Ukraine have also been hit by this infection, and so it would be too far-fetched to say that the Russian government orchestrated this attack. On the other hand, when the stakes are high, it would be quite plausible to believe that the two companies could have been a collateral damage.

It is obvious that NotPetya poses new questions to security experts, as this type of infection is clearly more dangerous than our usual ransomware applications. It is only a matter of time until a similar attack occurs again.

References:

  1. Dell Cameron. Crime Group Behind “Petya” Ransomware Resurfaces to Distance Itself From This Week’s Global Cyberattacks. Gizmodo.
  2. Bill Chappell. ‘Petya’ Ransomware Hits At Least 65 Countries; Microsoft Traces It To Tax Software. NPR.
  3. Dan Goodin. Tuesday’s massive ransomware outbreak was, in fact, something much worse. ArsTechnica.
  4. Reuters. Police Suggest Petya Ransomware Attack Was a Distraction. Fortune.
  5. Tom Spring. ExPetr Called a Wiper Attack, Not Ransomware. ThreatPost
  6. William Suberg. You Betcha Not Petya: New Cyberattack Neither Petya Nor Bitcoin Ransomware. TheCointelegraph.