Petya may indicate the start of real cyberwar. This week’s newest ransomware attack is technically similar to the WannaCry (aka WannaCrypt) cyberattack. However, the intent, and the results, are quite different – one wants to make money, the other to destroy data.
Both Petya and WannaCry are the results of an exploitable flaw in many versions of Windows. Microsoft learned about the flaw after NSA data was stolen, and quickly issued an effective patch. However, many customers have not installed the patch, and therefore, their systems remained vulnerable. Making the situation more complicated, many of those Windows system used pirated versions of the operating system, which means that the system owners may not have been notified about the vulnerability and patch – and not all may have been able to install the patch in any case, because Microsoft verifies the license of Windows during upgrades.
As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release signatures to detect and protect against the malware.
Based on our investigation, the malware was initially delivered via a Ukrainian company’s (M.E.doc) update service for their finance application, which is popular in Ukraine and Russia. Once the initial compromise took hold, the ransomware used multiple tools in its arsenal to spread across impacted networks. If unpatched, the malware uses vulnerabilities CVE-2017-0144 and CVE-2017-0145 to spread across networks. Microsoft released MS17-010 in March that addressed the vulnerabilities exploited by Petya. If that technique was not effective, the malware uses other methods like harvesting of credentials and traversing networks to infect other machines. (read the Microsoft Malware Protection Center analysis here for more details.)
The information from the Malware Protection Center goes into considerable technical detail – it’s fascinating, and worth reading if you like that sort of thing.
Analysts now believe that Petya is something new: The malware pretends to be plain old ransomware – but is actually intended to steal passwords and destroy data. In other words, it’s a true weaponized cyberattack. To quote TechCrunch:
Petya appears to have been modified specifically to make the encoding of user data irreversible by overwriting the master boot record. The attackers’ email address also appears to have been taken offline, preventing ransoms from being paid.
Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.
Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.
Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.
This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.
Petya: A Test for Bigger Cyberwarfare?
There is considerable chatter that Petya is a test to see how well this specific malware distribution methodology works, with a nasty but limited malicious payload primary intended to harm Ukraine. It’s clear that the methodology works, and as long as administrators put off patching their servers, these sorts of attacks will succeed. The next one might be a lot nastier. First WannaCry, then Petya. What’s next?