Emerging Consensus: ‘NotPetya’ Was Built to Kill Disks, Not Ransom Them
The single email address for ransom payments to NotPetya creators was quickly blocked by email host Posteo. (Image: Mikko Hypponen)
Computer security experts say the file-encrypting malware that wreaked havoc worldwide starting on Tuesday was likely never intended to make its creators rich. Instead, the malware appears to have been designed to wipe data on PCs and ensure that there is no chance that it could ever be recovered.
Analysts continue to pick apart “NotPetya,” which loosely resembles another type of ransomware that emerged last year called Petya. NotPetya is also being called SortaPetya, Petna, ExPetr, GoldenEye and Nyetya.
Not all of NotPetya’s mysteries have been unraveled, as computer security experts attempt to extract clues and possibly infer intent from the code. But there is a rapidly emerging consensus that NotPetya was not designed to be a moneymaker.
“The main point is that the ransomware is a cover,” writes Matt Suiche, managing director of Dubai-based incident response firm Comae Technologies. “Now we can say this conclusion [is] based on multiple technical attributes.”
Ransomwares and hackers are becoming the scapegoats of nation state attackers. Petya is a wiper not a ransomware.https://t.co/lkrfWMw2Zl
— Matthieu Suiche (@msuiche) June 28, 2017
Camouflage For What?
After first striking government agencies and businesses in Ukraine on Tuesday, NotPetya spread to more than 60 other countries and infected thousands of Windows computers. The attack was launched just before Constitution Day in Ukraine, which is June 27 (see Massive Malware Outbreak: More Clever Than WannaCry).
Ukraine has seen a steady stream of cyberattacks, including against its power stations, as tensions continue to simmer over Crimea, which Russia annexed in 2014.
Oleh Derevianko of Information Systems Security Partners, a Ukrainian security company, writes on Twitter that “we pretty much agree” with the idea that NotPetya “wasn’t a ransomware attack.”
So if NotPetya is camouflage for some other operation, as Suiche suggests, what was its creators’ goal?
Theories abound. Derevianko, for example, suggests in a tweet that “this invasion has multiple purposes – from ‘destroy now’ to ‘clean up’ evidence of previous APTs and training coordinated cyber operations.”
Pervasive Payment Flaws
Problems with the malware would appear to bear out these theories.
For example, infected computers display a message asking for $300 in the virtual currency bitcoin. Victims are supposed to send an “installation ID” that’s displayed on a locked computer’s screen to an email address controlled by the attackers.
Ransom note attached to NotPetya. (Source: Microsoft)
With most ransomware attacks – at least the ones that appear to generate profits for cybercriminals – each victim is supplied with a unique bitcoin address, which lets the attackers tell who has paid. NotPetya gives the same address to every victim. Furthermore, the listed email was an account hosted by the German company Posteo, which quickly shut the account down, making it impossible for victims to reach the attackers.
Even if a victim paid the ransom, security firm Kaspersky Lab suspects that NotPetya’s developers can’t decrypt any computers.
And there’s yet another flaw, which the Russian company detailed in a blog post on Wednesday. In NotPetya’s case, the installation ID, which a victim who has paid must send to the attackers so that they can return the decryption key, consists solely of random data.
“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov write.
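The point Kaspersky Lab is making can be shown in miniature. The following is an added example, not code from the article or from any of the analysts quoted: it contrasts an installation ID that wraps the victim’s key under a secret only the operator holds (so the operator can unwrap it after payment) with an ID that is simply random bytes, unrelated to the key. The HMAC-based wrapping scheme, the constant `OPERATOR_SECRET` and the helper names are assumptions made for illustration; they are not NotPetya’s or Petya’s actual cryptography.

```python
"""
Added example (not from the article): why a random installation ID makes
decryption impossible even for the ransomware's own operator.

The key-wrapping scheme and OPERATOR_SECRET are assumptions for illustration,
not the real cryptography of Petya or NotPetya.
"""
import hashlib
import hmac
import os

KEY_LEN = 32      # per-victim disk-encryption key length (assumed)
NONCE_LEN = 16    # per-victim nonce carried inside the ID (assumed)

# Secret known only to the ransomware operator (assumed). In a real
# key-escrow design this role is played by the operator's private key.
OPERATOR_SECRET = b"operator-master-secret-for-demo"


def _wrap_pad(secret: bytes, nonce: bytes) -> bytes:
    """One-time keystream derived from the operator secret and a nonce."""
    return hmac.new(secret, b"wrap|" + nonce, hashlib.sha256).digest()[:KEY_LEN]


def recoverable_installation_id(victim_key: bytes) -> str:
    """Extortion-grade design: the ID is the victim key wrapped under the
    operator secret, so the operator can unwrap it once the victim pays."""
    nonce = os.urandom(NONCE_LEN)
    pad = _wrap_pad(OPERATOR_SECRET, nonce)
    wrapped = bytes(a ^ b for a, b in zip(victim_key, pad))
    return (nonce + wrapped).hex()


def random_installation_id() -> str:
    """NotPetya-style ID: random bytes with no relationship to the key."""
    return os.urandom(NONCE_LEN + KEY_LEN).hex()


def operator_recover_key(installation_id: str) -> bytes:
    """Everything the operator can compute from the ID alone."""
    raw = bytes.fromhex(installation_id)
    nonce, wrapped = raw[:NONCE_LEN], raw[NONCE_LEN:]
    pad = _wrap_pad(OPERATOR_SECRET, nonce)
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def decryption_possible(installation_id: str, victim_key: bytes) -> bool:
    """Analyst's question: does the ID carry enough to reconstruct the key?"""
    return hmac.compare_digest(operator_recover_key(installation_id), victim_key)


def demo() -> dict:
    """Run both designs against one freshly generated victim key."""
    key = os.urandom(KEY_LEN)
    return {
        "escrowed_id_recovers_key": decryption_possible(recoverable_installation_id(key), key),
        "random_id_recovers_key": decryption_possible(random_installation_id(), key),
    }


if __name__ == "__main__":
    print(demo())  # {'escrowed_id_recovers_key': True, 'random_id_recovers_key': False}
```

The check that matters for an analyst is the second line of `demo()`: when the ID generation never touches the key (as Kaspersky reported for NotPetya), nothing the operator holds can turn the ID back into the key, so a paying victim gets nothing back regardless of the attackers’ intentions.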
True Aim: Wiping
Rather than functioning as ransomware, the two Kaspersky researchers believe NotPetya is closer in purpose to a “wiper,” a type of malware that aims to wreck computers by overwriting or erasing critical parts of the operating system. Suiche, writing in a blog post, agrees with this assessment.
Wiper code has been used before, to devastating effect. In 2012, wiper malware rendered thousands of computers unusable at state-owned oil producer Saudi Aramco. The next year, wiper malware was deployed against Linux machines running inside South Korean banks and media companies. And in 2014, Sony Pictures Entertainment suffered a wiper malware attack, unleashed after sensitive emails as well as digital copies of movies had been stolen, which the attackers then proceeded to leak.
What is potentially confusing about NotPetya is that its behavior, at least initially, resembles most ransomware. First, it encrypts a user’s files. Next, it becomes more invasive, by attempting to encrypt the Master Boot Record, the first sector of the disk, which holds the partition table and the code that starts the operating system. After that, the malware schedules the computer to reboot at a random time at least 10 minutes later. When the computer reboots, the malware encrypts the Master File Table, the NTFS database that records every file and directory on the volume.
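Because the MBR is a fixed 512-byte structure, a responder can check quickly whether a machine’s first sector still parses as a sane MBR. The following is an added example, not code from the article or from any of the researchers quoted: it parses the boot signature and the four partition-table entries and applies a few sanity rules. The sample sectors are constructed here, not taken from a real infection. A sector that fails these checks has certainly been overwritten or corrupted; passing them does not prove it is clean, since a replacement bootloader can keep a valid partition table.

```python
"""
Added example (not from the article): triage parser for a raw 512-byte
Master Boot Record, the structure NotPetya overwrites.

Layout (fixed by the MBR format): 446 bytes of boot code, four 16-byte
partition entries, then the 0x55 0xAA boot signature.
"""
import struct

SECTOR = 512
BOOTCODE_LEN = 446
ENTRY_LEN = 16
ENTRIES = 4
# Per entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the partition table of one sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(ENTRIES):
        off = BOOTCODE_LEN + i * ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == b"\x55\xaa", "entries": entries}


def mbr_looks_sane(sector: bytes) -> bool:
    """Sanity rules a healthy MBR satisfies; failure means it was overwritten."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return False
    used = [e for e in info["entries"] if e["type"] != 0]
    if not used:
        return False
    for e in used:
        if e["status"] not in (0x00, 0x80):      # only 'inactive' or 'bootable'
            return False
        if e["lba_start"] == 0 or e["sectors"] == 0:
            return False
    # Partitions must not overlap each other.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            return False
    return True


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


# Constructed samples (not real disk data).
GOOD_MBR = (bytes(BOOTCODE_LEN)                      # boot code irrelevant here
            + _entry(0x80, 0x07, 2048, 204800)       # one bootable NTFS partition
            + bytes(ENTRY_LEN * 3)                   # three empty entries
            + b"\x55\xaa")
# Sector filled with arbitrary bytes but with the signature left intact.
OVERWRITTEN_MBR = (bytes(range(256)) * 2)[:510] + b"\x55\xaa"
# Good table, but the boot signature is gone.
NO_SIGNATURE_MBR = GOOD_MBR[:510] + b"\x00\x00"


if __name__ == "__main__":
    for name, sec in (("good", GOOD_MBR), ("overwritten", OVERWRITTEN_MBR),
                      ("no-signature", NO_SIGNATURE_MBR)):
        print(f"{name:13s} sane={mbr_looks_sane(sec)}")
```

On a live case, `sector` would be the first 512 bytes of the physical disk (or of a forensic image) rather than a constructed constant; comparing the parsed partition table against a known-good backup of the same machine is the stronger test.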
So far, it’s not clear if NotPetya not only encrypts the MBR, but intentionally corrupts it, and there have been some related disagreements – with running commentaries posted online – between Suiche and British security researcher Marcus Hutchins, aka MalwareTech, amongst others.
Regardless, the rapidly emerging consensus – voiced by both Suiche and Hutchins – is that NotPetya is designed to sow chaos.
“I do believe the purpose behind NotPetya was to cause disruption, not make money,” Hutchins says.