The intriguing case of NotPetya
On Tuesday evening another large-scale ransomware attack hit Europe – or so we thought. A few days on, the case of Petya – or NotPetya, as it has become known – is still full of interesting little details and intriguing questions that we may never know the full answers to.
There’s a lot of coverage of this campaign out there – check out The Register‘s excellent rundown if that’s what you’re looking for – but I thought I’d pick out some details that stood out to me.
It quickly became clear that one of the malware’s primary distribution methods was through the update servers of a piece of software called MeDoc. This package is one of only two products that firms in Ukraine can use to file their taxes, so the resulting infection hit many organisations.
I previously wrote about the potential negative effects of attacks through malicious updates. If this is something we’re going to see more of in the coming months then users could grow increasingly suspicious of vendors’ updates – perhaps even sticking to vulnerable software instead of updating – and the only people who want to see that happen are the bad guys.
Fool me once…
From that point, one of NotPetya’s means of propagation included exploiting the EternalBlue vulnerability – the same one that aided the spread of the WannaCrypt ransomware and that was patched by Microsoft a while ago. Surely everyone had installed the fix and was safe, right?
Well, no. The malware was smarter than that. Although you’d assume most security teams patched their systems following the last mass outbreak, it turned out that NotPetya only needed one vulnerable and privileged computer to infect a whole organisation. Once it had infected that PC, it would steal credentials and spread via psexec and WMIC.
Keep your friends close…
Another interesting aspect of the attack is that – unlike WannaCrypt – NotPetya was only designed to spread internally. This meant it entered companies’ networks, compromised a system, and then focused its efforts on spreading to other machines within the same network.
This raises some interesting questions when it comes to the attackers’ motivations. NotPetya was primarily distributed to users of software used for processing taxes in Ukraine and was not equipped to spread via the internet. Doesn’t that suggest that Ukraine was a specific target here?
A wiper in ransomware’s clothing
Eventually, it turned out that NotPetya wasn’t ransomware at all – or at least it was unlikely to have been designed to be used that way. Victims were only given one email address to contact to pay the ransom, which was quickly shut down. This meant there was no way for the attackers to receive payment, which was either a foolish move or a sign that their focus was elsewhere.
Closer analysis of the malware revealed that it was not actually capable of decryption at all. This led researchers to believe that whoever launched the attack was more interested in wiping victims’ data and/or causing disruption to businesses and infrastructure than they were in financial gain.
Perhaps the most startling revelation of all, however, was the Ukrainian government’s rather offbeat sense of humour. As news of the attack was spreading on Twitter, its official account tweeted this…
This was the subject of much intrigue for UK and US users, who speculated that the people behind the account didn’t quite grasp the true meaning of the meme. Those more familiar with the country’s culture, however, assured us that it was indeed a quirky joke making light of difficult times. Maintaining Twitter composure during a nationwide attack is quite a feat.
So who was behind the NotPetya attack? Why did they want to target Ukraine specifically? Have we entered a new era of global cyber attacks? Will we see more malware disguised as other malware? Only time will tell, but until then, feel free to speculate in the comments…