The motive behind Tuesday's ransomware attack that sowed chaos in Ukraine and around the world has emerged as a key mystery, especially as some researchers begin to reclassify the campaign as a wiper attack.
While efforts to pinpoint attribution and motive are premature, there is already a contingent of experts who suspect that disruption, not money, was the true motivation for launching the attack. Others went further and suggested that Russia-sponsored hackers may have had a hand in the incident.
Noting a clear distinction between the malware from Tuesday's attack and the Petya ransomware it was originally identified as, researchers have assigned several new names to the malware, including NotPetya, ExPetr and NyetYa. (It has also previously been referred to as PetrWrap and GoldenEye – but for consistency purposes, SC Media will refer to it as NotPetya.) SecureWorks reported that while the extortion message displayed by the new malware is reminiscent of Petya, there is no overlap in code between the two.
Additionally, Kaspersky Lab has officially designated the malware as a wiper, noting that it is impossible for the attackers to decrypt victims' disks, even if they pay the ransom fee. "This reinforces the theory that the main goal of the... attack was not financially motivated, but destructive," Kaspersky noted in an updated blog post. Comae Technologies founder Matt Suiche independently arrived at the same conclusion, he reported via blog post.
In an email to SC Media, Malwarebytes estimated that, conservatively, "we are looking at a number at least in the tens of thousands of systems infected." Breaking these numbers down further, however, it's apparently that a significant percentage of infected systems reside in the Ukraine.
Symantec Corporation on Wednesday released a chart of the 20 countries with most organizations affected by Petya. Unsurprisingly, Ukraine was most significantly impacted, with close to 140 organizations infected. The U.S. was number two, with a little more than 40 companies infected. (However, that the U.S. ranked only 11th in terms of total share of worldwide infected machines, according to Kaspersky.) Russia, France and the U.K. had the next highest number of infected organizations.
It is now widely accepted that the attack most likely started when hackers allegedly compromised the update server of Ukrainian accounting software company MeDoc so that it would dispense NotPetya to unsuspecting victims. Indeed, Check Point Software Technologies has reported that in May the same company is suspected to was involved in the distribution of XData ransomware.
Of course, the ransomware's heavy toll on Ukrainian organizations is suspicious, considering that the former Soviet nation's power grid and other key assets have been the frequent target of Russian state-sponsored hackers. The attack also fell on Constitution Day, a national holiday for Ukraine. Naturally, this has led some to cast suspicions on the Kremlin as a possible culprit, even though some Russian companies were hit by NotPetya.
“The Ukraine continues to be in the cross hairs of persistent cyber attackers, said Edgard Capdevielle, CEO of Switzerland-based Nozomi Networks. "Whether you believe the Ukraine is a test-bed for nation state aggression... [or that this is] an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing."
Tom Kellermann, CEO of Strategic Cyber Ventures, was more blunt in his assessment: "The cyber siege of Ukraine hearkens the escalation of the conflict along the border with Russia. This cyber pulse is being directed by the Kremlin and is using cyber militias... to take down critical infrastructure. This should serve as a warning to NATO members that Putin is ready to take the gloves off.”
Kellermann's colleague Hank Thomas, COO of Strategic Cyber Ventures, added that the Russians "appear to be expanding their multi domain approach to their current campaign. Expect for there to be destructive attacks in the near future facilitated by cyber means."
A Wired report on Wednesday cited a number of Ukrainian officials who laid blame at Russia's feet, including Roman Boyarchuk, head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection. "This is definitely not criminal. It is more likely state-sponsored," said Boyarchuk, noting that it would be difficult to imagine any country other than Russia targeting Ukraine in this manner.
In the same report, Oleksii Yasinsky, forensic analyst at Kiev-based Information Systems Security Partners, stated that the ransomware's ability to wipe a hard drive's master boot record is a hallmark of the Russian APT group Sandworm, which is believed to have disrupted the Ukrainian power grid offline in December 2015 and January 2016.
Regardless of who the perpetrators actually are, experts are also skeptical that financial gain is the true motive behind the attack. Observers are already noticing that, much like with the WannaCry campaign, the attackers don't seem to be profiting much from their efforts.
For instance, Kevin Magee, global security strategist at Gigamon, reported that as of 7 p.m. ET on July 27, the attackers had received only 33 ransom payments totaling less than $8,600 in Bitcoin. "While the attackers might be excellent coders, it seems that they are lousy criminals," said Magee. "How is it that an attack this prolific and noisy with global impact, just can't seem to generate a significant profit? Which makes me wonder: What is the real motivation behind these attacks [and is there] a more nefarious and long-term purpose to them other than simply making money?"
In a blog post on Medium, Gavin O'Groman, an investigator on Symantec's Security Response team, offered two theories behind the attack: One, the culprit is a criminal who made a foolish mistake using a single bitcoin wallet, and single e-mail account that was quickly suspended, cutting off his means of communicating with victims. Or two, the attack was actually meant to cause disruption, and the ransomware element was merely a diversion.
"Launching an attack that would wipe victim hard drives would achieve the same effect [as NotPetya]; however, that would be an overtly aggressive action," said O'Groman. "Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: Are the attackers politically motivated, or criminally motivated?"
"Based on the current data, I'm inclined to believe the motive behind the Petya attacks may be the second option," O'Groman concluded.
Yonathan Klijnsma, threat researcher at RiskIQ, agreed that the payment component of the attack "doesn't seem like it was meant to function or scale well, meaning the actors involved may be more interested in mayhem and destruction than money." Klijnsma also observed that the specific types of files targeted and encrypted by NotPetya indicated that the attackers were zeroing in on business users, not individuals.
NotPetya: The Latest Analysis
In other developments, an updated blog post from Cisco Talo states reports of Petya spreading to some organizations via email – for example, using phishing campaigns – “cannot be confirmed.” What researchers have confirmed is that, outside of the malicious MeDoc update, the ransomware further propagated itself via wormable tools and components including the Microsoft Windows EternalBlue SMB exploit, the Windows Management Instrumentation Command-line (WMIC) interface and the telnet alternative PsExec, and a credentials stealing tool.
Kaspersky Lab issued a statement warning victims that there is "little hope for victims to recover their data" once NotPetya encrypts their hard disks, even if they were to pay the ransom. "To decrypt a victim's disk, threat actors need the installation ID. In previous versions of similar ransomware… this installation ID contained the information necessary for key recovery. [NotPetya] does not have that, which means that the threat actor could not extract the necessary information needed for decryption." NotPetya simulates a CHKDSK screen while it is secretly encrypting files, before ultimately revealing a ransom note that demands $300 in Bitcoin.
IntSights Cyber Intelligence in Israel also reported discovering some personal details that were used to register domains and IPs linked to NotPetya. This includes the emails and aliases "email@example.com", "firstname.lastname@example.org", "javad fooladdadi", and "antonio jose de maia santos". These details are linked to a previously discovered IoT botnet that infects GoAhead and other OEM cameras, as reported last April by Netlab.