Petya: Using blast radius to deduce attribution

As the global ransomware attack dubbed Petya continues to proliferate, identifying the culprits is an important piece of the puzzle. At this point, it's prudent to start ruling out who it does not appear to be through a process of elimination.

While there was clear forensic evidence connecting the code used by the WannaCry actors to the Lazarus group from North Korea, it is far too early to determine who is behind Petya. One of the first things I consider regarding potential attribution is the blast radius of the victims. Sometimes the blast radius cannot tell you who the culprits are, but in some cases it can tell you who they likely are NOT.

In the case of Petya, I would rule out the usual suspects: the more professional ransomware gangs that operate out of Eastern Europe and Russia. The first organizations affected in this attack were in the backyards of where those actors base their operations. While there are many theories of potential connections between the Russian government and these criminal gangs, logic tells you that it is not smart for these gangs to attack organizations in the legal jurisdiction in which they reside. In the past, they have been very careful not to upset their host nations.

A main difference between Petya and WannaCry is that Petya appears to be kicked off with a phishing email that gives the actors an initial foothold, whereas WannaCry spread like an out-of-control worm. Once Petya penetrates an enterprise network, early reporting indicates it spreads like WannaCry, using the EternalBlue tool harvested from the Shadow Brokers leak of nation-state tools. This means the actors behind Petya were likely targeting Eastern Europe and Russia. Not smart if your base of operations is in Eastern Europe and Russia. So I would look beyond any of the "usual suspects."

The big question remains: is this a new and improved version of WannaCry perpetrated by the same North Korean group? Perhaps; the blast radius of this attack is very much like WannaCry's. However, I think it is too early to make the call until forensic samples are analyzed. There is another complexity to think about, even if a forensic link to North Korea is found. A sophisticated actor with other motives for impacting Eastern Europe and Russia could leave forensic breadcrumbs to implicate the North Korean actors. Maybe a Middle Eastern actor who is not happy with Russian policy in Syria. The approach of modifying the master boot record of the impacted systems to encrypt the victim's system does seem very Shamoon-like in nature; Shamoon was used to attack Saudi Aramco and RasGas, where it destroyed the master boot record and wiped tens of thousands of hard drives. Those attacks were ultimately attributed to Middle Eastern actors.

While it is far too early to speculate on who the culprit is for Petya, I think it is safe to rule out the usual Eastern European gangs. We will still need another week or so for a clearer picture before we point the finger.
