Petya May Not be the Ransomware Everyone Thought it Was

Is Petya a more destructive version of WannaCry? Is it even ransomware at all?

While it has already been established that Petya may have been preventable if patches were kept up to date, what is less clear, and what the cybersecurity community at large is still trying to figure out, is what Petya, or as some have called it, NotPetya, actually is. Is it a more destructive version of WannaCry? Is it even ransomware at all?

The latter is something that information security researcher Grugq explored in an analysis on Tuesday. He said that although the “not-really ransomware” is “camouflaged to look like the infamous Petya ransomware; it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)”

“Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’)

“The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”

Matt Suiche, a Microsoft MVP and founder of Comae Technologies, said this latest “version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.”

On his blog, Suiche goes into detail about why Petya isn’t ransomware and about its similarities with Petya 2016. He said, “The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.” As of Wednesday, the new version of Petya/NotPetya raised only $10,000.

Though the investigation into the attack is still very much ongoing, many believe that Ukraine was the intended target of the attack, and the other countries where it appeared were casualties. Indeed, most infections were detected in Eastern Europe; according to Symantec, as of Tuesday morning U.S. time, more than 60 percent of infections they saw were in Ukraine.

In some cases, according to WIRED, Petya infected victims by “hijacking the update mechanism of a piece of Ukrainian accounting software called MeDoc.” But Microsoft researchers said Tuesday “that a few active infections of the ransomware initially started from the legitimate MEDoc updater process.”

In a detailed post describing the attack, Microsoft said that Petya is especially destructive because of its lateral movement capabilities.

“It only takes a single infected machine to affect a network,” Microsoft said. “The ransomware spreading functionality is composed of multiple methods responsible for: stealing credentials or re-using existing active sessions; using file-shares to transfer the malicious file across machines on the same network; using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines.”

Microsoft reassured customers that it had automatically delivered updates to all of its free anti-malware products.

At least one IT pro is feeling the pain as his unnamed organization works to get its PCs up and running after falling prey to Petya. “We were pretty patched up against MS17-010, obviously mustn't have been 100%, but even then, if 1 single PC gets infected and the virus has access to Domain Admin credentials then you're done already,” he said.

Those admins who blame patching fatigue for not being up to date are probably losing a lot of sleep as they race to patch their networks before the next ransomware, or not-ransomware, hits.
