Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/29/2017
07:23 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Decrypting the Motivations Behind NotPetya/ExPetr/GoldenEye

Experts discuss the methods and targets involved in this week's massive malware outbreak to figure out what motivated attackers.

This week's massive ransomware outbreak has left security experts grappling to understand the "who" and "why" behind the attack, which mostly affected organizations in Ukraine and also reached businesses in an estimated 60 countries.

The malware at work is going by several names. Many researchers, noting similarities with the Petya malware, have simply declared this malware Petya. Others call it NotPetya. Some call it GoldenEye, which is a variant of Petya. Kaspersky Lab found similarities with a Petya modification called PetrWrap, and has dubbed it ExPetr.

Experts are piecing together the many updates and findings about this malware to figure out what happened.

"It's really, really hard right now to identify motivation," says Adam Kujawa, head of malware intelligence at Malwarebytes. "A lot of the security industry is struggling to figure out what's going on and why it's happening."

However, a few findings could help determine the motivation behind this attack:

Ukraine was a target

All of its many nicknames refer to the same malware, which has been largely wreaking havoc through MeDoc, an accounting software primarily used in Ukraine. Analysis indicates MeDoc's update server was compromised and as a result, any machine running the software would be hit with malware during an automatic update. From there, it rapidly spreads to other machines.

MeDoc is required software in Ukraine, an interesting and critical point in discussing the attacker's motivations. Some reports state the country's computer infrastructure was likely the primary target.

Travis Farral, director of security strategy at Anomali, says it's interesting that this malware only spreads within an organization and not outside it. It could cripple organizations in Ukraine; in most cases, the outside companies affected either did business in Ukraine or worked with third parties that did business there.

"One could make the argument that they wanted to limit it to Ukrainian institutions because they had no mechanism to go beyond this targeting," he explains. "Anyone running the software is at risk."

This was never about money

"It doesn't appear financial gain was the intent," Kujawa says. "A lot of analysis has come to light saying it wouldn't be possible to decrypt the files anyway."

The malware overwrites the Master Boot Record (MBR) and encrypts individual files matching a list of file extensions. It requests $300 in Bitcoin to decrypt the system but despite an estimated $3,000 in payments, there has been no record of victims successfully decrypting their files.

While the malware is technically based on ransomware, Kujawa describes it as "wearing a ransomware costume." He suggests the actor intentionally made decryption impossible as a means of disrupting operations and harming users wherever it hit.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Farral says it's interesting that the actors put significant engineering effort into making the malware spread throughout the victim business but did not put a lot of effort into being able to collect ransom. Even WannaCry had multiple Bitcoin wallets, he notes.

"A piece of ransomware like that should be focused on gathering money for its operators," says Bitdefender senior security analyst Bogdan Botezatu. Here, he says, this was not the case.

"This was not a technique used for moneymaking," he says. "This is a technique used for destroying data and disrupting businesses."

Critical infrastructure was a target

Kaspersky analysis indicates more than 50% of businesses targeted by this malware are industrial companies. Threats like this are especially dangerous for critical infrastructure because they can potentially affect the victim's automation and control systems.

Botezatu also says the first entities to get infected were critical infrastructure networks like airports, gas and utility companies, public transportation, and banks. "We realized there were more businesses affected than regular consumers," he explains.

It could be a hacktivist ... or a nation-state

"This doesn't have the same signs as state-sponsored malware, at least from the bigger countries we've seen in cybercrime,"  says Kujawa, noting that nation-state threats are typically more secretive.

This could lend credibility to the idea that this was conducted by a hacktivist or black hat organization trying to bring awareness to the insecurities of the modern Internet. It's a loud attack, one that makes it seem like someone is trying to garner attention.

However, Farral says, this lack of complexity could also indicate a nation-state trying to cover its tracks.

"This hit Ukraine very broadly," he notes. "If you want to disguise you're a nation-state and did that, you could make it look like another WannaCry-type ransomware that's designed to spread using the same mechanisms. In that way there's plausible deniability -- this isn't a nation-state, it's just a hacker trying to make money."

Ido Wulkan, intelligence team lead at IntSights, says this threat actor has done damage before.

"What we know for sure is this threat actor has been around for at least two months and has been involved in previous campaigns," he says, recalling similarities between this incident and a campaign for infecting IoT botnets for DDoS attacks two months ago.

While Wulkan suggests this threat is more sophisticated, state-sponsored threats are typically more advanced. However, if the goal was sabotage, there is no need for using undiscovered malware. Even some state actors are reusing tools or using common tools to cover their tracks.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.