Cyber security firms reported on Wednesday that the ExPetr/NotPetya global ransomware attack was, in fact, a data wiper malware campaign. Researchers also traced the origins of the threat to vulnerabilities in MEDoc, a Ukrainian tax accounting software used by companies worldwide.
Matthieu Suiche of Comae Technologies was particularly incisive about the true nature of the attack claiming the software is part of a “nation-state attack” targeting global economies and Ukraine in particular.
Kaspersky Labs and Microsoft’s Malware Protection Center both noted in recent analyses the fact that this was indeed not the behavior of a ransomware scheme, and that it could even signal worse campaigns with similar characteristics to come in the future.
ExPetr/NotPetya infected data cannot be recovered
ExPetr, NotPetya, Nyetya, Petya.2017, and even GoldenEye are some of the names different cyber security firms, and tech outlets are giving to the recently discovered data wiper outbreak that started Tuesday morning. Regardless of what you call it, it seems that its endgame is to cause chaos and not make money.
Researchers have reached the same conclusion upon closer inspection of the malware. As noted by early reports, it shares some strings of code with Petya, and it is a heavily modified threat that also borrows some of its schemes from EternalBlue and EternalRomance.
After infiltrating and obtaining credentials used to spread laterally and vertically throughout corporate networks, the custom data wiper targets the first 25 sector blocks of the systems’ disks, rendering following sectors unsalvageable and doing “permanent and irreversible damages to the disk” according to Comae.
Damage and chaos are the objectives, not money
Experts have been able to trace the ground zero of the NotPetya worm to a security flaw in the tax accounting software MEDoc and its update platform. Hackers were able to use this exploit and spread the malware to all the companies using the Ukrainian program.
Considering Ukraine has only two approved accounting software packages, it becomes evident why 80% of the national economy was hit by ExPetr. The fact that companies who make business in Ukraine also have to use it for tax accounting purposes explains some of the unlikely targets who have surfaced globally.
Many specialists have said that the apparent ransomware attack, in fact, brought new levels of trickery to the tables, as it disguised itself as a different cyber threat only to come out as something much, much worse.
Whereas Petya and past ransomware schemes provided victims with a way to recover their files, NotPetya is in no way designed to do such a thing. The supposed key shown as installation ID on the infected screen is just bogus data, making all efforts to recover anything virtually useless.
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
What’s more, researchers have said that a clue hint that this was never about the money was the fact that the whole ordeal involved people manually making transactions and providing data to hackers. These exchanges are usually way simpler, yet stable and structured to keep the revenue stream active.
As reported yesterday by several news sources, the email account linked to the hackers’ Bitcoin wallet was taken down within hours of the first incidents, leaving targets without a channel to try to recover their data.
Although we now know it would’ve been pointless, the perpetrator still made with a couple of thousand dollars in Bitcoin before that part of the operation was shut down. Besides, some theories further suggest the attack might have been politically motivated, after seeing such a strong push in Ukraine.
Comae Technologies implies that recent hacking attacks targeting Ukraine’s national infrastructure and physical attacks threatening the life security of government officials suggest NotPetya is just the latest “nation state” initiative against the country in an ongoing wave of terror.
Investigations are still underway to track down the cyber criminals responsible for the attack. Firms forecast that the MO of the attack and its effectiveness in fulfilling its objective make for a real troublesome scenario in months to come.