Friday, June 30th 2017

Petya/NotPetya: The Ransomware That Wasn't Actually Looking to Ransom Anything

You've heard of the Petya ransomware by now. The outbreak, which had reached around 64 countries by June 27th, infected an estimated 12,500 computers in Ukraine alone and hit several of the country's critical infrastructure operators (which just goes to show how vulnerable our connected systems really are). Ukraine was by far the hardest-hit country, but the wave spread to the Russian Federation, Poland, and eventually the USA (the joys of globalization, eh?). Now some interesting details on the purported ransomware attack have come to light which cast doubt on the whole endeavor. Could it be that Petya (which, for your reference, is also being referred to as NotPetya/SortaPetya/Petna, and as ExPetr by Kaspersky Lab, since it mostly masquerades as that well-known ransomware) wasn't really a ransomware attack at all?
Let's get this clear: there was a ransomware edge to this attack, of that there is no doubt. Petya behaved the way most ransomware does: it encrypted the user's files, overwrote the Master Boot Record with its own boot code, forced a reboot, and then, behind a fake CHKDSK screen, encrypted the NTFS Master File Table before displaying a ransom demand with instructions on how to pay for the return of the encrypted data. The way this was done, however, is unusual to say the least. There are a number of ways to go about collecting a ransom; cryptocurrency wallet addresses are the most common, and this sample does display one, hardcoded, Bitcoin address. What is strange in this whole affair is that the would-be perpetrators asked victims to prove payment by sending their wallet ID and "personal installation key" to a single public email address (hosted by Posteo) and to wait for the decryption key by return. Naturally, Posteo shut the account down as soon as it became clear its service was being used for nefarious purposes (whether or not that was the best course of action is debatable). But this closed the sole channel between the perpetrators and their victims, who could still send money but now had no way to submit proof of payment, nor to receive a decryption key. Now I don't know about you, but a group capable of forking the GoldenEye variant of Petya, turning it into a self-spreading worm (it moved laterally with the EternalBlue and EternalRomance SMB exploits and with stolen credentials via PsExec and WMIC), and infecting thousands of computers and critical infrastructure didn't consider that this might happen? I don't buy it.

An information security researcher who goes by the pseudonym "the grugq" had this to say regarding Petya/NotPetya:

"Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.) If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of "send a personal cheque to: Petya Payments, PO Box …"). The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of "ransomware"."

So, basically, coders competent enough to produce such a fork chose the worst possible payment channel available, despite numerous cases of actual ransomware "done right", if you'll allow me the expression. Kaspersky Lab followed up with an update in which Anton Ivanov and Orkhan Mamedov confirmed that the attackers "cannot decrypt victims' disk, even if a payment was made." The reason is that the "installation key" the ransom note tells victims to send is randomly generated data with no relation to the key that actually encrypted the disk, so even a cooperative attacker holding the private key would have nothing to work with. They go on to say that "this supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware (...)".
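To make the Kaspersky finding concrete, here is an added example (mine, not code from the article or from any Petya/NotPetya sample) that models two campaigns. Both encrypt data the same way; they differ only in whether the installation ID printed in the ransom note is bound to the per-victim key. Two stand-ins are assumed so that it runs with the standard library alone: an HMAC-SHA256 counter-mode keystream in place of AES, and an operator master secret with a deterministic per-victim key derivation in place of the operator's RSA key pair. Both keep the one property that matters here: in a working scheme the operator can recompute the key from the emailed ID; with a random ID, nobody can.

```python
"""Why paying could never have produced a key: a constructed model.

Added example, not code from the article or from any malware sample.
Assumptions: an HMAC-SHA256 CTR keystream stands in for AES, and a
master secret plus per-victim KDF stands in for the operator's RSA pair.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: data XOR HMAC-SHA256(key, nonce || offset).

    Symmetric, so the same call encrypts and decrypts. It exists only so
    that "decryption worked" can be checked; it is not for real use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_victim_key(master_secret: bytes, installation_id: bytes) -> bytes:
    """Working-ransomware pattern: key = KDF(operator secret, public ID).

    The victim only ever sees installation_id; the operator, holding
    master_secret, recomputes the key from it once payment is proven.
    """
    return hmac.new(master_secret, b"victim-key|" + installation_id, hashlib.sha256).digest()


def infect_for_ransom(master_secret: bytes, plaintext: bytes):
    """Real-Petya style: the ID is random, but the key is derived from it."""
    installation_id = os.urandom(16)
    key = derive_victim_key(master_secret, installation_id)
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    # Only the ID survives on the host: it is what the note tells you to email.
    return installation_id.hex(), nonce, ciphertext


def infect_as_wiper(plaintext: bytes):
    """NotPetya style: random key, and a displayed ID that is unrelated random bytes."""
    key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    del key  # thrown away: neither the host nor the operator can rebuild it
    fake_id = os.urandom(16)
    return fake_id.hex(), nonce, ciphertext


def operator_recover_key(master_secret: bytes, installation_id_hex: str) -> bytes:
    """What the operator does with an emailed ID: re-derive the victim's key."""
    return derive_victim_key(master_secret, bytes.fromhex(installation_id_hex))


def payment_outcome(plaintext: bytes = b"quarterly tax filing, 2017 Q2") -> tuple:
    """Run both campaigns through the same 'pay, email ID, get key' pipeline.

    Returns (ransom_decrypts, wiper_decrypts); expected (True, False).
    """
    master_secret = os.urandom(32)  # held only by the operator

    vid, nonce, ct = infect_for_ransom(master_secret, plaintext)
    key = operator_recover_key(master_secret, vid)
    ransom_decrypts = keystream_xor(key, nonce, ct) == plaintext

    fake_id, nonce, ct = infect_as_wiper(plaintext)
    # The operator applies the same procedure to the emailed ID and gets a
    # key that has nothing to do with the one that encrypted the data.
    key = operator_recover_key(master_secret, fake_id)
    wiper_decrypts = keystream_xor(key, nonce, ct) == plaintext

    return ransom_decrypts, wiper_decrypts


if __name__ == "__main__":
    print(payment_outcome())
```

The design point is that a real ransomware operator has to build the key recovery path into the malware before release, because the note and the ID are the only things that ever leave the victim's machine. A campaign whose ID is random noise has no such path, and no amount of goodwill on the payment side can add one after the fact.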

Matt Suiche of Comae Technologies reached the same conclusion after comparing this sample's boot code with that of the 2016 Petya: where the original modified the disk in a way that could be reverted, the 2017 version does permanent damage to the first sectors of the disk. In his words, "Ransomware and hackers are becoming the scapegoats of nation state attackers. Petya is a wiper, not a ransomware."

The fact that this particular version of Petya had its patient zero in M.E.Doc, which is one of only two approved accounting packages in Ukraine and the most widely used one in Ukrainian companies and government, means that "an attack launched from MeDoc would hit not only Ukraine's government but many foreign investors and companies." The malware reached victims through M.E.Doc's own software update mechanism, which is what makes this a software supply-chain attack: every customer who trusted the vendor's updates received the payload along with them, with no exploit needed on the first hop. The M.E.Doc vector was later confirmed by the cyber-police department of Ukraine's National Police.
It seems this "ransomware" attack was nothing more than a wiper disguised as ransomware, with the purpose of hitting as much of Ukraine's infrastructure and essential services as possible, while also infecting businesses connected with the country (which is likely why it spread to the at least 64 countries we mentioned at the beginning of this piece).

A vaccine of sorts has meanwhile been found that stops this version of Petya from running its installation routine on a machine (perhaps a fail-safe built in by the perpetrators so that their own machines would not be infected?). Amit Serper of Cybereason found, and other independent security researchers later confirmed, that the malware looks for a particular file and aborts its installation if that file exists: specifically, a file in C:\Windows carrying the same name as the malware's own DLL minus the extension, which for the samples analyzed so far is perfc. To make yourself immune to this sample, according to the researchers (with the disclaimer that a rebuilt version could perfectly well look for a different file), you should "create a file called perfc in the C:\Windows folder and make it read only." A batch file that does this, created by Bleeping Computer's owner Lawrence Abrams, is available. Bear in mind what this is and isn't: it is a local kill switch, not a cure, so it does nothing for a machine that is already infected, and it does nothing to stop the worm from reaching the machine in the first place, so the SMB patches (MS17-010), network segmentation and offline backups still matter.

Sources: Tom's Hardware, "the grugq" on Medium, On the Wire, Kaspersky Lab, Comae Technologies, Bleeping Computer
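The kill-switch files described above can be created with a short script. The one below is an added example written for this page; it is not Lawrence Abrams' batch file (whose exact contents are not reproduced here) and not part of the article. It creates three empty, read-only files in the Windows directory: perfc, the name the sample actually checks for, plus perfc.dat and perfc.dll, which the published vaccine scripts also create in case a sample checks the full file name. The directory is a parameter so the routine can be exercised on a scratch folder; against a real host it has to run as an administrator, since %WINDIR% is not writable otherwise. One check is built in that the batch files lack: perfc.dat is also the name the dropped payload DLL is written under, so a non-empty file of that name is flagged instead of being silently treated as the vaccine.

```python
"""Create the perfc kill-switch files (added example, not the article's code)."""
import os
import stat
from pathlib import Path

KILL_SWITCH_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def vaccinate(windows_dir: str = r"C:\Windows") -> dict:
    """Ensure each kill-switch file exists and is read-only.

    Returns a per-file status string. A non-empty perfc.dat is flagged
    rather than touched: that is the name the dropped payload DLL uses, so
    finding content there means the host may already be infected.
    """
    status = {}
    for name in KILL_SWITCH_NAMES:
        path = Path(windows_dir) / name
        if path.exists():
            if path.stat().st_size > 0:
                status[name] = "already present (non-empty: investigate)"
                continue
            status[name] = "already present (empty)"
        else:
            path.touch()
            status[name] = "created"
        # S_IREAD sets FILE_ATTRIBUTE_READONLY on Windows; on POSIX it clears
        # the write bits, which is the equivalent effect for a scratch run.
        os.chmod(path, stat.S_IREAD)
    return status


def is_vaccinated(windows_dir: str = r"C:\Windows") -> bool:
    """True when every kill-switch name exists as a file in windows_dir."""
    return all((Path(windows_dir) / name).is_file() for name in KILL_SWITCH_NAMES)


if __name__ == "__main__":
    for name, result in vaccinate().items():
        print(f"{name}: {result}")
```

Running it twice is safe: existing empty files are reported as already present and simply re-marked read-only. Treat a "non-empty" result as an incident trigger, not as something to overwrite.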

31 Comments on Petya/NotPetya: The Ransomware That Wasn't Actually Looking to Ransom Anything

#1
Ubersonic
"Naturally, Posteo closed down the e-mail account as soon as it became clear their service was being used for nefarious purposes"

Lol, Posteo can look forward to some lawsuits from companies who now have no way to decrypt their files, idiots >.>
#2
RCoon
Basically some "patriotic" Russians decided to employ a cyberattack on Ukrainian infrastructure and then hit a few other random targets to scatter the intention. The fact that they don't care whether an infected user can pay a ransom or not speaks volumes as to the intent.

Overall nothing will be done and no consequences enforced.
#3
R-T-B
Ubersonic
"Naturally, Posteo closed down the e-mail account as soon as it became clear their service was being used for nefarious purposes"

Lol, Posteo can look forward to some lawsuits from companies who now have no way to decrypt their files, idiots >.>
Those lawsuits would be dismissed almost immediately in any jurisdiction I can think of, as the only thing Posteo did was prevent the attacker from profiting from the crime. They did not encrypt OR wipe the files, or commit any crime by closing said email.
#4
rtwjunkie
PC Gaming Enthusiast
RCoon
The fact that they don't care whether an infected user can pay a ransom or not speaks volumes as to the intent.
Exactly. Not Ransomware, but terrorism. This was a deliberate attack disguised as Ransomware in order to deny access to files and systems.
#5
Cybrnook2002
"An information security researches" should read "An information security researcher"
#6
qubit
Overclocked quantum bit
rtwjunkie
Exactly. Not Ransomware, but terrorism. This was a deliberate attack disguised as Ransomware in order to deny access to files and systems.
Could it be ISIS maybe?
#7
rtwjunkie
PC Gaming Enthusiast
qubit
Could it be isis maybe?
My money is on Russians, since many there cannot wait to get their hands back on the entire Ukraine (not just the Crimea region).
#8
Raevenlord
News Editor
Cybrnook2002
"An information security researches" should read "An information security researcher"
Thanks, fixed =)
#9
OSdevr
NextPowerUp had an article yesterday that said only the first 25 sectors of your disk are overwritten by this. If so, then that's a pretty easy thing to fix without losing any of your files in the process.
#10
Solaris17
Dainty Moderator
This isn't Petya. Even all the sources which I'm sure you read stated this. Petya is an actual infection that has already happened. Please do not confuse the two. God sometimes security related news posts are cringy.

You can have some tech doc writeups here, deduce the differences etc.

https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

http://blog.checkpoint.com/2016/04/11/decrypting-the-petya-ransomware/

as they say security in education.
#11
Raevenlord
News Editor
Solaris17
This isn't Petya. Even all the sources which I'm sure you read stated this. Petya is an actual infection that has already happened. Please do not confuse the two. God sometimes security related news posts are cringy.

You can have some tech doc writeups here, deduce the differences etc.

https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

http://blog.checkpoint.com/2016/04/11/decrypting-the-petya-ransomware/

as they say security in education.
While it isn't Petya per se as the original, it's being called so (and some varieties) by Kaspersky (ExPetr/Petya/NotPetya). Also, the sources in the article (much more security focused than I am, admittedly) refer to it as such as well. So I decided to run the article with that name, which is much more recognizable, and which the sources do as well =)
#12
Solaris17
Dainty Moderator
Raevenlord
While it isn't Petya per se as the original, it's being called so (and some varieties) by Kaspersky (ExPetr/Petya/NotPetya). Also, the sources in the article (much more security focused than I am, admittedly) refer to it as such as well. So I decided to run the article with that name, which is much more recognizable, and which the sources do as well =)
Jesus, journalism has gone in the shitter.

Education fixes this, not settling. The Bleeping Computer article IIRC even states Kaspersky renamed it after finding out it wasn't related, leaving Petya in the name because people like this site were referencing it as such, but at least THEY explain what it isn't.

At least people infected with actual Petya that might be able to save their systems will probably not reference sites like this for help.

It would be a shame to tell someone they have chickenpox when they have the plague.


I'm being a dick. No excuse. It may be a good idea to at least include the other namesakes so that users may more easily differentiate from the original infection in 2016, as this is not necessarily the same infection.
#13
Raevenlord
News Editor
Solaris17
Jesus, journalism has gone in the shitter.

Education fixes this, not settling. The Bleeping Computer article IIRC even states Kaspersky renamed it after finding out it wasn't related, leaving Petya in the name because people like this site were referencing it as such, but at least THEY explain what it isn't.

At least people infected with actual Petya that might be able to save their systems will probably not reference sites like this for help.

It would be a shame to tell someone they have chickenpox when they have the plague.


I'm being a dick. No excuse. It may be a good idea to at least include the other namesakes so that users may more easily differentiate from the original infection in 2016, as this is not necessarily the same infection.
Aye, I applaud the effort of crossing out all of those things yet still leaving them there (Sarcasm/NotSarcasm) ;)

The Bleeping Computer article also refers to it as Petya, though with the other different names referenced as well. Perhaps that was the cause of dissent between us.

I've updated the title's article and included a reference in the main body text that it is being called other names as well, so as to better inform the readers. I believe that was what you were trying to achieve?

Can't disagree with your metaphor though (I do love me some accurate metaphors).

Edit:
"Could it be that Petya (which is actually being referred to as NotPetya/SortaPetya/Petna as well, for your reference, since it mostly masquerades as that well-known ransomware) wasn't really a ransomware attack?"

Perhaps this helps readers. So thanks for pointing out the article's weakness :)
#14
Solaris17
Dainty Moderator
Raevenlord
Aye, I applaud the effort of crossing out all of those things yet still leaving them there (Sarcasm/NotSarcasm)

The Bleeping Computer article also refers to it as Petya, though with the other different names referenced as well. Perhaps that was the cause of dissent between us.

I've updated the title's article and included a reference in the main body text that it is being called other names as well, so as to better inform the readers. I believe that was what you were trying to achieve?

Can't disagree with your metaphor though (I do love me some accurate metaphors).
I left it because I said it and I won't pretend I didn't, but I was being very rash. I don't have an excuse; it was unwarranted. This site doesn't focus on this stuff and that's fine; you alerted the masses in the best method at your disposal.

That said, I only raised concern because this is what I do to pay bills. Petya, as it was originally referenced, was done because initial infections looked like it. However, after disassembly it was found that only the dropper method was taken from Petya; the actual damage done (Petya 2016 can be saved) and exploit methods were completely different. At that point they classed it as something different altogether but left Petya in the name because less experienced firms were already calling it such.

However, I don't like false hope and I just think it's important to make the differentiation, because people that have Petya vs. people that have NotPetya are in very different boats.
#15
Raevenlord
News Editor
Solaris17
I left it because I said it and I won't pretend I didn't, but I was being very rash. I don't have an excuse; it was unwarranted. This site doesn't focus on this stuff and that's fine; you alerted the masses in the best method at your disposal.

That said, I only raised concern because this is what I do to pay bills. Petya, as it was originally referenced, was done because initial infections looked like it. However, after disassembly it was found that only the dropper method was taken from Petya; the actual damage done (Petya 2016 can be saved) and exploit methods were completely different. At that point they classed it as something different altogether but left Petya in the name because less experienced firms were already calling it such.

However, I don't like false hope and I just think it's important to make the differentiation, because people that have Petya vs. people that have NotPetya are in very different boats.
And I thank you, because this really isn't my area of expertise. But I could've been more explicit in how I conveyed the message, and that additional information only helps build the article.
#16
OSdevr
The internet needs more people like you Raevenlord and Solaris17.

IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.
#17
silentbogo
There are few more things you can add to the article, to extend the available info and clarify some things:
1) Kaspersky lab published their findings on June 26th, while others like ESET, Avast, and Symantec were still arguing that this is indeed Petya. I would've totally missed the whole "virus" thing, if not for my pretty neighbor who couldn't access her online banking at 11:30PM the night before her birthday.
2)
Raevenlord
the Me-doc software, which is one of only two approved accounting software in Ukraine
One correction: it is effectively the only one since the nationwide ban on 1C accounting software complex, along with Kaspersky AV, Dr.Web and some other "evil russian software and web-services".
M.E.Doc is pretty much forced for all tax filings and non-cash transaction accounting in my country. There are few other alternatives, but they are just as bad, if not worse than M.E.Doc.
BTW, M.E.Doc website is down since yesterday.
3) Everyone still calls it Petya, because of ignorant news outlets and simple habit. Even in official announcements and press releases from the Security Service of Ukraine it is still called Petya.A (maybe they do it on purpose to piss off those Russians from Kaspersky Lab).
4) Also, in yesterday's recommendation/announcement the Cybersecurity dept. said that the primary source of the attack was phishing e-mails with "loaded" MS Word/PDF documents.
Exploiting the M.E.Doc vulnerability was only the second stage of the attack.

OSdevr
It screams lone amateur to me.
That was my impression since the start of the attack.
#18
Solaris17
Dainty Moderator
silentbogo
There are few more things you can add to the article, to extend the available info and clarify some things:
1) Kaspersky lab published their findings on June 26th, while others like ESET, Avast, and Symantec were still arguing that this is indeed Petya. I would've totally missed the whole "virus" thing, if not for my pretty neighbor who couldn't access her online banking at 11:30PM the night before her birthday.
2)
One correction: it is effectively the only one since the nationwide ban on 1C accounting software complex, along with Kaspersky AV, Dr.Web and some other "evil russian software and web-services".
M.E.Doc is pretty much forced for all tax filings and non-cash transaction accounting in my country. There are few other alternatives, but they are just as bad, if not worse than M.E.Doc.
BTW, M.E.Doc website is down since yesterday.
3) Everyone still calls it Petya, because of ignorant news outlets and simple habit. Even in official announcements and press releases from the Security Service of Ukraine it is still called Petya.A (maybe they do it on purpose to piss off those Russians from Kaspersky Lab).
4) Also, in yesterday's recommendation/announcement the Cybersecurity dept. said that the primary source of the attack was phishing e-mails with "loaded" MS Word/PDF documents.
Exploiting the M.E.Doc vulnerability was only the second stage of the attack.


That was my impression since the start of the attack.
It should also be noted that the email account linked to the attackers' payment block chain, hosted by Posteo, has been blocked by the provider. It's now useless to try and pay to get anything decrypted because the emails cannot be received. Though it is said that, unlike Petya, NotPetya couldn't be "decrypted" anyway because the damage caused is permanent.


OSdevr
The internet needs more people like you Raevenlord and Solaris17.

IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.
Was just super grouchy this AM. I can get a bit overly passionate about security. I've nothing against TPU, its staff or @Raevenlord specifically. I am certainly not above knowing I'm being unreasonable or a bit of a dick. I'll always try to make amends if I catch myself doing it.
#19
cdawall
where the hell are my stars
OSdevr
IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.
Unless the intent was to look like an amateur to avoid blame.
#20
OSdevr
cdawall
Unless the intent was to look like an amateur to avoid blame.
Considering the amount of press this has gotten and being mistaken for a Petya variant, they failed spectacularly if that were true.
#21
cdawall
where the hell are my stars
OSdevr
Considering the amount of press this has gotten and being mistaken for a Petya variant, they failed spectacularly if that were true.
Very true...
#22
Steevo
Any word from the email provider of an IP that registered the email address? Not that you couldn't hide behind a VPN but even a source routed IP of a known VPN could give some clues.
#23
MrGenius
NATO says a 'state actor' was behind the massive ransomware attack and could trigger military response
Researchers have said that it's possible the attack came from Russia, and perhaps within the Russian state. Clues include the timing – the attack came the same day as the assassination of a senior Ukrainian military intelligence officer and a day before a national holiday celebrating the new Ukrainian constitution signed after the breakup of the Soviet Union.

"Everything being said so far does point to Russia being a leading candidate for a suspect in this attack," said Robert M. Lee, CEO of Dragos Inc. an expert who has studied the attacks on Ukraine's power grid.
http://www.independent.co.uk/life-style/gadgets-and-tech/news/petya-cyber-attack-world-global-destruction-money-ransomware-ukraine-chernobyl-wpp-merck-wannacry-a7816036.html
#24
Solaris17
Dainty Moderator
Steevo
Any word from the email provider of an IP that registered the email address? Not that you couldn't hide behind a VPN but even a source routed IP of a known VPN could give some clues.
I am sure they are looking into it, but no ones reported on it yet :(
#25
GRaFkiyv
If you do not rush to update M.E.Doc and do not use the OUTLOOK mail service, Petya is likely to pass by.