The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared.
The purpose of ransomware is to lock files with powerful encryption to prevent files from being accessed. A ransom demand is then issued. Payment of the ransom will see the keys to unlock the decryption supplied. Organizations get their files back. The attackers get a big payday.
There have been many cases when ransomware has encrypted files, yet the attackers are not capable of supplying the keys. These attacks have tended to be conducted by amateurs or show the authors have been sloppy and failed to check that decryption is possible.
If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable.
Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware, devising a sophisticated multi-vector campaign to spread the ransomware, but then forget about essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money.
In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim.
First, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs.
As for the errors, they were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID. That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is not possible for the attackers to identify the victims that pay up.
Successful ransomware campaigns use a different Bitcoin address for each victim, yet only one Bitcoin account was used by the attackers. The email address used by the attacker was hosted by Posteo. The German firm quickly shut down that account, meaning it was not possible to check who had paid. That would be a serious oversight by the attackers, who surely must have suspected that would occur.
NotPetya ransomware also does not encrypt files. Like Petya, it replaces and encrypts the Master File Table (MFT). However, NotPetya ransomware corrupts the MFT, wiping out the first 24 sector blocks. Petya ransomware did not do that, instead modifications were made that could be reversed. As a result, NotPetya causes permanent damage ensuring recovery is not possible.
These factors suggest that Petya was modified and turned into a wiper to cause permanent damage rather than make money. That would suggest this was a state-sponsored attack designed attack to cause major disruption. Due to the extent to which Ukraine was attacked, that country appears to be the main target. As for who was responsible for the attack… that has yet to be established. However, many people in Ukraine have strong suspicions.