Petya outbreak: What’s the motive behind this major cyber attack?
Wednesday, 28 June 2017 19:15

The Petya ransomware attack that kicked off yesterday (June 27) was clearly inspired by the WannaCry attack, which received so much attention last month. The motives behind WannaCry are still unclear; however, it was not an effective way for its authors to make money.

There are similar oddities around the Petya attack, which so far has not been very profitable. Two theories might account for the actions of the Petya attackers, but first let’s look at some of the facts as we know them.

The Petya ransomware was spread, at least in part, through updates to a Ukrainian tax accounting software package. According to Symantec telemetry, the majority of Petya victims are Ukrainian organizations. This makes the date the attack began (June 27) interesting, as June 28 is Ukraine’s Constitution Day, a national holiday.

Once on a computer, the ransomware attempts to encrypt a set of files that have specific extensions. The attacker then demands payment of $300 worth of Bitcoin, which they request be transferred to a single wallet. In the ransom note, the victim is told to send notification of payment to a single e-mail address.

[Figure: The ransom note that appears on victims’ machines]

Once on a computer, the malware attempts to spread to all machines on the network, using a combination of stolen credentials and the EternalBlue exploit. It also attempts to connect to any computers that the infected computer has recently interacted with. However, unlike WannaCry, it does not attempt to connect to random IP addresses across the internet.

From our investigations, I believe there are two likely theories to explain the actions of the Petya attackers.

Sometimes the obvious answer is the right one…

The first theory is based on Occam’s Razor. Or to put it more plainly, if it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck. The person or persons behind the attack were technically capable and were attempting to compromise a choice group of financial targets that may be more likely to pay a ransom, as they would need to regain access to important financial records.

The attacker may not be a particularly smart criminal, however, as using a single Bitcoin wallet and a single e-mail account for contact was not the best way to get paid. The e-mail account was rapidly suspended by its provider, removing the attacker’s ability to interact with victims. The Bitcoin wallet is still active; however, any money transferred from this wallet is likely to be closely monitored by law enforcement. The attacker may have a difficult time making use of the ransom payments.

…sometimes it isn’t

The second theory is that there may be a more nefarious motive behind the attack: disruption. Such attacks have occurred in Ukraine previously, most notably the KillDisk attacks. As with KillDisk, perhaps this attack was never intended to make money, but simply to disrupt a large number of Ukrainian organizations. Launching an attack that wiped victims’ hard drives would achieve the same effect; however, that would be an overtly aggressive action. Effectively wiping hard drives under the pretense of ransomware confuses the issue, leaving victims and investigators to ask: “Are the attackers politically motivated, or criminally motivated?”

Based on the current data, I’m inclined to believe the motive behind the Petya attacks may be the second option. Non-Ukrainian organizations were affected; however, this may have been unintentional. There was no attempt to spread across the internet by attacking random IP addresses.

This attack was an ineffective way to make money, but a very effective way to disrupt victims, and sow confusion.
