As details emerge about the ransomware behind this week’s global attack, NotPetya, one fact is becoming clear: ransomware is becoming more advanced, destructive and harder to kill—weaponized, if you will.
A report on June 30 by Forbes details just how nasty—and sophisticated—the attack was. Experts are saying it’s more of a “superweapon” designed to wreak havoc, spread fast and damage infected machines than a cash-grabbing tool.
An excerpt from the Forbes article:
"According to the respected researcher known as the grugq, this is definitely not designed to make money. This is designed to spread fast and cause damage." Comae Technologies' Matthew Suiche echoes that sentiment, saying NotPetya "does permanent and irreversible damage" to a computer's hard drive.
Security experts initially believed the malicious software was a somewhat standard ransomware version that borrowed heavily from the year-old Petya variant. But they now believe the similarity between the two is a feint by it’s creators.
There are several tells that experts believe indicate the attack was more of a “statement piece” as opposed to a means to make money. First, typical ransomware links a unique cryptocurrency wallet to each infected computer to facilitate the payment and decryption process. This version uses a single Bitcoin wallet across all infected machines. This makes it easier for responders to cut off payments to attackers, which possibly demonstrates that creators weren’t serious about getting rich.
Second, NotPetya doesn’t assign each affected computer a unique ID that allows attackers to track who has paid, whose data has been unlocked and so on. It merely generates a random string for each machine instead.
Third (and this is possibly the biggest tell), Creators displayed an email address on its “pay to get your data back” message, which victims were supposed to contact to receive their decryption key. This email address was shut down soon after the attack began to spread. Even novice malware designers would have seen this coming.
Together, these details might constitute evidence of laziness on the virus' creators’ behalf, but the vicious design, double encryption of each infected terminal’s data and so on, say otherwise. Rather, it’s likely those behind the attack merely weren’t interested in getting paid at all. They wanted to make a statement.
What statement? For that, look to the attack’s concentration in the Ukraine (about 60 percent of infected endpoints were within its national boundaries) and its timing. Hackers will often strike on or near holidays to reduce the odds of detection and ensure slow response time by security officers. NotPetya struck on the day before Constitution Day in Ukraine, a national holiday.
These facts considered, the attack may have been designed to hit businesses in the Ukraine the hardest, and some commentators are speculating that Russian hackers may have been behind the attack.
The motivations behind NotPetya are perhaps less important to affected entities than the damage it caused and the extreme difficulty researchers have had in preventing or reversing its damage. This attack could be a blueprint for increasingly advanced, destructive and malevolent malware variants to come.
Now more than ever, it’s critical that governments and businesses develop and deploy sound ransomware defense strategies.
Please consider joining the exerts at Vaultize on July 12 at 10 a.m. PST as they discuss malware defense strategies and how your organization can quickly build its defense.
Vaultize is an innovative data security company that allows customers to track and control their documents from creation to deletion on any device, anywhere. From CYA to compliance, Vaultize provides data protection without restricting use. Vaultize’s platform utilizes DRM and encryption to secure any and every file, protect those files no matter where they travel, and provide visibility into who is accessing them and how they are being used. The Vaultize platform is nearly transparent to users, scalable and flexible to deploy. For more information, visit www.vaultize.com.