Have you been hit? CyberDefenses can help.

Petya 2017: Are we looking at ransomware or cyber attack?

CyberDefenses - CDI Logo

By Monty St. John & Chris Rogers

The attack began small, but rapidly got everyone’s attention.  It didn’t take long in the first hours of Tuesday’s attack for it to become pretty clear that Ukraine was the epicenter of the strike.  In fact, more than half of the reports of new “Petya” malware were located in Ukraine, greatly exceeding anywhere else.  The list of targets wasn’t pretty — its central bank, the metro system, airports, government offices.  This was definitely a dim time for Ukraine.

For a malware whose outward appearance was ransomware and whose aim was to make money — Petya.2017 has some pretty odd quirks.  Ransomware typically focuses on a long list of files that you want so badly you’ll be willing to pay for them. With this malware you can easily see a difference in focus — targeting a short list of programing files, script files, office files, virtual machines and archives.  What you don’t see are the images, music and other files people consider valuable.  Petya.2017 does not contain ransomware’s typical predominance of common images, databases, and other super desirable files.  That’s an interesting point.

Speaking with the idea of money in mind, using an open-air email as your point of contact for victims versus onion address is unorthodox.  It’s a standard practice in ransomware to create a unique wallet for each infection, therefore making it easy to know which victim made what payment.  This “ransomware” completely broke with that practice — asking victims to send Bitcoin to a single wallet and then email [email protected] with a unique identifier to confirm payment and gain decryption keys.  The email provider owning the address shut down access within hours of media attention.  That’s a complete lack of survivability for the pay account.  No onion address.  No expectation to survive to get the money.  If they wanted to get the money they needed to keep lines of communication open. This behavior suggests that there was never an intention for this to be monetary in nature.

Besides using unusual APIs, another quirky deviation is “Petya” encrypts files with the above extensions but doesn’t add a new extension. This is pretty singular in that respect when compared to other ransomware.

MEDOC, the attack vector identified for the heavy concentration of attacks in Ukraine, issued a public apology for making the attack.  The webpage is down at the time of this post, but you can see a snap of the page to the right.  Microsoft, via a Technet article also verified MEDOC was a vector of attack in their write-up on the Petya worm.  They noted in the Delivery and Installation section of their write-up:

“Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector.  Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense.”

As a normal tactic of delivery, ransomware predominately strikes via email spam, phishing, or drive-by download.  It’s unusual as a tactic of infection to compromise a software-services system — at least to deliver ransomware.  It comes down to return on investment (ROI).  The name of the game for ransomware is to make money and that has historically meant wide distribution.  Wannacry changed that model somewhat with its run-away success, but it was also an unusual ransomware. 

But looking at this it looked like a one-shot attack.  In fact, it had very little to no armor.   No obfuscation, no wrappers, no protection.  The malware was simple.  No C2.  No check-in activity.  No nothing.  Payload was complete.  It didn’t need anything from the “outside” to function.  It was one total, clean payload.

It has also been widely reported that this malware includes a kill switch.  Why include a kill switch?  A nation state would want to protect its own critical infrastructure from being infected to prevent collateral damage.  Of course, you would as well, if you want to deflect criticism and/or culpability – what better to use than the same company (Rosneft) that you sold off a controlling interest in to Qatar a few months ago?

Most ransomware targets files or the Master Boot Record (MBR), which is why people thought this was “Petya”, as it historically targeted the MBR.  Why target both?  It seems foolish to target both, unless you expect to recover the MBR and still not allow access to files or curtail the ability to perform forensic file recovery.  Destructive malware would cause an undue concern and people would look harder into it.  Why make the drive completely unrecoverable?  Even if you employ forensics – the data is encrypted with an unrecoverable key.

Looking at a typical destructive cyber campaign, they commonly are driven by a nation state, are bent on destroying drives and draw collective ire of the security Internet mind to solve the problem and figure out who is to blame.  As an act of cyber war, this is a very malicious and targeted action of aggression.  However, if it were labeled under cyber crime, aka ransomware, the collective would not be as harsh or eager to lay blame on nation state.  We’ve become numb to the onslaught of cyber crime day in and day out, as it has become the norm.  So therefore it would not merit the effort to try and trace it back to point of origin.  It’s less liable to create political fallout if this looks like cyber criminal activity.   

However, replace the word “ransomware” with “destructive disk wiping malware” and the narrative completely changes.  With this new description, the conversation shifts from “Ransomware starts in Ukraine and then spreads to the world” to “Destructive malware cripples Ukrainian military and civilian infrastructure and then spreads to the world”. 

If you contemplate the idea that ransomware is a ruse, a false flag flying to distract us from the true intention of the malware then the idea that it is nation state activity rises.  If you look to a nation that has employed false flags like this in the past, such as the Sofacy and Turla malware, then perhaps a state comes to mind.  If it isn’t too far fetched to consider, think about the Wannacry link to the North Korean Lazarus Group.   What if it wasn’t linked to them – but to someone else closer to Ukraine? 

What if Wannacry was the trial run or test to this act? 

There has been no other attack using these SMB exploits since Wannacry.  What if this – “Petya” – was a nation-state testing another cyber super weapon? 

If this is the case–the next one won’t be so easy to detect.

About the author

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents he teaches classes in Threat Intelligence, Incident Response and Digital Forensics. Monty is a frequent contributor to community and industry events, presenting at BSides D.C., BSides Austin, Charm, Derbycon and several others. He lives in Austin, Texas and is a security trainer for CyberDefenses, Inc. based out of Round Rock, Texas.

Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.