As a money-making exercise – the sole motivation behind most ransomware – Petya was a flop.
The bitcoin address that appeared on the locked screens of computers across the Ukraine, Russia, Western Europe and at a number of businesses in Australia this week, as of this morning had received only 3.99 Bitcoins, around $13,500.
Not long after organisations began reporting the ransomware, the email address to which those affected were prompted to send their Bitcoin wallet ID and ‘personal installation key’ had been shut down by the provider Posteo. This removed any possibility a decryption key would be received, and so any incentive to pay the ransom.
Having unleashed a weapon powerful enough to shut down global businesses and governments, those behind the ransomware raised enough money for a second hand saloon car.
The meagre amount – combined with evidence that decryption of victims’ disks was never possible to begin with – are now leading infosec experts to conclude that perhaps money was not the motive. The 'ransomware', they believe, was a cover for something far more sinister.
On Tuesday morning Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the country’s Secretariat of the Cabinet of Ministers’ computer systems were down.
Та-дам! Секретаріат КМУ по ходу теж "обвалили". Мережа лежить. pic.twitter.com/B74jMsT0qs— Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
Reports emerged that Ukrainian banks, Kiev's Borispol airport and the country’s energy firms Kyivenergo and Ukrenergo, had also fallen victim to the ransomware, known as Petya, ExPetr, Petrwrap, GoldenEye and NotPetya.
Petya’s ability to self-propagate saw it spread to the US, most of Europe, China and Australia. But it is almost impossible to control the spread of malware once unleashed – Ukraine was undoubtedly ground zero.
The initial infection vector for Petya, according to Symantec, is MEDoc, a tax and accounting software package widely used in Ukraine.
Kaspersky analysis indicates 60 per cent of the total infections occurred in the country, with little over 30 per cent affecting nearby Russia. Symantec research indicates nearly 140 Ukrainian organisations were affected, more than any other country.
These indicators, Symantec said, show “organisations in that country were the primary target”.
But a target for raising money? There are doubts.
Wipe your eyes
A breakdown of Petya’s workings by Kaspersky and Comae show those behind it were never able to decrypt encrypted information. Nor did they want to.
Kaspersky’s Anton Ivanov last night put it this way: “…the main goal of the ExPetr attack was not financially motivated, but destructive”.
While an earlier version of Petya from last year modified the disk in a way where it can actually revert its changes, “2017 Petya does permanent and irreversible damages to the disk”, wrote Comae’s Matt Suiche in a blogpost yesterday.
“Petya clearly got rewritten to be a wiper and not an actual ransomware,” he said.
While ransomware encrypts files to be decrypted once a ransom is paid, wipers work differently.
“The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money,” Suiche wrote. “Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the Master Boot Record like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”
The ransomware ruse was simply a way for those behind the attack to “control the media narrative” according to Comae, “to attract the attention on some mysterious hacker group rather than a national state attacker”.
Tracing the individuals behind any cyberattack is difficult, as is proving the backing of a nation state. Nevertheless, if destruction in Ukraine was the primary motivation, it has been well-timed. Today is the country’s Constitution Day, a public holiday to mark the country’s independence from Soviet Russia.
The damage suffered in Australia could just be the collateral damage of a battle on the other side of the world.
Affected businesses were yesterday urged to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300 CYBER1) for more information.