An echo of opening shots
Ransomware or cyberweapon? There is some argument over the nature of the recent NotPetya outbreak
3 August 2017
Early on 27 June, I began to see reports of a ransomware attack affecting a variety of businesses across Eastern Europe and into both the Middle East and back towards the west. Pictures emerged of supermarkets with increasingly agitated lines of customers staring at till screens on EPoS devices that all bore the same chilling information and demand.
Soon, news began to come through from other sources of industries being hit, such as the shipping giant Maersk, and the pharmaceutical company Merck. It was confirmed by Forbes that the Merck hit included its Irish operations.
“NotPetya: This is weapon-grade attack that is in the hands of ideologists, state actors or others” Or is it?
The demand was simple: the NotPetya malware asked for $300 (€264) worth of Bitcoin to be sent to a specified address in return for a decryption key for the files it had encrypted.
However, as infosec pros around the world began to tackle the outbreak, it soon became apparent that this was not the usual form for a ransomware attack.
By early on the morning of 28 June, infosec pros were already starting to call NotPetya a cyberweapon and not malware or ransomware.
Stu Sjouwerman, infosec pro and CEO of the KnowBe4 security company, wrote in a blog that the destructive elements of NotPetya, as well as the low demand and poorly implemented cash-out facilities, pointed towards this not being a monetarily driven effort, but rather some kind of political or ideological one.
Sjouwerman cited personal experience through the years, as well as emerging reports from Kaspersky Labs and Comae Technologies, all pointing toward this conclusion.
Closer to home, Paul C Dwyer, CEO, Cyber Risk International, speaking on the Newstalk Breakfast radio show on 28 June, concurred with the inference.
“This is not about money, this is far more than that,” said Dwyer. “This is about political posturing.”
Dwyer observed that while the modus operandi of NotPetya was similar to that of the WannaCry outbreak, the two also had in common that neither was about cashing out or getting the money.
That would imply that something delivered with such military precision and sophistication, yet which fails at actually collecting the money, is not criminally driven, Dwyer argued.
This is a weapons-grade attack that is in the hands of ideologists, state actors or others, he said.
Sjouwerman agrees, saying:
“There are several technical indicators that NotPetya was only made to look as ransomware as a smoke screen:
- It never bothers to generate a valid infection ID
- The Master File Table gets overwritten and is not recoverable
- The author of the original Petya also made it clear NotPetya was not his work”
Sjouwerman also cites Catalin Cimpanu, security news editor of the Bleepingcomputer information security web site, who stated:
“The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware.”
So, while many began to examine the argument for cyberweapon as opposed to malware, and look for the likely culprits of such an effort, others looked a bit more pragmatically at the issue and came to a different conclusion.
Another infosec pro, Robert Graham (Twitter handle: @ErrataRob), argued on the Errata Security blog that past examples of malware have shown characteristics similar to NotPetya without being politically or ideologically motivated. Graham argues that a combination of circumstances could well have seen NotPetya propagate in ways that produced the observed patterns and results while still being monetarily motivated.
“Many well-regarded experts claim that the not-Petya ransomware wasn’t ‘ransomware’ at all, but a ‘wiper’ whose goal was to destroy files, without any intent at letting victims recover their files. I want to point out that there is no real evidence of this.”
“Some have pointed to the sophistication of the code as proof that such simple errors are unlikely. This isn’t true,” Graham argues.
“While it’s more sophisticated than WannaCry, it’s about average for the current state-of-the-art for ransomware in general. What people think of, such [as] the Petya base, or using PsExec to spread throughout a Windows domain, is already at least a year old.”
Graham says the haphazard nature of the cash-out implementation does not necessarily add up to a spoof to appear like ransomware when, in actual fact, it is a cyberweapon.
For now, the jury is still out.
However, I think we can draw some conclusions anyway.
First of all, there can be little doubt that both WannaCry and NotPetya represent new directions for the kind of cyber-incidents we are likely to see over the next 12-24 months.
For a start, few could have predicted that NotPetya would follow WannaCry so soon. Coupled with this is the fact that so much sophisticated base material, from the Shadow Brokers haul to the developed remnants of Stuxnet and Flame (SkyWiper), is now in the wild, or at least in the hands of the less than altruistic, and the scene is set for dark developments. Always looking for an easy opportunity, the black hats will re-use, recycle and develop based on their own specific needs, which will not always be apparent, or easily understood.
The BlackEnergy trojan is one such chilling example of where these developments can go, and how they may be used.
I made a prediction early last year that we may yet see the emergence, due to the development of malware as a service, of the half-baked hacker.
I quote: “Many forensic examinations and investigations by security professionals are now turning up cases where attackers have clearly not understood what they were doing and used tools that may have either been poorly designed, or worse still, mere trojans for the makers’ intent, not the buyers’.”
“Victims then find themselves in the unenviable position of having to clean up a mess where no one is really sure what happened. This is often to the backdrop of a public outcry, or shareholder discontent, and possibly even data protection office investigation.”
Without the knowledge or experience, personally, to make a definitive pronouncement on the nature of NotPetya, I think that its unleashing, coupled with that of WannaCry, is certainly supporting the argument that hackers are launching attacks that may start out as targeted and sophisticated, but that can and do escape their narrow confines and wreak unintended consequences on the wider world.
What will we see next, as various political rows, vested interest groups and the purely criminally motivated make their next moves in what is now a global free-for-all fuelled by fallout from state actors, intelligence agencies and sales to the highest bidder?
It is a chilling thought indeed, and one that Sjouwerman perhaps best characterises as he talks directly to the international information security professional community:
“You did not sign up for this, but today it is abundantly clear that as an IT pro you have just found yourself on the front line of 21st-century cyber war”
This is the unenviable position that has led Microsoft president Brad Smith to call for a digital version of the Geneva Convention. But that is another story, and one that I have explored in a bit of detail.