NotPetya was designed to inflict damage, not to extort money

What we know so far

This article is a summary of what analysts now say about this week’s NotPetya ‘ransomware’ attack. I put ransomware in quotes because top analysts have concluded that NotPetya was a “deliberate, malicious attack disguised as ransomware.”

NotPetya is ‘wiper malware,’ not ransomware

On Tuesday, June 27, 2017, the NotPetya malware attack caused disruption for companies in 64 countries, affecting at least 2,000 individuals and organizations worldwide. It originated in Ukraine, many now believe, from an automated update to M.E.Doc, a popular tax-filing software.

This is highly concerning because we’re always told to update our software to PREVENT such attacks. Now, it’s clear that hackers can hijack the update process to insert malware. This puts much greater pressure on vendors to carefully review their update security process so that it does not become an attack vector.

There are four primary reasons most analysts now believe this malicious attack was engineered to irreversibly damage IT systems—and not for financial gain.

  • Ukraine was hit hardest, with 60% of all infections taking place in that country. (Germany was the second most likely target with a comparatively low 9%.) Also, Information Security Systems Partners in Kiev believes the attackers were already present in their country’s systems for several months.
  • There was an ‘original Petya,’ an earlier form of ransomware, not widely disseminated, that allowed decryption of files when a ransom was received. By contrast, NotPetya payment required that a victim’s confirmation email be sent to a single address at the German email provider Posteo, which was quickly shut down. If the NotPetya malware designers were serious about extorting money, they would have made their payment process as easy and foolproof as was the case with WannaCry.
  • In sharp contrast to the payment infrastructure, the NotPetya malware’s contagion techniques were sophisticated and complex, designed to ensure maximum damage to the networks infected. This further confirms that the overriding intent of the perpetrators was to do permanent, irreversible damage to the hard drives affected.
  • Russia has launched cyberattacks against Ukraine before. After all, they are still at war in the eastern region of that country. Many believe that Russian wiper malware designers were willing to experience some collateral damage to hit their primary target. So, some Russian companies were also infected by NotPetya, most notably the Rosneft oil company and steel maker Evraz—though no reported serious damage was done to either.

And if this was the plan, it worked. Large numbers of Ukrainian businesses were infected in the NotPetya contagion, including automated radiation monitoring systems in Chernobyl. Ukrainian government offices and energy companies were also hit.

We may never know with complete certainty whether Russia was behind this attack. It’s less likely, however, that it was launched by another nation state, e.g., North Korea, or by a single, highly skilled hacker.

Also highly concerning: Copenhagen-based shipping giant Maersk was one of the largest corporations infected with this wiper malware, which threw its operations into turmoil for hours before restoration from backups could be completed. The company has warned that future, more global attacks could seriously disrupt the global transport supply chain.

One software update you need ASAP

Microsoft recently released an important Windows 10 operating system update. If your automatic updates haven’t kicked in yet, then manually download the new 1703 version to increase your level of protection against NotPetya and other recent malware.
