The new cyberattack malware dubbed NotPetya or ExPetr is believed to have been unleashed via a software update for accounting software M.E.Doc, which is widely used by companies in Ukraine.
Various cyber security firms, including Cisco Talos, Kaspersky Lab and ESET, as well as the Ukrainian Police, say that as-yet-unidentified attackers apparently compromised the M.E.Doc update servers.
Kaspersky Lab has another piece of bad news for the victims, which number in the thousands in Ukraine, Russia, the UK, Denmark, Spain, France and the US, and include Danish shipping company Maersk, Russian oil firm Rosneft, UK media agency WPP, several banks in Ukraine, and the Ukrainian agency responsible for monitoring radiation levels at the Chernobyl nuclear plant.
“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have [concluded] that the threat actor cannot decrypt victims’ disk, even if a payment was made,” Kaspersky said in a statement.
“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”
In short, affected companies will not be able to regain access to their hard drives even if they pay the US$300 in Bitcoin that the attackers demand for a decryption key. Unlike the WannaCry ransomware in May, which encrypts files, the NotPetya malware locks up a device’s Master File Table, denying access to the entire hard drive.
Russia attacks Ukraine?
The discovery has raised suspicions that NotPetya is not true ransomware. “This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” says Kaspersky.
Tom Kellermann, CEO and Partner at investment firm Strategic Cyber Ventures, suggested to BBC News that the fact that Ukraine was targeted could indicate that “some cyber criminal group that sometimes act as a cyber militia for Russia” is behind NotPetya.
“The fact that so much infrastructure in Ukraine was targeted through accounting software that was leveraged specifically to that environment, specific to that language, specific to file-sharing that would allow it to traverse infrastructure as a whole leads me to believe that this was far more than just a criminal conspiracy to create money,” he said.
Why were companies in Russia also felled? “Once you set a forest fire, you never know what it’s going to burn,” Kellermann said.
Patch your Windows
So far, NotPetya has not reached the level of 230,000 infected computers in 150 countries that WannaCry had notched before it was stopped when a researcher registered a garbled domain name hidden in that malware. That act inadvertently activated a kill switch in the WannaCry software.
This time around, researchers could not find a kill switch in NotPetya, causing concerns that the spread of the new malware would be harder to halt.
Fortunately, it exploits the same vulnerability in Windows software for which Microsoft had offered fixes after the WannaCry attack. Still, the fact that units of big companies like Maersk still fell victim suggests that not everyone had applied the patches.
Security experts once again urgently advise companies to update their Windows systems with the patches and to stay vigilant as cyber criminals launch new variants of WannaCry and entirely different malware.
“Many companies haven’t deployed those patches and also they haven’t deployed next-gen defenses . . . and technology that can actually stop ransomware before it affects your system,” says Kellermann.
WannaCry and NotPetya are both based on EternalBlue, a malware whose code was leaked to the Internet by hacking group TheShadowBrokers, which claimed it came from the armory of the US National Security Agency.
Kellermann worries that “more and more non-state actors” motivated by political ideology “can now arm up and leverage their attacks,” as TheShadowBrokers and other groups sell them malware stolen from the arsenal of government agencies.