What were the reasons behind the latest Petya / NotPetya / GoldenEye ransomware outbreak? Considering the circumstances surrounding this week's malware catastrophe, security researchers have been struggling to understand why the campaign happened in the first place. Who was behind it? The Petya / GoldenEye attack mostly compromised organizations in Ukraine, but other countries were hit as well: enterprises in approximately 60 countries were affected. Further analysis also indicates that the attack only pretended to be ransomware in order to hide its true purpose.
Malware Pretending to Be Ransomware Has Many Names – Petya / NotPetya / GoldenEye / PetrWrap / ExPetr
The very first thing to mention here is that researchers have given this so-called ransomware a variety of names, which is confusing. Some researchers who immediately saw the similarities with the previously known Petya ransomware simply said this was Petya once again. Other researchers call it NotPetya, or GoldenEye, a variant of Petya.
As we already wrote, Petya / GoldenEye has been reported to target primarily Ukraine, but the malware quickly spread all over the world. The malware encrypts files matching a list of extensions, replaces the Master Boot Record (MBR) of the system drive with its own bootloader and, after a forced reboot, encrypts the Master File Table (MFT), so the file system itself becomes unreadable. Because of how the keys are handled (see below), restoring your files is practically impossible even if you pay the ransom.
Decryption Impossible Even by Ransomware Authors
Researchers at Kaspersky found that the encryption is designed so that even if a payment is made, the malware authors cannot decrypt the hard drive, even if they wanted to: the "installation key" shown to the victim is random data that carries no information about the key used to encrypt the disk, so there is nothing the attackers could derive a decryption key from. The same researchers found other similarities with a Petya variant known as PetrWrap, which was attacking organizations in March. They dubbed the malware ExPetr, explaining that:
The first publications in mass media stated that new malware was connected to well-known malicious programs WannaCry and Petya. However, according to Kaspersky Lab research this is new malware with some slight similarities to PetrWrap (Petya modification), but most likely having no connection with it. We call it “ExPetr”, to emphasize that this is not PetrWrap.
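The point in the finding above is easy to see in code, so the following is an added illustration and is not code from the original article, from Kaspersky, or from the malware itself. Functioning ransomware encrypts each victim with a fresh key and then embeds that key, wrapped so only the operator can unwrap it, in the ID it shows in the ransom note; the operator recovers the key from the ID after payment. The model below contrasts that design with one where the ID is random bytes unrelated to the key, which is the property researchers observed in NotPetya. Assumptions, labelled as such in the comments: a SHA-256 counter-mode keystream stands in for the Salsa20 stream cipher NotPetya uses for the MFT, and a single operator secret stands in for the public-key wrapping a real operator would use; the escrow property being demonstrated is the same either way.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256.

    Assumption: this stands in for Salsa20 purely for illustration; it is not
    NotPetya's cipher and should not be used as a real cipher.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Assumption: one long-term operator secret used to wrap per-victim keys. Real
# ransomware uses an operator public key here; the recoverability argument is identical.
OPERATOR_SECRET = os.urandom(32)


def infect(plaintext: bytes, escrow_key: bool):
    """Encrypt a victim's data under a fresh key and produce the ransom-note installation ID.

    escrow_key=True  : the ID wraps the disk key, so the operator can later recover it
    escrow_key=False : the ID is random and unrelated to the key (the NotPetya behaviour)
    """
    disk_key = os.urandom(32)
    nonce = os.urandom(8)
    ciphertext = xor_bytes(plaintext, keystream(disk_key, nonce, len(plaintext)))
    if escrow_key:
        wrap_nonce = os.urandom(8)
        wrapped_key = xor_bytes(disk_key, keystream(OPERATOR_SECRET, wrap_nonce, 32))
        installation_id = wrap_nonce + wrapped_key
    else:
        installation_id = os.urandom(40)
    # disk_key is not stored anywhere: only the ciphertext, the nonce and the ID survive.
    return ciphertext, nonce, installation_id


def operator_decrypt(ciphertext: bytes, nonce: bytes, installation_id: bytes) -> bytes:
    """What an operator can do once a paying victim sends in the installation ID."""
    wrap_nonce, wrapped_key = installation_id[:8], installation_id[8:]
    recovered_key = xor_bytes(wrapped_key, keystream(OPERATOR_SECRET, wrap_nonce, 32))
    return xor_bytes(ciphertext, keystream(recovered_key, nonce, len(ciphertext)))


def payment_would_recover_files(escrow_key: bool) -> bool:
    """Run one victim through infection and the operator's decryption attempt."""
    # Constructed sample standing in for victim data.
    sample = b"constructed sample of victim data " * 4
    ciphertext, nonce, installation_id = infect(sample, escrow_key)
    assert ciphertext != sample
    return operator_decrypt(ciphertext, nonce, installation_id) == sample


if __name__ == "__main__":
    print("key escrowed in the ID, operator can decrypt:", payment_would_recover_files(True))
    print("random ID, operator can decrypt:             ", payment_would_recover_files(False))
```

With the key escrowed, the operator decrypts every victim; with a random ID, the operator's "recovered" key is just noise and decryption fails for every victim, regardless of payment. That is the structural reason the ransom demand could never have been honoured.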
Whatever its name, everyone agrees on one thing: the malware has once again succeeded in creating a stressful mess on a global level. That is why researchers have started to piece together the available information and data in order to outline what happened and, more importantly, why.
The Motivation Behind the Petya / NotPetya / GoldenEye Attacks
Some researchers say that it has been extremely difficult to identify the motivation and the reason for this malicious campaign. Nonetheless, there are several factors that can help the investigation.
The very first thing to notice is that Ukraine was one of the primary targets in the outbreak. In Ukraine the many-named malware spread through MeDoc, accounting software that is popular in the country. Security researchers revealed that the attackers appear to have breached the company's computer systems and tampered with a software update that was pushed to customers on June 22. This single event may have triggered the outbreak.
On the other hand, Reuters has pointed out the following:
The primary target of a crippling computer virus that spread from Ukraine across the world this week is highly likely to have been that country’s computer infrastructure, a top Ukrainian police official told Reuters on Thursday.
An increasing number of researchers believe that the main purpose of the attack was to install new malware on governmental and enterprise machines in Ukraine. The purpose of the whole campaign may not have been extorting the targets but planting the seeds for future attacks.
Several observations suggest that financial gain was not the intent of the attack. The malware is designed to overwrite the Master Boot Record (MBR) and encrypt individual files matching a list of file extensions, which is destructive far beyond what is needed to extort a payment. The ransom amount, $300 in Bitcoin, is small for an operation of this scale, and, worse, paying it will not get the victims' files back. What researchers say is that Petya / GoldenEye / NotPetya pretends to be ransomware but is in fact something else. It is also believed that the threat actors behind it made decryption impossible deliberately.
Collecting Ransom Payments Not the Primary Purpose of the Attacks
It is intriguing that the attackers invested considerable engineering effort in developing and spreading the malware but did almost nothing to make paying the ransom workable. If it were truly a piece of ransomware, collecting ransom payments would have been the primary purpose of the whole operation.
Kaspersky analysis also recently revealed that more than 50% of the businesses attacked by the many-named malware are industrial companies.
Moreover, the first organizations which were attacked belonged to critical infrastructure such as airports, gas companies, public transportation, etc.
The fact that home users were not hit at anything like the scale of organizations speaks volumes about the threat actors' agenda.
Most researchers believe that the attack was carried out either by a hacktivist seeking to raise awareness of the vulnerabilities that surround us, or by nation-state hackers looking to cover their tracks. The most convincing and convenient way to make the world believe it is another WannaCry-style ransomware outbreak is to make it look like one.