Analysts think Petya ransomware was built for targeted destruction, not profit

The description of the Petya infections hitting computers worldwide as ransomware may be a misnomer, security analysts suggest. The malicious software's code and other evidence indicate that the profit motive may have been camouflage for an act of cyber-sabotage targeting Ukraine.

Ransomware fundamentally works on the idea that if you pay the attacker, you get your data back. If the attacker doesn't fulfill their side of the bargain, word gets out and no one else pays the ransom. Ultimately it's in everyone's interest to have the con work as advertised.

So what do you make of ransomware that makes it impossible to retrieve the data?

Well, that isn't ransomware. And if it isn't ransomware, the motive wasn't to make money. If the motive wasn't to make money, what was it? Considering that Petya appears to have had its origin on Ukrainian networks, it wouldn't be a stretch to speculate that the point was to damage those networks.

That's the idea advanced by several experts as more facts about the software come to light. Comae's Matt Suiche and others compared the code in this week's Petya attack with a similar attack from last year. The 2017 Petya appears to have been modified specifically to make the encoding of user data irreversible by overwriting the master boot record rather than encrypting it in a recoverable way. The attackers' email address also appears to have been taken offline, so victims who pay have no way to contact them and obtain a decryption key.

(Update: MalwareTech, the researcher who accidentally halted WannaCry, points out that the MBR may not in fact be overwritten. As I originally concluded, expect more updates as more analysis occurs.)
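The distinction the analysts are drawing above (a reversible, keyed transformation that the attacker can undo on payment, versus an overwrite that leaves nothing to undo) is easy to show on a simulated disk image. The following is an added example written for this page, not code from the article or from any Petya sample: it uses a toy SHA-256 counter-mode keystream in place of a real cipher, a constructed 512-byte-per-sector image, and a constructed attacker key, and it models only the MBR sector by default. The `recoverable` check is the question a would-be decryptor asks: with the attacker's key in hand, do the damaged sectors turn back into the originals?

```python
import hashlib
import random

SECTOR = 512  # bytes per disk sector; sector 0 is the MBR


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for any keyed,
    reversible cipher; Petya's real cipher is not reproduced here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def make_disk(n_sectors: int, seed: int = 7) -> bytearray:
    """Constructed sample image: pseudo-random sector contents plus the
    0x55AA boot signature at the end of sector 0, as on a real MBR."""
    rnd = random.Random(seed)
    img = bytearray(rnd.getrandbits(8) for _ in range(n_sectors * SECTOR))
    img[510:512] = b"\x55\xaa"
    return img


def xor_sectors(img: bytearray, first: int, count: int,
                key: bytes, nonce: bytes) -> None:
    """'Ransomware' model: XOR sectors [first, first+count) with a keystream.
    XOR is its own inverse, so whoever holds key and nonce can restore them."""
    start, end = first * SECTOR, (first + count) * SECTOR
    ks = keystream(key, nonce, end - start)
    img[start:end] = bytes(a ^ b for a, b in zip(img[start:end], ks))


def overwrite_sectors(img: bytearray, first: int, count: int) -> None:
    """'Wiper' model: replace the same sectors with zeros and save nothing.
    No key anywhere maps the result back to the original bytes."""
    start, end = first * SECTOR, (first + count) * SECTOR
    img[start:end] = bytes(end - start)


def recoverable(original: bytes, damaged: bytearray, first: int, count: int,
                key: bytes, nonce: bytes) -> bool:
    """Given the attacker's key, do the damaged sectors decrypt to the originals?"""
    trial = bytearray(damaged)
    xor_sectors(trial, first, count, key, nonce)
    return bytes(trial) == original


def compare_models(n_sectors: int = 8, first: int = 0, count: int = 1):
    """Run both models over the same constructed image and report whether each
    can be undone with the attacker's key. Returns (ransomware, wiper)."""
    key, nonce = b"constructed-attacker-key", b"nonce01"  # constructed, not real
    pristine = bytes(make_disk(n_sectors))

    ransomed = bytearray(pristine)
    xor_sectors(ransomed, first, count, key, nonce)
    ransomware_ok = recoverable(pristine, ransomed, first, count, key, nonce)

    wiped = bytearray(pristine)
    overwrite_sectors(wiped, first, count)
    wiper_ok = recoverable(pristine, wiped, first, count, key, nonce)

    return ransomware_ok, wiper_ok


if __name__ == "__main__":
    r, w = compare_models()
    print(f"reversible encryption, key in hand -> recovered: {r}")
    print(f"plain overwrite, key in hand       -> recovered: {w}")
```

Widen `count` to model more than the MBR sector; the outcome does not change. The point for triage is that the second case stays unrecoverable no matter what key you are handed, which is why a sample that behaves this way cannot honestly be called ransomware, whatever its ransom note says.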

Brian Krebs cites Nicholas Weaver at Berkeley's International Computer Science Institute, who calls Petya "a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware." Wired cites Information Security Systems Partners in Kiev, who suggest that the attackers had already been present in the Ukrainian systems for some months, and may even have been using the infection to cover their tracks.

Since the spread of the malware can't be predicted with any real accuracy (unless its course were hard-coded or steered from a command and control server, which would be evident in the code or its traffic), it would be impractical to, say, release it in France with the object of infecting Germany. On the other hand, releasing it at the target location, then trusting the collateral damage and the superficial similarities to WannaCry to act as a smokescreen, is a pretty good plan.

All this analysis is necessarily based on incomplete information, however, so it's difficult to draw any hard conclusions. But from what we've seen, the narrative of a WannaCry-type global ransom plan seems like an inaccurate one.

Read more: https://techcrunch.com/2017/06/28/analysts-think-petya-ransomware-was-built-for-targeted-destruction-not-profit/
