The dust finally begins to settle on the NotPetya ransomware campaign that spread across the globe on June 27th. NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – was described by Microsoft as “a less widespread attack” than WannaCry. Even so, the outbreak caused absolute mayhem: it first struck in Ukraine, then spread across the globe, affecting 12,500 systems across 65 countries.
These countries included Belgium, Brazil, Denmark, Germany, Russia and the United States. The majority of the infected systems ran the Windows 7 operating system. Experts concluded that the financial software firm M.E.Doc was the first victim and became the watering hole from which the attack spread.
Ukraine was hit hard. According to Kaspersky Lab, an estimated 60% of the infected systems were located in Ukraine, and the other affected countries and businesses were mostly international corporations doing business there. The source of the outbreak was the tax software M.E.Doc, whose update mechanism was used to push a poisoned update. The attackers gained access using the stolen credentials of an M.E.Doc administrator; from there they logged into the server, granted themselves root privileges and modified the configuration file of the NGINX web server.
Now weeks later, we look back at the bizarre story of NotPetya.
And it is a bizarre story. As new information emerged, the questions multiplied. The motives behind the attack were unclear, and simple mistakes made by the criminals left experts scratching their heads in disbelief.
#NotPetya is a good example of Analysis of Competing Hypotheses becoming more difficult over time with new information.
— Robert M. Lee (@RobertMLee) July 6, 2017
Why did they do this? That is still uncertain, and it is why the attack remains a bizarre episode today:
- The NotPetya attacks began on June 27th, the day before Constitution Day in Ukraine. The attack was likely an attempt to disrupt operations in the country and to make a statement. It was designed to spread fast and cause damage quickly. It was a very limited attack.
- As the story was pieced together, researchers found that the NotPetya code had been altered to lock data without providing the decryption key that victims of ransomware usually expect; the key was simply thrown away. The motive was to destroy, not to bargain over an unlock key.
- Money didn’t seem to be the main priority. Typically, ransomware assigns each infected computer a unique cryptocurrency wallet, automating the decryption and payment process. NotPetya didn’t do this; instead, every victim was pointed to a single Bitcoin wallet.
- The author of the original Petya ransomware publicly stated that it wasn’t his work.
— JANUS (@JanusSecretary) June 28, 2017
- Lastly, infected computers usually display an email address that victims can contact to receive a decryption key. The address was displayed, but not discreetly: the email provider quickly identified the account and shut it down. Was it stupidity, or did the NotPetya criminals simply not care about receiving payment?
There we have it. We are still contemplating the bizarre workings of NotPetya and looking for a realistic response. NotPetya soon came to be classified as a wiper (as Kaspersky Lab puts it), an attack whose only obvious motive was to cause destruction and possibly to establish malicious control over important systems. This leaves us to ponder the question: was NotPetya not a ransomware attack at all, but rather a cyberweapon? We will leave that question to the experts.