Is the "NotPetya" ransomware a Russian cyberattack in disguise?
As Tuesday's ransomware attack continues to spread around the world, several security analysts are saying that this virus may not be ransomware after all. New reports are claiming the virus has been designed to permanently delete a system's Master Boot Record before a victim even gets the chance to read the ransom demand. This points to the virus potentially using the guise of ransomware as cover for a more destructive and politically-orientated cyberattack.
Early reports hypothesizing the source of the infection as coming from some Ukranian accounting software called MeDoc have now been confidently verified by Microsoft. The company's security blog says, "Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process."
As well as the genesis of the infection now being confirmed, several different sources are claiming the the malware does not function like regular ransomware, but instead acts like a wiper virus with a singular intent of destroying data on an infected system.
Matt Suiche from Comae Technologies discovered code in the virus that specifically acts to wipe part of an infected computer's boot system. He notes that this particular part of the virus is different from the version of Petya that went around in 2016 functioning as traditional ransomware.
"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," Suiche writes.
The allegations that this virus was a cyberattack disguised as ransomware certainly fit with the strangely inept and complicated ransom method outlined by the virus. The odd tactic of using a single Bitcoin wallet and asking victims to email a specific email address is not only unconventional for a ransomware attack, but also fundamentally ineffective. As the email address attached to the ransomware demand was quickly inactivated by the company owning the domain, it seemed to suggest that money was not the primary motive of this attack.
Security researcher "the grugq" posted a compelling investigatory blog looking at how the initial infection vector spread across Ukraine. He points out that while the virus did have significant collateral effects across neighboring countries, Russia in particular seemed to be managing the damage unexpectedly well. Although Russian state-owned company Rosneft, and the Russian oil sector, were reportedly hit by the virus, no major interruptions to their systems were noted.
"Curious that they were so poorly protected they got infected," 'the grugq' writes, "especially since they aren't connected to MeDoc (the initial infection vector) however they were so well protected they were able to remediate the infection (which didn't spread… although it can take out 5000 computers in less than 10 minutes.) It's a miracle!"
The tactic of wiping an infected computer's Master Boot Record in the way this virus does has been noted by Wired as a calling card of a group of cyberattackers known in the industry as Sandworm. These attackers have been striking Ukraine for several years now and one security firm has linked the group to Russia.
Many of these mysteries may never be resolved, as the shady world of cyberwarfare is notoriously tricky to pin down. What is reasonably clear at this point is that this recent outbreak definitely started in Ukraine and was intended to be destructive. The collateral damage the rest of the world has seen may be a taste of how the future of cyberwarfare could play out.