News

Researchers: 'Wiper' Malware at Root of Petya Attacks

• By Kurt Mackie
• June 30, 2017

Security researchers investigating the recent "Petya" ransomware outbreak have identified its cause to be "wiper" malware that was possibly unleashed by a state actor.

That assessment comes from Juan Andres Guerrero-Saade of Kaspersky Lab and Microsoft Most Valuable Professional Matt Suiche of Comae Technologies, who presented their findings in a Web presentation Thursday.

A wiper is different from ransomware in that the intent is to destroy the data on the disk. It's not typically used to extract money from victims because ransomware attackers typically want to maintain a certain level of trust with their victims that the data can be decrypted, the researchers argued.

Their analysis focused on the key that gets presented on screen to the victim. It's randomly generated, unlike the key in a Readme.txt file dropped by the malware, meaning that there is no way for the perpetrators to decrypt the victim's files, even if the victim pays the $300 Bitcoin ransom. Suiche said that "the delta" between the "installation" key from the Readme.txt and the boot screen showed there was no intent from the attacker to provide decryption keys.

The Petya variant encrypts files (AES128) up to the first megabyte. It replaces the Master Boot Record and displays a fake identifier or "installation" key, the researchers said.

Suiche compared the modified Petya ransomware in this attack with the Petya ransomware used in 2016. The earlier version of the malware had correctly generated a key that could decrypt data. However, the method of generating the key in this instance of the Petya malware appears to contain "a logic bug," he said.

The two researchers questioned the notion that the perpetrators were just incompetent or "script kiddies," even though they made some fundamental ransomware mistakes, such as using a single e-mail address for their victims to use, which got shut down in hours' time, and using a single Bitcoin wallet. The attackers had used a mimikatz variant to steal administrator credentials, so they weren't unsophisticated, Suiche argued.

At this point, no viable solution has been found to decrypt the encrypted files. Paying a ransom won't work, since there's no workable decryption key and the mailbox for communication with the attackers has been shut down. For those who did pay, Bitcoin won't refund their money, the researchers explained.

The researchers suggested that state actors may be involved because of the concentration of attacks in the Ukraine, noting that Microsoft confirmed that the MEDoc tax accounting software was used as part of the initial infection. The use of MEDoc as a vector also was confirmed by Cisco and Kaspersky Lab. Guerrero-Saade said that upwards of 60 percent of the distribution happened in the Ukraine, and it was seen concentrated next in Russia. He added that a "watering hole attack" had occurred at a Ukrainian news agency site, but it had served up 30-KB variant of the malware with no spreading capabilities.

Guerrero-Saade said the malware's spread using the MEDoc software is an important detail to note because there's been "mistaken reporting" about this exploit spreading through Word documents and that people shouldn't opened attached files. He said that he didn't think that was the case. The main vector was the watering hole, he added.

Microsoft, when asked Thursday about this technical analysis that the Petya variant was a disguised wiper, indicated via e-mail that it had "nothing to share on the matter."

Suiche provided his technical analysis in this Comae Technologies post, where he stated that the Petya variant as ransomware was just "a lure for the media." Kaspersky Lab provided its technical analysis here, calling the Petya variant a "wiper pretending to be ransomware."

Microsoft did release patches for the SMB 1 exploit used by the attackers, namely MS17-010 in March and KB4012598 on May 14 (for older Windows systems), addressing EternalBlue and EternalRomance attack flaws. However, generally speaking, this attack opened up questions about how Active Directory is used in organizations. In particular, segmentation should be up for broad discussion in the security space to limit the spread of stolen credentials, Guerrero-Saade explained.

Enterprises shouldn't be blamed for not having patches up to date because of the complexity of patching, Guerrero-Saade said. In this case, one vulnerable machine was enough to spread the malware across a domain. He advised having backup capabilities in place to address both ransomware and wipers, and these backup systems shouldn't be connected to a network's machines. If they do get connected to infected machines, they also will be wiped, he said.

Guerrero-Saade recommended blocking incoming traffic to TCP Port 445 if that's possible. Organizations should use a modern anti-malware solution with strong heuristics in order to understand what the malware is doing to machines. He added that Kaspersky Lab offers a free anti-ransomware tool for use by organizations.