Monday, 03 October 2022

What was uncle Petya really doing?


For the last couple of days the world has been buzzing with news about the Petya malware. When the news of the outbreak broke on Tuesday morning, it was all about a new ransomware that was spreading around the globe. References to WannaCry were made, and fingers were pointed at the use of the same NSA exploit as the attack vector. However, Petya was not really like WannaCry in that there was no “kill-switch”. By Wednesday morning the big players in the anti-malware and security markets had sent out their “what you should know” emails, and a low-grade form of panic hit many enterprises.

Oddly, the target of the attack was not global. The majority of the affected systems, roughly 60%, are in Ukraine. The rest of the world appears to be collateral damage. Now let’s add some other unusual facts about Petya and we see a much more sinister purpose. Most ransomware has a simple payment system that is hard to take offline. After all, criminals want to get paid, so there is no reason not to build something that is difficult for law enforcement to disable. With Petya there was a single email address for payment. This means that it could be (and was) shut down very quickly.

Next up is the decryption method. From the beginning, even when it looked like ransomware, there were doubts that the encrypted files and drives could be recovered. This has proven to be true, and there are now entire organizations that are offline due to the impact of Petya. To make things even worse, many disk-based backups could be affected by this malware if not properly protected and configured. We saw a number of storage products that used SMB as their target file transfer mechanism and are built on Windows Storage Server at their core. Many of these organizations have turned out to be key services in Ukraine, and some were the first infections reported.

The normal path for typical ransomware would be to hit high-return targets that need their data and are able to pay for it. This did not appear to be the case with the initial targets. What we saw instead was someone attempting to hit services and infrastructure in Ukraine, and the rest was collateral damage. The ransomware label was intentional, but there was no intent to ever decrypt the files, and it is very likely that the malware was not built to allow for decryption at all. It was designed to spread quickly through an organization and wreak havoc. Exactly who did this is going to be a source of speculation, and it would be very hard to track this back to any one group or nation. With the current rhetoric, Russia has already been thrown out there as a likely candidate. Most of the evidence (read: almost all) pointing to Russia is circumstantial at best and speculative at worst. What we do know is that this was a sophisticated attack that escalated quickly. It also highlights the fact that even in the face of an actual threat, companies do not patch their systems.

We will be watching how the attribution plays out with interest and, we are certain, with a fair amount of amusement.

Oh, if you have not done it already... turn off SMB and CIFS then patch your f*(king systems.
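In practice the "turn off SMB" advice means disabling the legacy SMBv1 server protocol that the exploit relies on while leaving SMBv2/3 file sharing in place. The following PowerShell is an added example, not code from the original post; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later where the SmbShare module and the SMB1Protocol optional feature are available.

```powershell
# Added example (not from the original post): audit and disable the SMBv1 server
# on a Windows host, then show the most recent updates so patch state can be checked.
# Assumes an elevated session with the SmbShare module and the SMB1Protocol
# optional feature present (Windows 8.1 / Server 2012 R2 or later).

function Get-Smb1Status {
    # Returns one object describing whether SMBv1 is still switched on.
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
        Smb2ServerEnabled = $cfg.EnableSMB2Protocol   # should stay $true for normal file sharing
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Turn off the SMBv1 listener immediately, then remove the feature so a reboot
    # or an installer cannot quietly bring it back. -WhatIf previews the change.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Get-RecentPatches {
    # Lists the newest installed hotfixes; a stale date here means the host is not being patched.
    param([int]$Count = 5)
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First $Count HotFixID, InstalledOn
}

# Record before/after state so the change can be evidenced in a ticket or change record.
$before = Get-Smb1Status
Disable-Smb1Server
$after  = Get-Smb1Status
$before, $after | Format-Table -AutoSize
Get-RecentPatches | Format-Table -AutoSize
```

Run with `Disable-Smb1Server -WhatIf` first to see what would change without touching the host.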
