Petya picks up where WannaCry left off.
A new disruptive campaign of uncertain origin, originally but probably inaccurately characterized as ransomware, hit targets in Europe and elsewhere Tuesday. Ukraine was particularly affected, with banks (including ATMs), many government offices, and electrical utility networks (including those engaged in monitoring radiation levels at the former power plant in Chernobyl) suffering heavily. The Russian oil firm Rosneft also reports being affected (and has archly expressed the hope that the attack isn't connected to ongoing legal disputes with its domestic rival, oligarch-run Sistema). Beginning almost immediately, the infestation spread to many other countries. Early cases were reported by the Danish shipping concern A.P. Moller-Maersk (interrupting operations at many ports Maersk runs around the world), pharmaceutical company Merck (this in the US), Deutsche Post (its operations in Ukraine), British advertising agency WPP, a Cadbury chocolate factory in Tasmania, medical centers in the US, and port facilities in Los Angeles and Mumbai, to name a few of the more prominent infections (The CyberWire). The effect has been worldwide, and the attack is regarded as more serious than WannaCry (Stuttgarter Nachrichten).
Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated (Reuters). Kaspersky and Flashpoint were early in saying they'd observed signs of the Petya (a.k.a. Petrwrap, a.k.a. Goldeneye, a.k.a. NotPetya, a.k.a. ExPetr, a.k.a. Nyetya) strain of ransomware in the attacks. Petya, formerly used in targeted attacks spread by phishing with malicious Word files, has been altered to gain wormlike functionality and to incorporate the EternalBlue SMB exploit the ShadowBrokers leaked on April 14th of this year. Noting this evolution, some analysts have called the malware "NotPetya" or "Goldeneye," but all of these names refer to the same attack. Contrary to early reports and general expectation, it seems not to have used email as its principal vector. Instead it established itself in its first targets through a compromised software update delivered to Ukrainian users of the M.E.Doc tax accounting package (Tanium).
Many have compared Petya to WannaCry. They both look like ransomware, they're both worms, and they both take advantage of EternalBlue. They're also both indiscriminate. But this version of Petya is in many ways better crafted and more destructive than WannaCry. Petya overwrites the master boot record and encrypts the file system's master file table, which makes it more dangerous than file-by-file encryption, and it also moves laterally with harvested credentials and legitimate administration tools (PsExec and WMIC), so a host patched against EternalBlue was not safe on a network with an infected neighbor. Nor does Petya show the sort of stumblebum fumbling with Bitcoin wallets so much in evidence with WannaCry. And of course and unfortunately, this version of Petya didn't come with a readily accessible kill switch. A researcher has developed what's being called a "vaccine" or a "localized kill switch" that can be installed to protect individual machines, but that protects only the host it's installed on, not the network (ABC News). Some ISACs took prompt and effective action (The CyberWire), and there are various measures enterprises can take on their own to protect themselves (The CyberWire).
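As an added example, not code from the CyberWire item or from the researcher who published the vaccine: the per-host "vaccine" referred to above consisted of creating a read-only file named perfc in C:\Windows, which this particular sample checks for before running (the companion names perfc.dat and perfc.dll were added by later circulated batch files). The script below also reports whether SMBv1, the protocol EternalBlue exploits, is still enabled on the server side. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration exists; the function names are this example's own. It is a stopgap for this one variant, not a substitute for applying MS17-010.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes Windows 8 / Server 2012+.

function Install-PerfcVaccine {
    # Creates the read-only marker files this NotPetya/Nyetya sample checks for
    # and returns the paths it had to create (empty if they already existed).
    param([string]$WindowsDir = $env:SystemRoot)
    $created = @()
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
            $created += $path
        }
        # Read-only so the sample's own attempt to write its copy fails too.
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
    return $created
}

function Test-Smb1Exposure {
    # EternalBlue targets SMBv1; report whether it is still on and what to run.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled = $cfg.EnableSMB1Protocol
        Remediation = if ($cfg.EnableSMB1Protocol) {
            'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        } else { 'none needed' }
    }
}

Install-PerfcVaccine | ForEach-Object { "vaccine file created: $_" }
Test-Smb1Exposure | Format-List
```

Disabling SMBv1 on the server side breaks clients that still need it (very old print servers and NAS appliances, for instance), so run the check first and plan the change rather than pushing it blind across a fleet.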
If one accepts this Petya variant's self-presentation as ransomware, its rapid spread would be due either to the inherent difficulties of containing malware (especially true of worms), or to deliberate misdirection, or to simple willingness to take such targets of opportunity as present themselves. Many have noted that the attack, launched on the 27th, came on the eve of Ukraine's Constitution Day holiday on June 28th. While the putative ransom note's text appeared in English, Ukrainian authorities blame Russian hackers and call the ransom demand misdirection covering the installation of destructive malware (Reuters). The attack, says Ukraine's SBU security service, was committed by the same actors who hit the power grid around Kiev last December, and those actors, says the SBU, were Russian espionage services (Fortune). Russia denies complicity, of course. Russian officials say they were victims too, and Kremlin spokesman Dmitri Peskov has called for international cooperation against cybercrime (Reuters). Whether one sees infestations at Rosneft and a few other Russian sites as exculpatory evidence or as provocation and misdirection will depend on how historically informed one's interpretations of official Russian motives are.
The researcher known as the grugq has a clear analysis of what's up on Medium; he calls the relationship to Petya "skin-deep," and sees misdirection, not extortion. There's another interesting development: F-Secure says it's found signs EternalBlue was incorporated into Petya/Nyetya/NotPetya six months ago. That's before the ShadowBrokers dumped the exploit, which, if it holds up, suggests the authors either are close to the Brokers (perhaps as suppliers) or had independent access to the exploit (Computing).
But it doesn't appear to be true ransomware at all (Independent). Instead, it seems to be, effectively, a wiper. The growing probability that the attack is destructive lends some credibility to those who see this as espionage or hybrid warfare as opposed to crime. We've followed most coverage in calling the attack "ransomware," but it's unlikely the victims could recover their files even if they paid the ransom. Most researchers by week's end were calling it a wiper that repurposed some Petya code (SecureList).
So the campaign was probably intended to be destructive and disruptive from the outset, with the code simply masquerading as ransomware. Cisco is calling it "Nyetya" (Russian wisecrack duly noted) (Economic Times). At least one security firm CEO, KnowBe4's Stu Sjouwerman, calls it "open cyber warfare" and specifically blames Russia's GRU military intelligence service (which you may know as Fancy Bear) (BusinessWire). NATO, without formal attribution and certainly without invoking Article 5, has announced it will increase its cooperation with Ukraine and provide assistance in defense against cyberattacks (Ukrinform). States or crooks, the glum consensus is that we'll see more mass attacks of this general kind in the near future (PCR).
Financial losses put down to the outbreak are of course so far unknown, but speculation rates them as likely to be high (Chicago Tribune). Ransomware and wiper attacks have been costly (This is Money). One wild card will be litigation: some observers are thinking about how long a patch has been available for the SMB exploits used in this campaign (Microsoft's MS17-010 shipped in March, roughly a quarter before the outbreak, which is a long time by security standards, even granting the greater difficulty of patching some specialized industrial control systems). They're led to speculate that there's a prima facie case of negligence on the part of companies that failed to apply Microsoft's patches (Bloomberg), although, since this variant also spread with stolen credentials and legitimate administration tools, patching alone would not have kept every host clean. India's government said this weekend that it's negotiated a deal with Redmond to enable Indian users to upgrade to Windows 10 at a discount, for security reasons (Indian Express).
The campaign's exploitation of EternalBlue, which the ShadowBrokers leaked along with claims it was a stolen NSA exploit (Business Insider), has brought harsh scrutiny of NSA's ability to secure its cyber tools. How did the ShadowBrokers get the code in the first place? (New York Times)