New Ransomware is Much Worse Than First Thought

Megan Winiarski
Network Security
Image via Getty

Image via Getty

Tuesday’s massive outbreak of malware shut down computers around the world. It has been blamed as ransomware. Now, some researchers are drawing an even bleaker assessment – that the malware was a wiper with the objective of permanently destroying data.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.

In other words, researchers believe that this attack wasn’t ransomware at all. Instead, it was created to permanently wipe as many hard drives as possible on infected networks. Researchers also found that the post of ransom being asked online were actually a hoax in response to the WannaCry outbreak last month.

Researchers at antivirus provider Kaspersky Lab, in a blog post published Wednesday, labeled the previous day's malware a "wiper." They explained that for attackers to decrypt a paying victim's computer, they need a "personal infection ID" that's displayed in the ransom note. In the 2016 version of Petya, the ID contained crucial information for the key recovery. Tuesday's malware, by contrast, was generated using pseudorandom data that was unrelated to the corresponding key. Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov wrote:

If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data.

That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID.

What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.

Another researcher found that the overwriting of key files stored on infected hard drives was the goal of this malware, which does not seem to actually be ransomware.

The best way to describe the stages of ransomware is these:

  • Stage 0 “MBR Overwrite” – Overwrite the hard-drive’s Master Boot Record and implanting custom boot-loader.
  • Stage 1 “MFT Encryption” – Use the custom boot-loader introduced in Stage 0 to encrypt all Master-File-Table (MFT) records, which renders the file system completely unreadable.
  • Stage 2 “Ransom Demand” – Display the Petya logo and the ransom note detailing what must be done to decrypt the hard-drive.

Tuesday’s malware on the other hand, spent much more time in Stage 1 than ransomware, and it is unconfirmed if it gave a ransom demand or if that was a hoax.

Not Designed to Make Money

The analysis noted that the malware used a single Bitcoin address to receive ransom payments; a shortcoming that's not found in most professionally developed ransomware because it requires attackers to manually process large numbers of payments. Tuesday's malware also required victims to manually type a long string of human-unfriendly characters into an e-mail address, a hurdle professional ransomware developers avoid because it decreases the likelihood that victims will pay. Tuesday's malware also required victims to contact attackers through an e-mail account that was closed within hours of Tuesday's outbreak, killing any incentive for victims to pay.

In almost all other aspects, the malware was impressive. It used two exploits created by the NSA and when it combined them with a custom code that stole network credentials it totally overtook computers.

The theories are consistent with this post from Wired, which reports that Ukrainian government officials are saying Tuesday's attack was sponsored by a national government. The Ukrainian government has previously blamed Russia for attacks—one in December 2015 and another in December 2016—that both caused blackouts by hacking Ukrainian power facilities. A cover story Wired published last week lays out much of the evidence substantiating the claims of Russian involvement. Asked if Russia was behind Tuesday's attack, a government official told reporter Andy Greenberg: "It’s difficult to imagine anyone else would want to do this."

All signs are pointing towards a huge and devastating attack. As always, make sure you keep your computer protected and hopefully prevent this from happening to you.

(Story via Ars Technica)

Are Cyberattacks at Schools Being Overlooked?

Google Earth Enters the Classroom

Related Posts