The knowns about NotPetya ransomware outbreak, which spread around the globe last week, have grown but many unknowns remain. Chief among them are why it was released when it was, which seems to be way too early.
“What’s really bothering me is the obvious lack of testing that went into NotPetya,” F-Secure Labs’ Andy Patel told me.
Here is an update on the Petya situation with the caveat that there is still much to be discovered about this strange case.
Are we still calling it Petya?
NotPetya seems to be what that industry has settled upon. In F-Secure Labs posts, you’ll see some version of “EternalPetya.”
Is it ransomware or a wiper?
It seems to be “malfunctioning malware,” which is a good name for your new band.
” Malfunctioning malware isn’t rare,” Andy wrote.
“…(Eternal) Petya is not a wiper,” Sean Sullivan, F-Secure Security Advisor, wrote. “A wiper is something such as Shamoon. (Eternal) Petya is almost fully functional ransomware, and the question is: what more is it? If this is a prototype, what is it moving towards?”
UPDATE: After further analysis, F-Secure Labs found “that the user-mode file encryption-decryption mechanism would be functional, provided a victim could obtain the correct key from the malware’s author.”
How does it work?
Here’s a sketch of the Labs’ best take on how the latest version functions:
Does that really say “DOES STUPID SHIT”?
It does because that’s what it does.
“Plenty of other evidence points towards this piece of software being developed in a hurry, and not thoroughly tested,” Andy wrote. “For instance, a machine can re-infect itself and encrypt files twice.”
So it’s just bad malware?
“It’s full of bugs,” Andy told me. “And design flaws. And what seems like placeholders for unimplemented functionality.”
There are some sophisticated aspects to the code, which confused the initial analysis. But — in general — this is terrible malware and terrible malware is open to a lot of interpretations.
Did it mean to be something else? Is it a test? Are some hackers just trying to look cool? Or were they just doing it for a one-time cash grab?
“All of the above is a possibility,” Andy said. “Could be a test. Could have been done in a hurry. Could be that the authors don’t care.”
Why would someone release not-quite functional ransomware?
The developers could just have had a “tight deadline” sped up by the release of WannaCry in May, which utilized the same vulnerabilities and prompted a wave of updating and new updates for Windows XP that were previously only available to certain customers.
“Putting together a proper build process for software isn’t easy,” Andy wrote. “Tracking changes in different modules, making sure your final package contains the right things, and testing it thoroughly enough to catch discrepancies, or wrong versions is also time-consuming.”
The motto at Facebook used to be “Done is better than perfect.” That’s how much of the web works, even when you’re a legal corporation. Of course, this doesn’t even appear to be done, which is is what happens when you ship too soon.
“But you wouldn’t just test in-the-clear, you need some plausible deniability – and crypto-ransomware is very good deniability. If you want a tool that is effectively acts like a wiper, delay remediation – or simply don’t respond. And if your goal is something otherwise, your tool is reversible without having to (publicly) admit guilt.”
“And of course, remember, it could just be ransomware in-development,” he added.
But doesn’t it mean something that it seems to target Ukraine?
Maybe, but that doesn’t make it special.
“Ukraine suffers cyber attacks from different groups on a fairly regular basis,” Andy said.
So could a nation-state be behind this?
“We don’t think any current attribution is rock solid (attribution never really is),” Andy wrote. “We feel this is definitely worth deeper investigation. And more pizza.”
UPDATE: “I’m not allergic to the idea that this is nation state anymore,” Sean told BBC Future. “There are compelling details to continue analyzing this as a nation state attack. I don’t think this theory is garbage.”
Who might be behind it?
Look at this:
See that spike?
Our honey pots around the globe monitor web traffic. This is from right around the time of the NotPetya event.
“Looking at our intelligence network data, we were checking one by one countries of origin,” Leszek Tasiemski VP, F-Secure’s Rapid Detection Center. “When looking at Russia, we noticed there was a significant peak in SMB (and only SMB) traffic from that direction. To go deeper, 95% of that peak could be traced to Moscow and one IP (usually, we see traffic from all over the country) and the target sites were mostly Turkey, Sweden, Ukraine, Hungary and Germany – in that order.”
SMB contains the vulnerabilities that both WannaCry and (Eternal) Petya.
Does this mean Russia is behind this?
It could mean a Russian group is behind it. But attribution is hard.
And the line between nation-states and criminal gangs has all but disappeared in some nations.
How much does this have to do with the exploits the NSA hoarded that were leaked by the hacking group Shadowbrokers earlier this year?
It’s part of the story but not nearly as much a part of the story as it was for WannaCry.
Does F-Secure protect me against EternalPetya or NotPetya and Petya?
All of the above. F-Secure endpoint products prevent all examples of Petya and NotPetya.
So what should we do?
Use this as a reminder to make “Best Practices” your “Standard Operating Procedures.”
The news about NotPetya is evolving but the ways to prevent it haven’t changed:
“Run Microsoft Updates, remove any software you aren’t using, get a password manager, update your passwords… There things you can do to protect you against multiple types of malware,” Sean told us earlier this week. “Get the basics right.”
Here are some more things your company can do to beat Petya.