Petya: Is it ransomware or cyberwarfare?

It turns out Petya is a cyber weapon being used to carry out cyberwarfare activities

Petya: Is it ransomware or cyberwarfare?
U.S. Army illustration

The Petya ransomware attack was announced as headline news in major media outlets globally earlier this week.

At first blush, infected organizations were asking themselves, "Should we or shouldn't we?" Pay the ransom, that is.

Not long after the Petya outbreak, Cybersecurity Ventures posted a poll on Twitter asking people if they should pay a ransom if they got hit by the new ransomware.

Within hours, more than 800 people cast their votes: 9 percent voted "Pay, We've got Bitcoin," while 90 percent voted "No, Don't Pay the Hackers."

The criminals behind the cyber attack apparently made around $10,000 (USD, at the current price) in Bitcoin within hours after Petya was launched. But not long after, various cybersecurity experts revealed that Petya wasn't typical ransomware.

"The [Petya] ransomware that spread in the past two days required people to pay in order to receive a code that they then had to email to the crooks in order to get their data back," says Joseph Steinberg, a cybersecurity columnist at Inc..

"Shutting down the crook’s email account may have terminated the crook's ability to perpetuate the scam, but it also meant that some people and organizations may have lost their data with no way to recover it," he adds.

As Steinberg pointed out, the email account belonging to the Petya author(s) was shut down. That probably accounts for the disproportionately high percentage of "Don't Pay the Ransom" voters.

Is Petya a cyber weapon?

Another expert, Stu Sjouwerman, CEO at KnowBe4, a security awareness training company, suggests that Petya is not ransomware, rather it's a cyberweapon being used to carry out cyberwarfare activities.

Sjouwerman wrote the following (excerpt) in a blog post, "[ALERT] NotPetya Is a Cyber Weapon, Not Ransomware," that was just posted. I've included it here with his permission:

Yesterday morning, after monitoring this new outbreak (Petya) for 24 hours, I came to the conclusion we were dealing with cyberwarfare, and not ransomware.

Two separate reports coming from Comae Technologies and Kaspersky Lab experts confirm this now.

NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past.

Note that Shamoon actually deleted files. NotPetya goes about it slightly differently. It does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same.

Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who.

You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look as ransomware as a smoke screen:

  1. It never bothers to generate a valid infection ID.
  2. The Master File Table gets overwritten and is not recoverable.
  3. The author of the original Petya also made it clear NotPetya was not his work.

This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

Catalin Cimpanu, the Security News Editor for Bleepingcomputer stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber weapon and not just some overly-aggressive ransomware."

You did not sign up for this, but today it is abundantly clear that as an IT pro, you are have just found yourself on the front line of 21st century cyber war.

Cybersecurity has moved from Tech to a CEO and board-level business issue.

I strongly suggest you have another look at your defense-in-depth, and make sure to:

  1. Have weapons-grade backups.
  2. Religiously patch.
  3. Step users through security awareness training.

Let's stay safe out there.

Most people say don't pay the ransom

It's worth reading the original blog post on the KnowBe4 site, which contains various hyperlinks to additional information on Petya, ransomware and cyberwarfare.

Had the Cybersecurity Ventures poll been posted later in the day, it would have asked if Petya was ransomware or cyberwarfare.

More broadly, however, the poll expresses the general sentiment towards ransoms—Don't Pay.

The No More Ransom Project is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cybersecurity companies—Kaspersky Lab and Intel Security.

The Ransomware Q&A on the No More Ransom Project website says:

"Paying the ransom is never recommended, mainly because it does not guarantee a solution to the problem. There are also a number of issues that can go wrong accidentally. For example, there could be bugs in the malware that makes the encrypted data unrecoverable even with the right key.

"In addition, if the ransom is paid, it proves to the cybercriminals that ransomware is effective. As a result, cybercriminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts."

There is, of course, the 10 percent who say Pay when it comes to ransoms.

"I'm a practical man," says John McAfee, cybersecurity luminary and CEO at MGT Capital Investments Inc. "If the ransom is not paid, the victim suffers many orders of magnitude more in data loss than they do in ransom costs."

McAfee recommends stockpiling Bitcoins.

"I don't believe that random targets have sufficient social conscience to want to suffer for the good of the majority. My advice: Have your Bitcoins handy for a ransomware emergency," he says.

No matter what it's called, Petya is hostileware, and organizations are paying the price. Cybercrime damages are expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This week's cyber attack is the latest evidence of that.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)