48 hours after initial reports, many mysteries remain around the latest ransomware/wiper threat

Posted by   Martijn Grooten on   Jun 29, 2017

"What's in a name? that which we call a rose
By any other name would smell as sweet"

Shakespeare's philosophising can equally be applied to malware, and whether you call it Petya, NotPetya, Nyetya or Petna, the latest piece of malware to hit the headlines is just as damaging.

The name isn't the only thing security experts disagree on when it comes to the malware that has been causing damage around the world (and seems to have hit Ukraine particularly hard) in the past 48 hours.

What experts do agree on is that it shares some similarities with the ransomware known as Petya (a February 2017 analysis from Fortinet's Raul Alvarez includes, for example, the same fake CHKDSK screen as we see in this malware); that at least one of the infection vectors was the compromised update mechanism of MEDoc, tax accounting software for the Ukrainian market (as explained in a Microsoft blog post); that it uses a number of methods to spread internally within networks, including but not limited to two SMB exploits leaked by the 'Shadow Brokers' (as explained in a Cisco Talos blog post); and that, as Kaspersky researchers explain, it uses a randomly generated string installation ID that a victim, upon payment of the ransom, is supposed to use to get the decryption key.

 

petyagetcryptrandom.pngThe malware's use of GetCryptRandom to generate the installation ID; source: Kaspersky.

However, the use of a random string, rather than something that leads to the private encryption key used to encrypt the files on the machine, means that it is likely that decryption of files won't be possible, and that those who have paid the ransom to the hard-coded Bitcoin address will get neither their money nor their files back. Therefore, it won't make much of a difference that email provider Posteo has taken the somewhat odd step of blocking the email address that victims were supposed to use to receive the decryption key.

Of course, it could well be that the lack of an encryption mechanism was intentional, and that the authors didn't mean to gain financially, just to disrupt systems – and many people have jumped to quick, but understandable conclusions about who could want to do this to Ukraine.

We should be wary of confirmation bias though. In March, when the Shadow Brokers leaked a number of exploits against Windows vulnerabilities, the timing (it was a Friday afternoon) and the suspected motive of this group led people to believe that these were zero-day vulnerabilities. Indeed, several researchers confirmed the exploits worked against fully patched Windows systems and those who couldn't get them to work were looking at what mistakes they could have made. Later, it turned out that the first group of researchers were so eager to prove that these were zero-days, that they didn't realise their systems weren't fully up-to-date and that a recent Microsoft patch had indeed patched the vulnerabilities. 

Malware written to destruct does exist and in recent years has affected, for example, South Korea and the Middle East. But malware authors do make mistakes and sometimes their mistakes are indeed odd and unusual. Without further evidence to the contrary, we should keep that possibility in mind.

On the subject of encryption mistakes in malware, at VB2016 last year, Check Point researchers Yaniv Balmas and Ben Herzog presented the paper "Great Crypto Failures". You can read their paper here or here (PDF) or watch their presentation below.

 

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Throwback Thursday: Giving the EICAR test file some teeth

The 68-byte EICAR test file plays as important a role today as it did 19 years ago. In this week's Throwback Thursday we look back at a VB99 conference paper in which Randy Abrams described how this 'miracle tool' worked and how it could be used.

XMRig used in new macOS cryptominer

A new piece of cryptocurrency-mining malware on macOS has been found to use the popular XMRig miner.

Tendency for DDoS attacks to become less volumetric fits in a wider trend

CDN provider Cloudflare reports an increase in DDoS attacks targeting layer 7 and focusing on exhausting server resources rather than sending large volumes of data. This fits in a wider trend.

Turkish Twitter users targeted with mobile FinFisher spyware

Through fake social media accounts, users were tricked into installing an Android application that was actually a mobile version of the FinFisher spyware.

Hide'n'Seek IoT botnet adds persistence

The Hide'n'Seek IoT botnet has received an update to make its infection persist on infected devices beyond a restart.