Slashdot Mirror


The Petya Ransomware Is Starting To Look Like a Cyberattack in Disguise (theverge.com)

Further research and investigation into Petya ransomware -- which has affected computers in over 60 countries -- suggest three interesting things: 1. Ukraine was the epicentre of the attack. According to Kaspersky, 60 percent of all machines infected were located within Ukraine. 2. The attackers behind the attack have made little money -- around $10,000. Which leads to speculation that perhaps money wasn't a motive at all. 3. Petya was either "incredibly buggy, or irreversibly destructive on purpose." An anonymous reader shares a report: Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program's decryption failure in a post today, Comae's Matthieu Suiche concluded a nation state attack was the only plausible explanation. "Pretending to be a ransomware while being in fact a nation state attack," Suiche wrote, "is in our opinion a very subtle way from the attacker to control the narrative of the attack." Another prominent infosec figure put it more bluntly: "There's no fucking way this was criminals." There's already mounting evidence that Petya's focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky. Ars Technica has more.

11 of 182 comments

  1. Re:Russians by Oswald+McWeany · · Score: 3, Insightful

    So the Russians did it?

    They would be the logical assumption. No one gains more by destabilising Ukraine.

    --
    "That's the way to do it" - Punch
  2. Re:Russians by Oswald+McWeany · · Score: 3, Insightful

    Who has most to gain from Russia being blamed for something petty with no gains in it for them whatsoever?

    No one really. No one really gains from Russia being blamed if it wasn't Russia. There is no reason to frame Russia.

    I mean, what is the motive?

    Oh, you mean, like, besides destabilising the country they are trying to stealthily reclaim, that they've already illegally stolen territory from.

    --
    "That's the way to do it" - Punch
  3. Re:Russians by MightyMartian · · Score: 4, Insightful

    You are aware, I trust, that Ukraine and Russia are effectively at war, right? Why this need for convoluted conspiracy theories when the most parsimonious explanation is that Russia waged a cyberattack on Ukraine? Maybe Russia didn't give a flying fuck whether anyone could eventually decrypt the data or not, if the point is just to cause damage. It's like asking "Why didn't they send in the Army Corps of Engineers to rebuild the bridge they just bombed to oblivion?" answer being, they just wanted to bomb the bridge to oblivion.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. We all saw it coming, didn't we? by hyperar · · Score: 1, Insightful

    Now everything is "nation-sponsored", so-called experts now throw this at everything without handing a single proof of their claims, and sometimes not even making sense.

  5. vaccine by Rudisaurus · · Score: 4, Insightful

    According to BleepingComputer.com, you can vaccinate against NotPetya by creating and adding 3 write-protected files to your C:\Windows folder: perfc, perfc.dat, and perfc.dll.

    Content doesn't matter but "Read-only" status does.

    --
    licet differant, aequabitur
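
The file placement this comment describes, as an added example that is not part of the original comment or of the BleepingComputer article it cites. The `-Root` and `-Apply` parameters are names chosen for this example; creating files in the Windows folder requires an elevated session.

```powershell
# Added example: audit (and, with -Apply, create) the three read-only files
# named in the comment above. Parameter names are assumptions of this example.
[CmdletBinding()]
param(
    [string]$Root = $env:SystemRoot,   # C:\Windows on a default install
    [switch]$Apply                     # without -Apply the script only reports
)

$names = 'perfc', 'perfc.dat', 'perfc.dll'

$report = foreach ($name in $names) {
    $path = Join-Path -Path $Root -ChildPath $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

    if ($Apply) {
        if (-not $item) {
            # Per the comment, content does not matter, so an empty file is enough.
            $item = New-Item -ItemType File -Path $path -ErrorAction Stop
        }
        # Only files carry IsReadOnly; a directory with the same name is reported, not changed.
        if (-not $item.PSIsContainer -and -not $item.IsReadOnly) {
            $item.IsReadOnly = $true
        }
        $item = Get-Item -LiteralPath $path -Force
    }

    [pscustomobject]@{
        Path     = $path
        Exists   = [bool]$item
        IsFile   = [bool]($item -and -not $item.PSIsContainer)
        ReadOnly = [bool]($item -and -not $item.PSIsContainer -and $item.IsReadOnly)
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment tool flag hosts where any file is missing or writable.
if ($report | Where-Object { -not $_.ReadOnly }) { exit 1 }
```

Run without `-Apply` first to see the current state of a host; the exit code makes the same script usable as a compliance check.
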
  6. Re:Ready Set Go by Rei · · Score: 4, Insightful

    Yeah, what part of him de facto annexing parts of half a dozen neighboring countries and de jure annexing part of Ukraine would give one the impression that he wants to restore the empire? What part of Putin lamenting the fall of the Soviet Union would give one that impression?

    --
    "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
  7. Re:Sigh another Russia poke by people with no clue by MightyMartian · · Score: 5, Insightful

    How was the attack poor? Sure, they didn't make any money, but they fucked up a lot of Ukraine businesses. Mission accomplished, I'd say.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. Re:Extremely thin "evidence" by MightyMartian · · Score: 2, Insightful

    Because Russia would never try to screw around with the computers of a country that it has a) effectively invaded and b) already annexed a piece of its territory. Oh no, to suggest that is somehow to betray "political motivation."

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  9. Re:Russians by JaredOfEuropa · · Score: 1, Insightful

    How is Twitter a "source"?

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  10. Re: Do you editors even read your own stories?! by bestweasel · · Score: 3, Insightful

    That's one way of looking at it; this is another:

    Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.

    Weaver noted that Petya's ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.

    Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.

    "I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," Weaver said. "The best way to put it is that Petya's payment infrastructure is a fecal theater."

    From Krebs on Security

    For the non-native English speakers here (and I know there are a lot of you), fecal theater is a euphemism for shit show.

  11. Re:Ready Set Go by dunkelfalke · · Score: 3, Insightful

    Even Moldova would be wrong - that particular civil war happened when Putin was just an aide for a local politician.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap