At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: Cerber, Locky, and WannaCry.
Generally, the goal of ransomware is financial gain. For a ransomware family to make money in the long term, it must be able to both encrypt and decrypt files. These steps ensure that once payment is sent, data can be recovered. Otherwise, victims will learn that payments are worthless and the ransomware industry’s reputation will suffer, along with the loss in revenue for the criminal. Cerber, Locky, and WannaCry all had methods for decrypting files after encryption. Unlike Cerber and Locky, however, WannaCry lacked victim identification, which left most victims with encrypted disks even after payment. The recent Petya campaign does not include the capability to decrypt files due to changes in the key and victim ID, with or without payment. The word is spreading, and we can expect more and more victims to stop paying the ransom. In a financially motivated campaign, this significantly reduces the ransomware’s effectiveness. Thus, the orchestrators of this campaign appear to be either short sighted or not financially motivated.
What other indicators do we have of the attackers’ motivation? The behavior of malware can also help us infer intent of the authors. Let’s look at some key behaviors of the new campaign. Namely, the way it finds new hosts; the files it chooses to encrypt; its stealth tactics; and its ransom-note injunction with the method for collecting payment.
When Petya seeks new hosts it first checks to see if it is installed on a domain controller. If it is, it looks for the DHCP server service to understand the local network. Using this information, it then scans only the local network. If not on a domain controller, it uses an address resolution protocol (ARP) scan technique to discover the local network. See our previous post for more technical details.
In contrast, WannaCry generates random IP addresses to attempt to attack potential targets, not limited to the local network, allowing it to spread across the Internet. Cerber and Locky do not have a built-in spreading mechanism; they mostly use combinations of botnets and email spam or other social engineering techniques to infect users. If money is the motivation, as it is with traditional ransomware, the larger the spread across the Internet the better. Local spreading of the malware is more likely to cripple or sabotage a specific organization and less likely to spread across organizations. In this case, however, Petya also started to spread globally. One or more targets in the Ukraine were the first to be attacked. The infections spread from there. We believe that the Petya attackers did not intend to reach so broad an audience during the initial attack, yet still caused a lot of collateral damage.
The core function of ransomware is to encrypt files. Arguably the more files that are encrypted, the more effective the ransomware is. Encrypted files are the motivation for victims to pay ransoms. Most ransomware limits that files it encrypts based on file extension to ensure the victim’s system is still functional and the victim can pay the ransom.
In the preceding table, we compare the number of file types encrypted by the different ransomware families. A variant of Petya from nearly one year ago listed 228 extensions for encryption. These numbers show a large amount of coverage and the motivation to withhold as many files as possible without crippling the system. The recent Petya campaign targets only 65 file types and significantly reduces the time it takes for victims’ files to be fully encrypted. Although there can be reasons for speedy encryption, the actors sacrificed potentially important files, which cannot be used as leverage to entice victims to pay the ransomware.
When Cerber, Locky, WannaCry and previous Petya variants encrypt a file, they add their own extension to the file. This shows the user that the file is still there, but no longer in the usual format. The current Petya does not add an extension to a file after encryption. The users remain unaware of encryption or even which files are encrypted. They may not know if an important file they rarely access is indeed on the list of files they can no longer access. Instead of rebooting immediately, Petya restarts the system after an hour, allowing the malware some time to attack the network before anyone notices. Its priorities are to infect as many machines as possible instead of getting a ransom from a particular victim.
How do we explain Petya’s attacks against the master boot record and master file table? These render the entire system unusable. In this case why does encrypting files matter? The attack on the boot record and file table are similar to the behavior of the previous version of Petya, but there is one important difference. In research reported by Hasherezade, the new Petya destroys the Salsa20 cipher key by erasing it from the disk. In previous versions of Petya, the key is backed up in the victim’s ID before being erased—allowing for the recovery of the disk. Hasherezade also shows that the victim’s ID is generated before the random Salsa20 key is made, proving there is no relationship between the Salsa20 key and the victim’s ID. A reboot is required for this overwrite to take effect and supports the priorities we have mentioned. This difference in priorities implies the attackers are looking for pure destruction—closer in behavior to campaigns like Shamoon rather than ransomware such as Cerber, Locky, and WannaCry.
Before infection After infection
Another distinct characteristic of the new Petya is that it attempts to cover its tracks. This variant has code to delete Windows event logs to make it harder for researchers to discover what it does. This secrecy is not present in major ransomware families such as Cerber, Locky, or WannaCry. Ransomware by nature is not stealthy; it needs to be seen by the user. It must be visible for the attackers to get paid. It is not uncommon to see antimalware evasion techniques in ransomware, but Petya’s cleanup at the end of the infection does not provide any coverage against antimalware products. Removing Windows logs does not match the normal steps of ransomware.
For ransomware to be financially effective, it needs a mechanism to collect payments. Cerber, Locky, and WannaCry use the TOR network in conjunction with a Bitcoin wallet. If the ransom is not sent within a certain time, the cost increases. This ticking clock pushes the user to pay as quickly as possible, a common social engineering technique. The use of TOR also makes the malware difficult to track. Petya uses a Bitcoin wallet but provides an email address to contact. It does not set a time limit or threaten to increase the cost. Effectively, it removes proven techniques used in the past to increase profits. Although email can be difficult to track, it provides more clues for law enforcement to follow than a TOR web page. A financially motivated attacker will try to force a user to pay as soon as possible, as we have seen in other ransomware campaigns.
The attacks that began on June 27 by the new Petya campaign are no doubt malicious and caused serious damage. In the rush to find solutions and combat this new threat, is it possible the world miscategorized this new threat? Our analysis comparing Petya to previous ransomware families supports the idea that this attack was not ransomware but was intended to maximize destruction. The attackers decisions regarding propagation suggest they may have had a certain group or groups in mind as targets. The security industry has seen many examples of campaigns intended to destroy systems, such as Shamoon and Shamoon 2.
Unfortunately, we expect to see more targeted acts of destruction in the future. The industry has also been knee deep in numerous new ransomware families and variants during the last two years. However, two major recent families seem to break the ransomware mold: to a lesser extent, WannaCry, which has more ransomware capabilities, and, to a greater extent, the new Petya variant, which appears to be significantly more interested in destruction than money. (We expressed our suspicions about WannaCry in “Is WannaCry Really Ransomware?”) For malware like this, demanding a ransom may be a red herring, merely a distraction to hide its true intentions.