As posted on Ransomware attack ‘not designed to make money’, researchers claim

A ransomware attack that affected at least 2,000 global users on Tuesday appears to have been deliberately engineered to damage IT systems rather than extort funds, according to security researchers.

The attack began in Ukraine, and spread through a hacked Ukrainian accountancy software developer to companies in Russia, western Europe and the US. The software demanded payment of $300 (£230) to restore the user’s files and settings.

The malware’s advanced intrusion techniques were conspicuous in comparison to its rudimentary payment infrastructure, according to a pseudonymous security researcher known as “the grugq”.

The researcher said the software was “definitely not designed to make money” but “to spread fast and cause damage, [using the] plausibly deniable cover of ‘ransomware.’”

This analysis was supported by UC Berkeley academic Nicholas Weaver, who told the infosec blog Krebs on Security: “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”

The NotPetya malware – so-called because, while it shares code with an earlier ransomware strain called Petya, it is “a new ransomware that has not been seen before”, according to security researchers at Kaspersky Lab – requires infected users to send $300 in the cryptocurrency bitcoin to a payment address that appears hardcoded into the software.

The address for sending the payment and a 60-character, case-sensitive “personal installation key” are only presented in text on the ransom screen, and require a confirmation email to be sent to an address hosted by the German webmail provider Posteo.

Posteo quickly closed the email account, meaning that even if victims paid, they would not be able to decrypt their computers.

“If this well-engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’),” the grugq said.

In contrast to the payment infrastructure, the malware’s infection techniques were described as “well-written”, using a number of different methods to ensure maximum damage to the networks it penetrates.

NotPetya, which enters unpatched Windows machines using the NSA hacking tool EternalBlue, steals passwords in an attempt to gain administrator access over the entire network. It then begins spreading itself as a forced update to all machines on the network, before encrypting their hard drives.

But unlike WannaCry, the malware that powered a global ransomware attack last month, NotPetya does not contain code that enables it to leave a network once it has spread.

The majority of the infections – 60%, according to Kaspersky – are within Ukraine, where the accounting software which appears to have introduced the malware is one of two legally mandated software suites used to file taxes.

At least one of the major non-Ukrainian organisations affected, the Danish shipping firm Maersk, also appeared to use the software, according to a job posting shared on Twitter.

Ukraine has suggested Russia may have been behind the attack, which struck on the eve of Ukraine’s Constitution Day, a holiday that celebrates the country’s split from the Soviet Union.

Kiev has previously blamed Russia for a series of cyber-attacks, which Russia denies. Russian companies were also hit by NotPetya.

Finding the perpetrator of the attack is difficult, says eSentire CTO Mark McArdle. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgement.”

Russia annexed Crimea from Ukraine in 2015 and pro-Russian separatists continue to fight government troops in the east of the country.