Counting NotPetya, Four Lookalike Ransomware Strains Have Hit Ukraine
Who’s gunning for Ukraine, and how many others will get caught in the crossfire?
See Also: How the New World of Digital Banking is Transforming Fraud Detection
In recent weeks, security researchers have counted four separate malware attacks targeting the country, including the Petya ransomware lookalike that many security researchers have been calling NotPetya.
Ukraine’s cyber police on Friday said they have received 1,500 requests for help since NotPetya emerged, of which more than 150 were from private businesses.
Ukrainian police are investigating reports that NotPetya was spread via an update to accounting services and business management software developed by Ukrainian software firm MeDoc. Authorities say the firm is cooperating with the investigation.
Some security experts believe that NotPetya may have been a smokescreen designed to mask other attacks or relay more malware. But there has not yet been any evidence that might conclusively prove or disprove that theory.
NotPetya, however, is not the only malware that has been targeting Ukraine.
On Tuesday, the same day that the NotPetya outbreak started, Ukrainian state power distributor Ukrenergo says that it was also infected by another WannaCry-like virus. Spokesman Vsevolod Kovalchuk said at a Friday news conference that no power networks had been disrupted as a result of the malware.
“The virus was slightly different, of a different nature, similar to WannaCry,” he said, Reuters reports. “The effect from it was insignificant, as some computers remained offline.”
Ukraine Quick to Blame Russia
Ukrainian politicians this week have blamed Russia for the NotPetya outbreak, as they have done for past attacks targeting its power grid (see Ukraine Blackout Redux: Hacking Confirmed).
The Kremlin continues to deny any involvement in or knowledge of such attacks and notes that NotPetya also affected Russian firms, including oil production giant Rosneft. “No one can effectively combat cyber threats on their own, and, unfortunately, unfounded blanket accusations will not solve this problem,” said Kremlin spokesman Dmitry Peskov.
The full extent of NotPetya infections and related damage has yet to be tallied.
According to Slovakian anti-virus firm ESET, 75 percent of all NotPetya infections that its users detected were in Ukraine, followed distantly by Germany and Poland.
But government officials in Germany say they have so far traced all attacks that affected domestic organizations to Ukraine.
Arne Schoenbohm, who heads Germany’s federal cybersecurity agency, the BSI, told Reuters Thursday that a few dozen German firms may have been hit by NotPetya. “In all of the known cases, the companies were first infected through a Ukrainian subsidiary,” Schoenbohm said.
U.S. Outlook: Unclear
In the United States, the picture is less clear.
A spokesman for the U.S. Department of Homeland Security was unable to detail how many U.S.-based organizations may have been affected. Instead, DHS referred to a Tuesday alert issued by its U.S. Computer Emergency Response Team, urging affected organizations to report infections to the FBI’s Internet Crime Complaint Center, IC3 (see FBI: Reported Internet-Enabled Crime Losses Hit $1.3 Billion).
“The Department of Homeland Security is monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners,” DHS says in a statement provide to Information Security Media Group. “We stand ready to support any requests for assistance. Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
Fresh Infection Reports
Reports of NotPetya infections continue to emerge.
Princeton Community Hospital in rural West Virginia reported that its systems were affected Tuesday, leaving electronic health records inaccessible. The hospital could not even print out backup paper-based templates, because they were stored on a PC that was also crypto-locked, the Wall Street Journal reports, noting that the hospital plans to scrap and replace its entire computer network.
That report followed at least two hospitals owned by the Heritage Valley Health System warning that they had been hit by NotPetya. Surgeons at those facilities canceled all elective surgeries as a result.
Other major corporations, including British advertising firm WPP Group and U.S. pharmaceutical firm Merck also experienced disruptions, as did Danish shipping giant A.P. Moeller-Maersk. On Wednesday, Maersk said operations at dozens of ports in the U.S., Europe and India run by its APM Terminals subsidiary were disrupted, leading in some cases to its container terminals being unable to take in ships. By Thursday, however, the firm said via Twitter that many affected ports had resumed operations, at least at reduced capacity, and that it was continuing “to work towards full restoration” of affected IT systems.
Global law firm DLA Piper was also affected by NotPetya, leading to continuing disruptions. One of the company’s attorneys said in a federal court filing Wednesday that “no U.S. attorney has access to the firm’s document management system. … The firm’s email system is inaccessible as well.”
Ukraine-Targeting Malware Redux
Four separate ransomware campaigns have recently targeted Ukraine, all of which have an unusual feature, in that they are lookalikes for previously seen malware, Bleeping Computer has reported.
The four strains include malware called XData, PSCrypt, NotPetya, as well as the WannaCry lookalike that hit Ukrenergo:
- XData: One week after the May 12 WannaCry outbreak, security researchers warned that ransomware called XData was targeting Ukraine. Quickly, they discovered that XData was based on older ransomware called AES-NI, which first surfaced last December. But the creator of AES-NI quickly reached out to journalists and researchers, disavowing any connection to the new strain or attacks.
- PSCrypt: The crypto-locking ransomware appeared earlier this month. Based on code analysis, security researchers say it appears to be the same as ransomware that first debuted last December, called Globe Imposter Ransomware.
- NotPetya: Security researchers say NotPetya borrows from Petya – which first appeared last year – but is more sophisticated and includes many unique components. The cybercrime group known as JanusSecretary that was behind Petya resurfaced Wednesday after a months-long silence, claiming that they had nothing to do with NotPetya, and saying that they were looking at whether whoever was using the code had built it in such a way that the original private key could be used to decrypt NotPetya infections.
- WannaCry lookalike: Based on the blockchain address associated with the ransomware, the first related attack dates from June 26, meaning that this ransomware was launched before NotPetya. The security researchers known as MalwareHunter Team tell Bleeping Computer that the malware was built to look like WannaCry, but that under the hood, only its countdown timer is the same. In reality, however, MalwareHunter Team says the attack code was written in .NET – not coded in C, like the original WannaCry – and that it doesn’t tap any Equation Group exploits to spread, as WannaCry did.
MalwareHunter Team says there’s evidence that MeDoc – or an application disguised as MeDoc – was used to spread XData as well as the new WannaCry lookalike.
Is there another MEDoc in Ukraine, or this is the same MEDoc which was used to distribute Petya/NotPetya (and previously XData)? pic.twitter.com/H9dpybD6av
— MalwareHunterTeam (@malwrhunterteam) June 29, 2017
The preponderance of lookalike ransomware targeting Ukraine is unusual. As Mikko Hypponen, chief research officer at Finnish security firm F-Secure, deadpans on Twitter: “It must be a lucrative market.”
No Solid Conclusions Yet
Some security researchers believe it’s obvious that Russia is targeting Ukraine.
But others say that such conclusions appear to be fueled by little more than confirmation bias, given the difficulty of unraveling sometimes conflicting evidence relating to the attacks.
Interesting findings continue to emerge. For example, F-Secure’s teardown of the NotPetya code revealed that whoever designed it “has a vendetta against Kaspersky Lab,” Andy Patel, a security researcher at F-Secure, writes in a Friday blog post, referring to the Moscow-based security firm. “If this malware finds running Kaspersky processes on the system, it writes junk to the first 10 sectors of the disk, and then reboots, bricking the machine completely.”
Patel says much remains unclear, such as whether NotPetya was designed to look like ransomware but in reality built to destroy drives, or whether that result is just a consequence of shoddy code development (see Latest Ransomware Wave Never Intended to Make Money).
It “could easily be a buggy, unfinished piece of ransomware” that was rushed into development after WannaCry appeared and Microsoft issued patches for flaws that NotPetya’s developers were hoping to capitalize on, Patel says.
While he acknowledges that it increasingly looks like a nation-state was involved in the development of NotPetya, if it was Russia, why did Russian firms get hit? “We know of victims who don’t use MeDoc and have no obvious connections to Ukraine,” Patel writes. “Yet they were infected during Tuesday’s outbreak. This mystery is one of the factors that have kept us from jumping on the conspiracy train. And we still don’t have answers here.”
(Executive Editor Marianne Kolbasuk McGee contributed to this story.)