2018 Year-in-Review: The NoPetya/Petya Ransomware Incidents

For 2018, we in Hackercombat.com have discussed the implications of NoPetya/Petya ransomware multiple times, it was featured in at least 6 articles in this website. The Petya and NoPetya families of ransomware are distinguished from other infamous ransomware like the WannaCry worm of 2017, since the former were developed by a state-actor instead of private virus authors. A state-actor is used for people sponsored by a country to act on something, whether the action is legal or illegal. A state-actor pursues the interest of his host country, mostly for espionage or cyber attacks against its perceived enemies.

In many publications, especially from antivirus vendors, the Petya/NoPetya family of ransomware are linked to state-actors allegedly funded by the Russian Federation. The first version, dubbed Petya was first identified two years ago, in 2016 with the goal of asking victims to pay a price in order for the malware to decrypt the user files. It takes control of the hard drive’s boot sector, rewriting the MBR with its own code which runs before Windows launches.

It initially asked ransom payment using real world currency, but later evolved to demand for payment in Bitcoins, definitely a move in order to anonymize the ransom transactions. NoPetya is an evolution of Petya, as it has specific targets instead of randomly infecting computers regardless of geographical location. The well known target of the NoPetya ransomware detected in the wild is the state of Ukraine, a former Soviet state, who separated from the latter after the cold war.

Allegedly, the state-actor made NoPetya to infect computers belonging to the government owned and controlled corporation, a oil company named Rosneft headquartered in Ukraine. The new NotPetya has been diagnosed as not containing a similar ‘killswitch’ or emergency stop like Petya before it, but there is a possibility to prevent the encryption itself from being executed if the worm infects a PC. The malware checks for whether the PC is already infected by seeing if a particular file exists. If the file exists, the program closes.

According to IT security specialist at the company CSIS Peter Kruse, it has long been clear that the arrow pointed to Russia. NotPetya targeted companies in Ukraine, and it was not expected that so many others would be affected. “It was a murderous destructive code, whose sole purpose was to destabilize. Such a modus operandi, where you would only destroy systems in Ukraine. It smelled from the start (it is coming from) Russia. It is part of a larger political game that is unfolding right now and becoming more and more significant. The different countries are upgrading within cyber capacity and actively using it. We will see much more of that,” says Peter Kruse.

The attack was apparently put in place to decimate Ukrainian IT infrastructure. An ongoing project for the Sandworm group, which is also behind the hacking attacks on power plants, which, according to Wired, has darkened Ukraine several times. Four hospitals in Kiev alone were hit by six power providers, two airports and at least 22 Ukrainian banks. This prompted the Minister of Infrastructure to declare the ‘government dead’, as the ransom was coded to never be able to decrypt the victim’s files, regardless of whether the ransom was paid.