In June, a fast-moving global cyberattack was launched by a sophisticated piece of malicious software, now called Petna, seemed to come straight out of a Hollywood thriller. At one point, this malware was infecting 5,000 computers every ten minutes.
The mystery of who sent it, and why, quickly deepened to leave the business world on a cliff edge and small businesses wondering just how much they needed to worry.
On the loose
The story began a year earlier, in March 2016, when a piece of malware called Petya was spotted for the first time by the world’s cybersecurity community. This malware was a fairly standard piece of ransomware spread by email that tempted the recipient to open an infected attachment.
Then, in June 2017, what appeared to be just a new version of this malware appeared. This time it wasn’t being used for small-time extortion; it was a key weapon in a global cyberattack against organisations in Europe and the USA.
That its first and most numerous victims were Ukrainian businesses left many in no doubt as to whom was behind this: Russian hackers who are alleged to have close links to the Russian state.
Petya, Not Petya or Petna
But it quickly became apparent that this ransomware was a rather mysterious piece of software.
Many analysts came to the conclusion that there was in fact only a superficial similarity between the original and the more recent variant. They argued that the later version was, in fact, a very well written, largely new piece of malicious software, which some cybersecurity researchers then dubbed NotPetya.
However, since then other researchers have taken a closer look at the code. What they discovered revealed greater similarities than was at first thought. They renamed it Petna.
The way it infected computers had also been transformed: Petna was spread through an automatic software update to a piece of accounting software called Medoc, which companies that paid tax in Ukraine had to use.
These were updates that Ukrainian businesses would never have thought to question. Companies from the USA and Europe that worked with these businesses were then quickly infected.
The mystery deepens
Researchers quickly realised that the extortionists’ crude payment methods were in sharp contrast to its sophisticated means of attack. The cyber criminals wanted to be communicated with by email, which is easily traceable, rather than via Tor, an encrypted form of communication that is almost impossible to trace.
These shadowy figures also wanted all the money paid to the same single Bitcoin address, which could be easily blocked, rather than to multiple accounts, which couldn’t be.
Indeed, after researchers broke into Petna’s code, it became clear that the software wasn’t actually designed to decrypt the victims’ data in the first place even if the payment was made.
Not about the money
This made many researchers conclude that Petna wasn’t about making money, but rather about sheer destruction – and perhaps global publicity. This is a type of attack called a wiper.
To better understand the reaction to Petna, it is important to remember that two months earlier there was another global cyberattack using the WannaCry ransomware. Petna has many similarities – as well as significant differences – with this previous attack.
Like WannaCry, Petna spread rapidly across organisations. Once one computer was infected, the rest of a network were quickly infected as well. However, Petna didn’t try and infect computers outside the network – and as a result, the extent and speed of the infection, while fast, was thankfully more limited.
Both these malwares use a vulnerability widely believed to have been developed by the NSA called EternalBlue, which was leaked online by the Russian hacker group ShadowBrokers to exploit the same vulnerability in Microsoft Windows.
A fix for this vulnerability was published back in March, but the extortionists were clearly betting that many organisations still wouldn’t have installed it.
Once they had infected one computer on a network, both pieces of ransomware quickly became impossible to stop. This is because they both harvested administrative passwords to force open the rest of the computers.
Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, has strong views on the purpose of NotPetya.
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” says Weaver. “The best way to put it is that NotPetya’s payment infrastructure is a faecal theatre.”
Pseudonymous security researcher Grugq noted that “the superficial resemblance to the original Petya is only skin deep. Although there is significant code sharing, the first version was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”
What must small businesses learn from this latest cyberattack?
It’s still about the money!
Greg Mosher, VP of Product and Engineering, AVG Business by Avast thinks that you can’t entirely discount the money motive.
“Some hackers do just want to cause as much disruption as possible – state-sponsored or not,” he says. “However, this may not have been the case with Petna.
“A large majority of attacks are still carried out by cyber criminals and for them it’s always about money even if it’s not obvious in an initial attack. However, we don’t know for sure if Petna was more politically-motivated trying to disrupt, or if it was simply the setting of a stage by a criminal group for a more profitable attack later.
“Within a few days of the attack over $10,000 in Bitcoin was paid by its victims, even though the chance that they would get all their data back from an infected computer was close to zero.
“That’s $10,000 that the hackers could earn by barely lifting a finger – and that’s why they will continue to target individuals, businesses and organisations which use popular and widely available software.”
Simple but effective steps for SMBs:
Work with your business partners to improve security: contractors or suppliers coming onto your site and accessing your systems may provide a way in for hackers if their devices aren’t secure.
Break your network into separate zones: use firewalls or user groups to partition the network, to try and stop an infection in one area from spreading into another.
Install the latest software patches as quickly as you can, but check that they are authentic first: download them from the official source.
Change the default passwords! Never use the default password that accompanies any device or software. Create a new and strong password before you connect it to your network.
Back up your data every day: if you are hacked or held to ransom, you may be able to avoid paying and carry on trading.
These simple techniques are vital to protecting your business. Unfortunately, what is harder to defeat is the threat from hacking gangs themselves. And this threat is only likely to increase as the value of information does, or as the value – or schadenfreude – gained from causing chaos in their adversaries’ economy does.