Show caption A message demanding money on a computer hacked in a ransomware attack. Photograph: Donat Sorokin/TASS Malware Ransomware attack ‘not designed to make money’, researchers claim Digital security researchers say malware attack that spread from Ukraine appeared to be focused on damaging IT systems Alex Hern @alexhern Wed 28 Jun 2017 15.08 BST Share on Facebook

Share on Twitter

Share via Email 3 years old

A ransomware attack that affected at least 2,000 individuals and organisations worldwide on Tuesday appears to have been deliberately engineered to damage IT systems rather than extort funds, according to security researchers.

The attack began in Ukraine, and spread through a hacked Ukrainian accountancy software developer to companies in Russia, western Europe and the US. The software demanded payment of $300 (£230) to restore the user’s files and settings.

The malware’s advanced intrusion techniques were in stark contrast with its rudimentary payment infrastructure, according to a pseudonymous security researcher known as “the grugq”.

The researcher said the software was “definitely not designed to make money” but “to spread fast and cause damage, [using the] plausibly deniable cover of ‘ransomware’”.

This analysis was supported by UC Berkley academic Nicholas Weaver, who told the infosec blog Krebs on Security: “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”

The NotPetya malware is so-called because while it shares code with an earlier ransomware strain called Petya, it is “a new ransomware that has not been seen before”, according to security researchers at Kaspersky Lab. It requires infected users to send $300 in the cryptocurrency bitcoin to a payment address that appears hardcoded into the software.

The address for sending the payment and a 60-character, case-sensitive “personal installation key”, are only presented in text on the ransom screen, and require a confirmation email to be sent to an address hosted by the German email provider Posteo.

Posteo quickly closed the email account, meaning that even if victims paid, they would not be able to decrypt their computers.

“If this well-engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’),” the grugq said.

In contrast to the payment infrastructure, the malware’s infection techniques were described as “well-written”, using a number of different methods to ensure maximum damage to the networks it penetrates.

NotPetya, which uses the NSA hacking tool EternalBlue to enterWindows-operated machines with unpatched security, steals passwords in an attempt to gain administrator access over the entire network. It then begins spreading itself as a forced update to all machines on the network, before encrypting their hard drives.

But unlike WannaCry, the malware that powered a global ransomware attack last month, NotPetya does not contain code that enables it to leave a network once it has spread.

The majority of the infections – 60%, according to Kaspersky – are within Ukraine, where the accounting software which appears to have introduced the malware is one of two legally mandated software suites used to file taxes.

At least one of the major non-Ukrainian organisations affected, the Danish shipping firm Maersk, also appeared to use the software, according to a job posting shared on Twitter.

Ukraine has suggested Russia may have been behind the attack, which struck on the eve of Ukraine’s constitution day, which celebrates the country’s split from the Soviet Union. Russia annexed Crimea from Ukraine in 2015 and pro-Russia separatists continue to fight government troops in the east of the country.

Kiev has previously blamed Russia for a series of cyber-attacks, which Russia denies. Russian companies were also hit by NotPetya, including the Rosneft oil company which said cash registers at some petrol stations were affected without offering further details.

Ukraine said on Wednesday it had contained the attack and “all strategic assets, including those involved in protecting state security, are working normally”.

Finding the perpetrator of the attack is difficult, said Mark McArdle, chief technical officer at cybersecurity firm eSentire. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.”