Crime Group Behind ‘Petya’ Ransomware Resurfaces To Distance Itself From This Week’s Global Cyberattacks

Janus Cybercrime Solutions, the author of Petya — the ransomware initially attributed with Wednesday’s global cyberattacks — resurfaced on Twitter early Thursday, seemingly offering to help those whose files can no longer be recovered.

The altruistic gesture, even if it does prove fruitless, is uncharacteristic of the criminal syndicate that launched an underworld enterprise by placing powerful exploits in the hands of others to deploy as they saw fit. It may also simply indicate that Janus would prefer not to be tagged with the spread of “NotPetya” — so named by Kaspersky Lab, which has itself sought to differentiate between Janus’ ransomware and that which worked havoc across Europe this week.

There’s consensus now among malware experts that NotPetya is actually a wiper — malware designed to inflict permanent damage — not ransomware like Petya, which gave its victims’ the option of recovering their data for a price.



Image: Janus Cybercrime Solutions

The earliest analysis of this was offered earlier this week by security researcher the grugq, who wrote: “The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’.”

In a tweet early Thursday, the public face of Janus came to life after seven months of silence, suggesting that files locked by NotPetya might be recovered using a Janus private key. At time of writing, they have yet to elaborate any further.

we're back havin a look in "notpetya" maybe it's crackable with our privkey #petya @hasherezade sadly missed 😉 — JANUS (@JanusSecretary) June 28, 2017

Ransomware-as-a-Service

In early 2016, Janus launched a darknet website based on a black-market business model called Ransomware-as-a-Service (RaaS). Simply put, they offered other criminals access to a sophisticated ransomware-distribution platform. Its customers, after paying a nominal registration fee, could use the platform and in exchange Janus received a cut of all ransom paid. The customers tracked infection rates via a simple web interface, which also allowed them to adjust the ransom amounts. Janus, which has presented itself as a “professional cybercriminal” organisation, even offered technical support, mitigating bug reports and fielding requests for new features to its beta platform.

The revenue model was designed specifically to benefit customers who pulled in the most ransom payments. Those who collected fewer than five bitcoin in ransom per week, for example, received only a 25 per cent cut, while those collecting more than 125 bitcoin received an 85 per cent share.

In the past, RaaS dealers mostly limited commercial access to ransomware that exploited well-known and widely-patched vulnerabilities. Janus, however, wasn’t screwing around. The group is fairly unique in that its product was sophisticated and, at the time, still very much effective.

Petya, the malware which was not behind Wednesday’s outbreak — despite widespread reports of this in the media — only made up half of Janus’ payload.

Unlike most ransomware, which leaves the operating system intact while encrypting individual files, Petya encrypts entire portions of its victim’s hard drive. Petya, instead, replaces the computer’s Master Boot Record, locking the user out of the operating system. The Master File Table is then encrypted leaving the computer unable to locate any of the victim’s files. The user is offered a unique code which can be entered into a decryption website in order to submit a payment. The instructions are always offered in clear and concise terms — the more complex the process, the fewer payments will be received.

Once Petya is downloaded — in the past, it was distributed by emails with the help of a spambot — the user is prompted to give the malware user account control. If the user clicks “Yes”, Petya initiates and the aforementioned process begins. If they click “No” instead, backup malware, known as Mischa, executes. This malware is of the more typical variety and encrypts individual files before prompting the victim with payment instructions from inside the operating system.

If the victim was infected by Mischa and made the payment, they were given a password to decrypt the files. If infected by Petya, the password decrypts the Master File Table and repairs the Master Boot Record. Either way, paying the ransom results in the user regaining complete access to their files without suffering permanent damage.

Ransomware-as-a-Disguise

Conversely, what motivated the malicious actor behind the NotPetya infections was not money. The grugq’s assessment was confirmed on Wednesday by Kaspersky Lab malware analysts Anton Ivanov and Orkhan Mamedov, who wrote that the victims of the NotPetya malware were unable to recover their files, even if the ransom was paid.

The grugq’s report was also confirmed hours earlier by hacker Matthieu Suiche, founder of Comaelo Technologies.

These assessments indicate that NotPetya is a “wiper” designed specifically to destroy data — not generate revenue. “We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” wrote Suiche.

In other words, his assessment is that NotPetya is the work of government hackers who used “ransomware” as a disguise to conduct a sophisticated cyberattack for the purpose of inflicting maximum damage. Suiche writes that, in his opinion, the purpose of this ruse was to “control the narrative of the attack”, meaning the hackers behind it sought to mislead the press.

As to whom may be responsible, attribution, as always, remains problematic. It appears, however, that patient zero may be a Ukrainian software firm called MeDoc — though the company has refuted this allegation in a Facebook post on Tuesday.

According to several experts, the outbreak began after MeDoc was breached and NotPetya was pushed out to its customers via a software update. Attacks of this kind, designed to damage a company’s reputation by inflicting damage on its clients, are what’s known as a “supply chain attack.”

Some have fingered Russia, which has intervened militarily in Ukraine since 2014, pointing to NotPetya infections in the Russia oil sector mitigated with suspicious ease. “It’s a miracle!” the grugq declared (sarcastically) in his post.

Since the media was tricked into helping cover the tracks of those responsible — at least for a time — the question now is whether security reporters will ever learn to defend themselves (and their readers) from nation-states employing this unique type of manipulation.

In any case, it’s easy to see why the criminal organisation Janus doesn’t seek to bolster its reputation by assuming credit for one. This is cyberwar and it’s not good for business.