By Douglas McKee and Charles McFarland on Jun 30, 2017

At the beginning of the recent Petya malware campaign, the world was quick to exclaim that this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let's examine three other well-known ransomware campaigns: Cerber, Locky, and WannaCry.

Generally, the goal of ransomware is financial gain. For a ransomware family to make money in the long term, it must be able to both encrypt and decrypt files. These two steps ensure that once payment is sent, data can be recovered. Otherwise, victims will learn that payments are worthless and the ransomware industry's reputation will suffer, along with the criminal's revenue. Cerber, Locky, and WannaCry all had methods for decrypting files after encryption. Unlike Cerber and Locky, however, WannaCry lacked victim identification, which left most victims with encrypted disks even after payment.

The recent Petya campaign does not include the capability to decrypt files, with or without payment, because of changes in the key and victim ID. The word is spreading, and we can expect more and more victims to stop paying the ransom. In a financially motivated campaign, this significantly reduces the ransomware's effectiveness. Thus, the orchestrators of this campaign appear to be either short-sighted or not financially motivated.

The behavior of malware can also help us infer the intent of its authors. What other indicators do we have of the attackers' motivation? Let's look at some key behaviors of the new campaign: the way it finds new hosts, the files it chooses to encrypt, its stealth tactics, and its ransom-note injunction together with the method for collecting payment.

When Petya seeks new hosts, it first checks whether it is installed on a domain controller. If it is, it looks for the DHCP server service to understand the local network. Using this information, it then scans only the local network. If it is not on a domain controller, it uses an address resolution protocol (ARP) scan technique to discover the local network. See our previous post for more technical details. In contrast, WannaCry generates random IP addresses to attack potential targets, not limited to the local network, which allows it to spread across the Internet. Cerber and Locky do not have a built-in spreading mechanism; they mostly use combinations of botnets and email spam or other social engineering techniques to infect users. If money is the motivation, as it is with traditional ransomware, the larger the spread across the Internet the better. Local spreading of the malware is more likely to cripple or sabotage a specific organization and less likely to spread across organizations. In this case, however, Petya also started to spread globally. One or more targets in Ukraine were the first to be attacked. We believe that the Petya attackers did not intend to reach so broad an audience during the initial attack, yet still caused a lot of collateral damage.

The core function of ransomware is to encrypt files.
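The host-discovery contrast described above (Petya scanning only the local network it learns from the ARP cache or from DHCP, WannaCry generating random Internet addresses) can be turned into a simple triage check. The following Python is an added example written for this page; it is not code from the authors, from McAfee, or from either malware family. It models a non-domain-controller host building a Petya-style target list from a constructed Windows `arp -a` dump, a WannaCry-style random target generator, and a defender-side classifier that reads constructed SMB connection records (a key=value flow format assumed for the example, not a real product's log) and labels each scanning source as local-subnet or Internet-wide. The DHCP path taken on domain controllers is not modelled.

```python
import ipaddress
import random
import re
from collections import defaultdict

# Constructed ARP cache in Windows `arp -a` layout: what a host that is not a
# domain controller can learn about its local network (example data only).
SAMPLE_ARP = """\
Interface: 10.1.5.23 --- 0xb
  Internet Address      Physical Address      Type
  10.1.5.1              00-11-22-33-44-55     dynamic
  10.1.5.77             00-11-22-33-44-66     dynamic
  10.1.5.78             00-11-22-33-44-67     dynamic
  10.1.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed connection attempts in a key=value flow format assumed for this
# example. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# ranges standing in for Internet addresses.
SAMPLE_FLOWS = """\
2017-06-27T10:12:03Z src=10.1.5.23 dst=10.1.5.77 dport=445 proto=tcp
2017-06-27T10:12:03Z src=10.1.5.23 dst=10.1.5.78 dport=445 proto=tcp
2017-06-27T10:12:05Z src=10.1.5.23 dst=10.1.5.12 dport=139 proto=tcp
2017-06-27T10:13:00Z src=10.1.5.40 dst=203.0.113.9 dport=445 proto=tcp
2017-06-27T10:13:00Z src=10.1.5.40 dst=198.51.100.77 dport=445 proto=tcp
2017-06-27T10:13:01Z src=10.1.5.40 dst=192.0.2.200 dport=445 proto=tcp
2017-06-27T10:13:01Z src=10.1.5.40 dst=10.1.5.44 dport=445 proto=tcp
2017-06-27T10:13:02Z src=10.1.5.40 dst=203.0.113.130 dport=445 proto=tcp
2017-06-27T10:14:00Z src=10.1.5.9 dst=10.1.5.10 dport=80 proto=tcp
"""

ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(dynamic|static)")
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def arp_targets(arp_output):
    """Petya-style discovery on a non-DC host: unicast neighbours in the ARP cache."""
    targets = set()
    for line in arp_output.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if addr.is_multicast or m.group(2) == "ff-ff-ff-ff-ff-ff":
            continue  # broadcast and multicast entries are not hosts
        targets.add(addr)
    return targets


def random_internet_targets(n, seed=0):
    """WannaCry-style target selection (model): random IPv4 addresses, not limited to the LAN."""
    rng = random.Random(seed)
    targets = set()
    while len(targets) < n:
        addr = ipaddress.ip_address(rng.getrandbits(32))
        if is_rfc1918(addr) or addr.is_loopback or addr.is_multicast or addr.is_reserved:
            continue
        targets.add(addr)
    return targets


def smb_targets_by_source(flow_text):
    """Defender side: distinct SMB (139/445 tcp) destinations per source host."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group(4) == "tcp" and int(m.group(3)) in SMB_PORTS:
            targets[ipaddress.ip_address(m.group(1))].add(ipaddress.ip_address(m.group(2)))
    return targets


def classify_scope(dests, local_net, min_targets=3):
    """'local-subnet' when every target is inside local_net (sabotage pattern),
    'internet-wide' when at least half are outside RFC 1918 space (worm pattern)."""
    net = ipaddress.ip_network(local_net)
    if len(dests) < min_targets:
        return "insufficient"
    local = sum(1 for d in dests if d in net)
    public = sum(1 for d in dests if not is_rfc1918(d))
    if local == len(dests):
        return "local-subnet"
    if public / len(dests) >= 0.5:
        return "internet-wide"
    return "mixed"


def report(flow_text, local_net):
    """Map each source seen probing SMB to its spreading scope."""
    return {str(src): classify_scope(dests, local_net)
            for src, dests in smb_targets_by_source(flow_text).items()}


if __name__ == "__main__":
    print(sorted(str(a) for a in arp_targets(SAMPLE_ARP)))
    print(classify_scope(random_internet_targets(50), "10.1.5.0/24"))
    print(report(SAMPLE_FLOWS, "10.1.5.0/24"))
```

The 50 percent threshold and the minimum of three distinct targets are arbitrary tuning knobs for the example; in a real network the local ranges should come from inventory rather than a single /24, and a source that is "mixed" deserves a closer look rather than a verdict.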
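Why the change in key and victim ID matters for the payment argument made above can be shown with a small model. The following Python is an added example, not the authors' code and not a reconstruction of Petya's real cryptography. It uses a toy SHA-256 counter-mode keystream for file encryption and a symmetric key-wrap under an attacker-held master key (standing in for the asymmetric key a real family would use) to show that a ransom note only lets the attacker return the key when the displayed installation ID is a wrapped copy of the per-victim key. An ID that is random data, which is the assumption modelled by the `recoverable=False` path, cannot be turned back into anything, so payment cannot lead to recovery.

```python
import hashlib
import hmac
import secrets

# Constructed attacker-side secret. A real scheme would hold the private half of
# a key pair here; symmetric wrapping keeps the example dependency-free and does
# not change the property being demonstrated.
ATTACKER_MASTER_KEY = secrets.token_bytes(32)


def keystream(key, length):
    """Toy keystream: SHA-256 in counter mode over a per-victim key (model only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_file(victim_key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(victim_key, len(data))))


decrypt_file = encrypt_file  # XOR with the same keystream undoes the encryption


def wrap_victim_key(master, victim_key):
    """Escrow: build the 'installation ID' the ransom note tells the victim to send.
    Layout: nonce (16) || victim_key XOR pad (32) || MAC (16), recoverable only
    by the holder of master."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(master + nonce).digest()  # 32 bytes, same as the key
    ct = bytes(a ^ b for a, b in zip(victim_key, pad))
    tag = hmac.new(master, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap_victim_key(master, installation_id):
    """Attacker side: recover the per-victim key from the ID, or fail when the
    ID was never derived from a key (the situation modelled for Petya)."""
    if len(installation_id) != 16 + 32 + 16:
        raise ValueError("installation ID has the wrong length")
    nonce, ct, tag = installation_id[:16], installation_id[16:48], installation_id[48:]
    expected = hmac.new(master, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("installation ID is not a wrapped key; nothing to recover")
    pad = hashlib.sha256(master + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


def infect(data, recoverable=True):
    """One victim: encrypt data under a fresh key, then produce the ransom-note ID."""
    victim_key = secrets.token_bytes(32)
    blob = encrypt_file(victim_key, data)
    if recoverable:
        installation_id = wrap_victim_key(ATTACKER_MASTER_KEY, victim_key)
    else:
        # Modelled flaw: the ID shown to the victim is random and unrelated to victim_key.
        installation_id = secrets.token_bytes(64)
    del victim_key  # the victim's machine no longer holds the key
    return blob, installation_id


def attempt_recovery(blob, installation_id):
    """Victim pays, attacker unwraps the ID and returns the key, victim decrypts.
    Returns the plaintext, or None when the key cannot be recovered."""
    try:
        key = unwrap_victim_key(ATTACKER_MASTER_KEY, installation_id)
    except ValueError:
        return None
    return decrypt_file(key, blob)


if __name__ == "__main__":
    sample = b"constructed sample document"
    print(attempt_recovery(*infect(sample, recoverable=True)) == sample)
    print(attempt_recovery(*infect(sample, recoverable=False)))
```

The point of the model is the last two lines: with a properly escrowed ID the round trip succeeds, while with a random ID the attacker has no way to distinguish a paying victim's key from noise, so the "pay and decrypt" promise cannot be kept regardless of intent.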