Ransomware has changed a lot since it was introduced back in 1989 by Dr. Joseph Popp, where 20,000 floppy disks were distributed via snail mail. The malware hid files on a victim's hard drive and encrypted only the file names, rather than the entire files themselves. As one might assume, the entire remediation process was manual, rather than digital. Popp's program asked victims to print the ransom note and send $189 to a bank in Panama. When he was caught, he was determined unfit to stand trial. All the money he obtained was donated to AIDS research.
Fast-forward to 2017, and ransomware is much different and much more sophisticated. On June 27th news headlines sounded the alarm on a new strain of ransomware that was detected in Ukraine and quickly spread across the globe, affecting 65 other countries. Government institutions and municipalities were affected, as well as businesses and banks. Knowing that ransomware is one of the most lucrative (if not the most lucrative) cybercrime - costing businesses around the world $1 billion in 2016 and projected to exceed $5 billion this year - the warning did not seem to equate to resounding hysteria.
Like WannaCry, it relied on EternalBlue, the backdoor worm exploit generally believed to have been created by the NSA, that provides access to Microsoft Windows. Here's an excerpt from the webinar that outlines what we discovered about Petya's attack flow, including a huge spike in malicious domain queries:
At the peak of the attack, June 29th, we saw over 1,200 queries to the payload domains used by Petya.
Soon after Petya was launched, it looked different from other ransomware strains. Going against the usual trends of ransomware in term of financial impact, only about $10,000 was paid out as ransom to the malware actors. These payments occurred through the dark web, as encrypted ransom payments usually are. But for ransomware, doesn't $10,000 seem to be low considering the efforts and risk cybercriminals go through to launch attacks, especially ransomware attacks whose sole function is to exchange information for money?
With Petya and NotPetya, there seemed to be something else at play. As our previous blog post stated, "Some reports [...] indicated data on the affected systems was permanently lost [because] the malware destroyed critical control information needed to recover the encrypted data. However, since the email address the attackers set up to collect payments and remit decryption keys was taken down by the security community, data recovery [was] not an option anyway."
Was Petya a failed strain of ransomware whose efforts were miscalculated by malware actors, or did the cybercriminals have something else in mind?