‘Wiper Malware’ in Global Attack Actually Destroys Data
A malware strain at the center of this week’s global attack that crippled networks in multiple countries was not ransomware as first suspected, but rather a “wiper” that encrypts data and makes it unrecoverable, top cyber security experts now say.
The alarming revelation means the hacker campaign that struck Europe, the U.S., France, Italy, Germany and elsewhere since Monday was merely posing as a ransomware attack and is actually intended to destroy target files.
What was originally believed to be a variant of the Petya ransomware – which was stolen last year from a National Security Agency cyber weapons toolkit – has since been determined to be an entirely new type of malware dubbed “ExPetr.”
“Our analysis indicates there is little hope for victims to recover their data,” a statement from Kaspersky Lab said. “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”
The problem lies with the new malware’s inability to obtain the installation ID needed for decryption.
“In previous versions of ‘similar’ ransomware (like Petya/Mischa/GoldenEye) this installation ID contained the information necessary for key recovery,” the statement from the security software vendor explained. “ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption.
“In short, victims could not recover their data.”
This week’s attack marked the second time in as many months that hackers crippled networks by locking computers and demanding $300 ransoms.
Last month’s WannaCry ransomware campaign resulted in more than 200,000 attacks in more than 150 countries, enabled by successful spear-phishing and unpatched Windows operating systems.
The ensuing rush to update Windows might have facilitated the latest attack.
“The most significant discovery to date is that the Ukrainian website for the Bakhmut region was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file,” Kaspersky officials said. “To our knowledge no specific exploits were used in order to infect victims.
“Instead, visitors were served with a malicious file that was disguised as a Windows update.”
Who would commit such an attack and why remained an open question today.
Matt Suiche, founder of cyber security firm Comae Technologies, suggested the campaign appears designed to conceal a state-sponsored attack against Ukraine.
That country was hardest-hit by the malware, which targeted power companies, airports, banks, state-run television stations, postal facilities and large industrial manufacturers.
“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche told The Hacker News.
Decrypting the data would have been problematic nonetheless, because the German email service provider cited by the hackers in ransom instructions cut off the cyber criminals’ access to the account shortly after the attacks began.
Thus, even victims who paid the bitcoin ransom would not have been able to email proof or obtain decryption keys.
Kaspersky Lab offers the following advice to network administrators: “Use the AppLocker feature of Windows OS to disable the execution of any files that carry the name ‘perfc.dat’ as well as the PSExec utility from the Sysinternals Suite.”
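The AppLocker advice above, as an added PowerShell example written for this page (it is not Kaspersky's or Microsoft's code): it builds a policy with path-based Deny rules for perfc.dat and the PsExec binaries, checks the policy against sample paths without applying it, and then merges it into the local policy in audit mode first. The temporary file name, the stand-in sample files, the default Allow rules and the PsExec64.exe file name are assumptions made for the example; the environment is assumed to be an elevated session on a Windows edition that supports AppLocker, with the Application Identity service running.

```powershell
# Added example, not code from the article or from Kaspersky Lab.
# Assumes: run as Administrator, AppLocker-capable Windows edition,
# Application Identity service (AppIDSvc) running.
#Requires -RunAsAdministrator
param(
    [switch]$Enforce   # default is AuditOnly: log what would be blocked, block nothing yet
)

$mode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }

# One path rule for Everyone (SID S-1-1-0). AppLocker evaluates Deny rules
# before Allow rules, so a Deny wins even where a broad Allow also matches.
function New-PathRuleXml {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow', 'Deny')][string]$Action
    )
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# Caveat: an enforced rule collection blocks everything it does not explicitly
# allow. The two Allow rules keep Windows and Program Files runnable so a
# deny-only policy cannot lock the machine up; adapt them to an existing policy.
# Rule IDs are generated per collection because every rule needs a unique Id.
function New-RuleCollectionXml {
    param([string]$Type, [string]$Mode)
    $rules = @(
        New-PathRuleXml -Name 'Allow Windows'       -Path '%WINDIR%\*'       -Action Allow
        New-PathRuleXml -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*' -Action Allow
        New-PathRuleXml -Name 'Deny perfc.dat'      -Path '*\perfc.dat'      -Action Deny
        New-PathRuleXml -Name 'Deny PsExec'         -Path '*\PsExec.exe'     -Action Deny
        New-PathRuleXml -Name 'Deny PsExec64'       -Path '*\PsExec64.exe'   -Action Deny   # assumed file name
    ) -join "`n"
    return @"
  <RuleCollection Type="$Type" EnforcementMode="$Mode">
$rules
  </RuleCollection>
"@
}

# perfc.dat is loaded as a DLL (via rundll32), so the Deny belongs in the Dll
# collection as well as Exe. Enabling Dll rules costs performance; test first.
$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollectionXml -Type 'Exe' -Mode $mode)
$(New-RuleCollectionXml -Type 'Dll' -Mode $mode)
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-perfc-psexec.xml'   # constructed temp path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run. Test-AppLockerPolicy needs real files, so empty stand-ins are created
# (constructed for this example); notepad.exe checks that Windows stays allowed.
$standIns = @('perfc.dat', 'PsExec.exe') | ForEach-Object {
    $p = Join-Path $env:TEMP $_
    New-Item -Path $p -ItemType File -Force | Out-Null
    $p
}
$samples = $standIns + "$env:WINDIR\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge rather than replace, so allow rules already in the local policy survive.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Write-Host "AppLocker policy merged in $mode mode."
Write-Host "Audit hits appear as Event ID 8003 in 'Microsoft-Windows-AppLocker/EXE and DLL'."
```

Run it once without `-Enforce`, review the 8003 audit events for a few days to confirm nothing legitimate would be blocked, then re-run with `-Enforce`. Path rules are only as good as the file name: a renamed copy of PsExec is not matched, so where the goal is to keep PsExec off workstations for good, a publisher rule keyed on its code-signing certificate is the stronger choice; the path rules here implement the advice exactly as the article states it.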
Send tips and news to MSPmentorNews@Penton.com.