Daily BulletinDaily Bulletin

The Conversation

  • Written by Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
image

The WannaCry ransomware was barely out of the headlines when another cyberattack took down computer systems around the world.

This time, a piece of malware dubbed “NotPetya” is to blame. And unlike WannaCry, it has no clear “kill switch” as it spreads across infected networks.

NotPetya has reportedly hit several global organisations so far, including the American pharmaceutical company Merck and, in Australia, Cadbury.

The attack was initially classed as ransomware: malicious software that holds a user to ransom by encrypting their files and blocking access without a “key”. It was a reasonable assumption given the threatening message displayed to victims – but the picture is more complicated.

NotPetya is distinct from WannaCry in a number of important ways – particularly, money doesn’t seem to be its end goal.

1. It’s about disruption not profit

Unlike other ransomware incidents, NotPetya seems to be aimed at disruption rather than criminal profiteering (or perhaps just bad design).

First, the amount requested by the ransomers is relatively small – only US$300. This seems to place a low value on the loss of access that the malware causes.

Secondly, infected machines direct the user to make payment to one Bitcoin account. Users are also referred to a single email address to obtain the keys necessary to decrypt their data. Unfortunately, many users have now discovered that the email account has been closed by Posteo, the email provider.

This means that, even having made payment for the ransom, end users are unable to recover their data. Locking yourself out from your victims with a fixed address in this manner just doesn’t make good business sense.

This points either to amateurish implementation, or to the fact that NotPetya may have another purpose.

Some reports suggest the ransom demands may be a media lure to maximise public attention, while other researchers question whether recovery of encrypted data was ever possible.

In some circles, this attack has been classified as a “wiper” (in which data or even entire disks are deleted or modified beyond repair), but this is still to be firmly determined.

Whatever the case, if the perpetrators wanted to make money they have gone about it all wrong.

2. Ukraine seems to be the centre of the damage

Unlike WannaCry, which made headlines after it shut down the computer systems of British hospitals among other organisations, the largest number of NotPetya incidents have been reported in Ukraine.

The malware uses an “exploit” – a tool that can take advantage of a specific vulnerability on a computer – to remotely execute code on vulnerable Windows operating systems. This vulnerability, called MS17-010, was patched by Microsoft in March. The instances of compromised systems suggests that many organisations and individuals have failed to install the patch.

One possible explanation for high levels of non-patched systems could be the prevalence of pirated software in Ukraine.

Another distribution mechanism used by the malware appears to be a software updater linked to the Ukrainian tax accounting software, M.E.Doc.

While there is no clear evidence pointing to the perpetrators of this attack, its motivations could be political. Unlike WannaCry, NotPetya is seriously disrupting businesses rather than making money, or else is masking its other intentions.

3. It may not even be ransomware

While NotPetya uses an edited version of the same EternalBlue software exploit as the WannaCry ransomware to remotely run code on the victim’s Windows computer, it differs in many key ways.

Whereas WannaCry only encrypted certain files (typically users’ most important data), NotPetya also prevents access to the entire operating system. It does this by writing over key parts of the hard disk as well as encrypting users’ files.

Traditional encryption ransomware typically has a key available to recover your files. With NotPetya, there is no key to facilitate recovery (despite the promises shown on screen). There is evidence that the allegedly unique ID shown to the victim is actually random data that could never result in a decryption key being provided.

While it is still too early to provide a definitive analysis of this cyberattack, it is clear this is a new twist in online warfare.

The code has been carefully designed to take advantage of vulnerable systems while the user is duped into believing that it’s possible to recover their files. The ransomware distraction may have been a careful misdirection to hide the true intentions of the mayhem.

We can expect this trend to continue and that organisations (and individuals) need to be more proactive in keeping their operating systems up to date and their data backed up.

Authors: Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

Read more http://theconversation.com/three-ways-the-notpetya-cyberattack-is-more-complex-than-wannacry-80266

Asylum or economic opportunity? The mixed messages in Australia's new Hong Kong visa options

arrow_forward

How to Choose a Reliable Long Distance Moving Company

arrow_forward

The Conversation
INTERWEBS DIGITAL AGENCY

Politics

Prime Minister Interview with Ben Fordham, 2GB

FORDHAM: Thank you very much for talking to us. I know it's a difficult day for all of those Qantas workers. Look, they want to know in the short term, are you going to extend JobKeeper?   PRI...

Scott Morrison - avatar Scott Morrison

Prime Minister Scott Morrison interview with Neil Mitchell

NEIL MITCHELL: Prime minister, good morning.    PRIME MINISTER: Good morning, how are you?   MICHELL: I’m okay, a bit to get to I apologise, we haven't spoken for a while and I want to get t...

Scott Morrison - avatar Scott Morrison

Prime Minister Interview with Ben Fordham

PRIME MINISTER: I've always found that this issue on funerals has been the hardest decision that was taken and the most heartbreaking and of all the letters and, you know, there's been over 100...

Scott Morrison - avatar Scott Morrison

Business News

Understanding Your NextGen EHR System and Features

NextGen EHR (Electronic Health Records) systems can be rather confusing. However, they can offer the most powerful features and provide some of the most powerful solutions for your business’s EHR ne...

Rebecca Stuart - avatar Rebecca Stuart

SEO In A Time of COVID-19: A Life-Saver

The coronavirus pandemic has brought about a lot of uncertainty for everyone across the world. It has had one of the most devastating impacts on the day-to-day lives of many including business o...

a Guest Writer - avatar a Guest Writer

5 Ways Risk Management Software Can Help Your Business

No business is averse to risks. Nobody can predict the future or even plan what direction a business is going to take with 100% accuracy. For this reason, to avoid issues or minimise risks, some for...

News Company - avatar News Company



News Company Media Core

Content & Technology Connecting Global Audiences

More Information - Less Opinion