Daily BulletinHoliday Centre

The Conversation

  • Written by Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
image

The WannaCry ransomware was barely out of the headlines when another cyberattack took down computer systems around the world.

This time, a piece of malware dubbed “NotPetya” is to blame. And unlike WannaCry, it has no clear “kill switch” as it spreads across infected networks.

NotPetya has reportedly hit several global organisations so far, including the American pharmaceutical company Merck and, in Australia, Cadbury.

The attack was initially classed as ransomware: malicious software that holds a user to ransom by encrypting their files and blocking access without a “key”. It was a reasonable assumption given the threatening message displayed to victims – but the picture is more complicated.

NotPetya is distinct from WannaCry in a number of important ways – particularly, money doesn’t seem to be its end goal.

1. It’s about disruption not profit

Unlike other ransomware incidents, NotPetya seems to be aimed at disruption rather than criminal profiteering (or perhaps just bad design).

First, the amount requested by the ransomers is relatively small – only US$300. This seems to place a low value on the loss of access that the malware causes.

Secondly, infected machines direct the user to make payment to one Bitcoin account. Users are also referred to a single email address to obtain the keys necessary to decrypt their data. Unfortunately, many users have now discovered that the email account has been closed by Posteo, the email provider.

This means that, even having made payment for the ransom, end users are unable to recover their data. Locking yourself out from your victims with a fixed address in this manner just doesn’t make good business sense.

This points either to amateurish implementation, or to the fact that NotPetya may have another purpose.

Some reports suggest the ransom demands may be a media lure to maximise public attention, while other researchers question whether recovery of encrypted data was ever possible.

In some circles, this attack has been classified as a “wiper” (in which data or even entire disks are deleted or modified beyond repair), but this is still to be firmly determined.

Whatever the case, if the perpetrators wanted to make money they have gone about it all wrong.

2. Ukraine seems to be the centre of the damage

Unlike WannaCry, which made headlines after it shut down the computer systems of British hospitals among other organisations, the largest number of NotPetya incidents have been reported in Ukraine.

The malware uses an “exploit” – a tool that can take advantage of a specific vulnerability on a computer – to remotely execute code on vulnerable Windows operating systems. This vulnerability, called MS17-010, was patched by Microsoft in March. The instances of compromised systems suggests that many organisations and individuals have failed to install the patch.

One possible explanation for high levels of non-patched systems could be the prevalence of pirated software in Ukraine.

Another distribution mechanism used by the malware appears to be a software updater linked to the Ukrainian tax accounting software, M.E.Doc.

While there is no clear evidence pointing to the perpetrators of this attack, its motivations could be political. Unlike WannaCry, NotPetya is seriously disrupting businesses rather than making money, or else is masking its other intentions.

3. It may not even be ransomware

While NotPetya uses an edited version of the same EternalBlue software exploit as the WannaCry ransomware to remotely run code on the victim’s Windows computer, it differs in many key ways.

Whereas WannaCry only encrypted certain files (typically users’ most important data), NotPetya also prevents access to the entire operating system. It does this by writing over key parts of the hard disk as well as encrypting users’ files.

Traditional encryption ransomware typically has a key available to recover your files. With NotPetya, there is no key to facilitate recovery (despite the promises shown on screen). There is evidence that the allegedly unique ID shown to the victim is actually random data that could never result in a decryption key being provided.

While it is still too early to provide a definitive analysis of this cyberattack, it is clear this is a new twist in online warfare.

The code has been carefully designed to take advantage of vulnerable systems while the user is duped into believing that it’s possible to recover their files. The ransomware distraction may have been a careful misdirection to hide the true intentions of the mayhem.

We can expect this trend to continue and that organisations (and individuals) need to be more proactive in keeping their operating systems up to date and their data backed up.

Authors: Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

Read more http://theconversation.com/three-ways-the-notpetya-cyberattack-is-more-complex-than-wannacry-80266


The Conversation

Politics

Keeping Australians safe at airports

The Morrison Government is increasing counter-terrorism measures across nine airports by boosting the Australian Federal Police’s capability to disrupt and deter high-risk-incidents.   Prime Min...

Scott Morrison - avatar Scott Morrison

Scott Morrison on Medivac

PRIME MINISTER: The Australian public are in no doubt about our Government’s commitment to strong borders. Our Government has always been consistent. The Liberal and National parties have always b...

Scott Morrison - avatar Scott Morrison

Government will protect religious freedoms by getting the law right

After further considering the hundreds of submissions that have been made to the Exposure Draft of the Religious Discrimination Act (RDA), the Government decided earlier this week to issue a revis...

Scott Morrison - avatar Scott Morrison

Business News

Working at Heights: Why the Risks of Occupational Accidents Still Fall on Builders

In most cities and towns, the construction industry is booming, and all you have to do is look around you to figure out why. In addition to new homes going up all around you, businesses are needed a...

Alertforce - avatar Alertforce

Media and Capital Partners spins out new agency arm Mojo Media

Media and Capital Partners, one of Australia’s leading investor relations and media relations consultancies, has spun out a new, fully integrated consumer, finance and technology PR agency called ...

Media Release - avatar Media Release

How to make your small business survive and thrive in 2020

There’s a global downturn and Australian bricks and mortar retail is in a slump. 2020 is going to be a rough year. Everyone knows that, but a lot don’t know what to do about it. Australia still h...

Dorry Kordahi - avatar Dorry Kordahi

Travel

To sell travel packages partner with Holiday Centre - Advertisement

If you are a travel or accommodation provider allow the travel professionals at HolidayCentre.com market your products.. With a business name like Holiday Centre, you can be sure that they will delive...

Holiday Centre - avatar Holiday Centre

6 travel tips you need to know before visiting Melbourne

People have always held Melbourne in high regard with it's numerous coffee stops, it's glorious art galleries, the food scene that can floor any curious palate. There's a unique multiculturalism i...

News Company - avatar News Company

Hertz DriveU

Hertz and Air France launch Hertz DriveU, a new high-quality, hassle-free airport transfer service Hertz DriveU “When you don’t want to drive!” The service is available at more than 300 airports...

Media Release - avatar Media Release

ShowPo