Earlier this week computer systems around the world were hit by a piece of ransomware that appeared to be a new version of the Petya ransomware that first made the rounds in early 2016. However, security researchers discovered that this week's attack was not ransomware at all, as it was not designed to make money.
There was a superficial resemblance to Petya, but the real goal of Tuesday's attack was to spread fast and cause a lot of damage by permanently deleting data. Paying the Bitcoin ransom is pointless because there is no way to restore the data: the attack is a wiper. Most of the damage seems to have been caused in Ukraine.
We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract attention to some mysterious hacker group rather than a nation state attacker, as we have seen in the past in cases that involved wipers such as Shamoon.
The fact of pretending to be ransomware while being in fact a nation state attack, especially since WannaCry proved that widely spread ransomware isn't financially profitable, is in our opinion a very subtle way for the attacker to control the narrative of the attack.
Ars Technica notes the attack incorporated two exploits stolen from the NSA. Fully patched Windows systems are not vulnerable to the automatic, exploit-based spread.
In almost all other aspects, Tuesday's malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren't likely to be mistakes, considering the overall quality of the malware.