Co-authored by Steve Stone.

After finalizing its initial analysis, IBM X-Force Incident Response and Intelligence Services (IRIS) concluded that the Petya variant attacks that started on Tuesday, June 27, were intended as destructive attacks against Ukraine rather than a means for cybercriminals to profit from ransom payouts. In other words, this attack was not focused on financial gain like the ransomware attack it was disguised as.

Several pieces of evidence from our research suggest that the attacks were designed to permanently disable as many machines as possible and that the malware was, in fact, more characteristic of a “wiper” attack (intended to destroy data) rather than a ransomware attack.

IBM X-Force IRIS outlined this evidence in technical detail below. However, the main factor leading to this conclusion is that the Personal Installation Key provided on the lock screen instructions is randomly generated and incapable of relaying the information the attacker would need to provide the correct Advanced Encryption Standard (AES) decryption key.

Put simply, the information provided in the “ransomware” is not accurate or relevant to unlocking any affected machine. Additionally, the design of the attack suggests that it was carried out by a technically skilled group of cybercriminals, yet the execution of the ransomware and payment methodology showed little to no expertise or intent to produce financial gains.


Further analysis of impacted victims also led our team to conclude that this attack was specifically aimed at organizations within Ukraine:

  • IBM has data to confirm that MeDoc, the tax software specific to organizations doing business in Ukraine, was the initial vector for the attacks.
  • For all of the attack victims IBM security experts analyzed, the initial host machine infected was based in Ukraine.
  • The attackers also leveraged an element of Strategic Web Compromise, or “watering hole” attacks, in which the malware was hidden within compromised websites. The websites compromised in this attack were frequented by Ukrainian visitors rather than a global audience.

Based on these factors, it’s clear that the Petya variant used in these attacks is not related to the traditional Petya malware in purpose or technical indicators. Given this, we believe the attacks were executed by a different group from the one behind the previous Petya attacks.

Additional technical analysis of this evidence is below.

Intent on Destruction

For victims of this attack, following the instructions on the ransomware’s lock screen does not provide the attacker with enough information to derive the recovery key needed to unlock files on impacted machines. This indicates that either the malware was deployed without testing, or the attacker was never serious about unlocking files for those who would pay the ransom.

Given that the attacker accomplished far more demanding technical feats (automated lateral movement and ETERNALBLUE and ETERNALROMANCE propagation), IBM X-Force IRIS believes the attacker was not serious about unlocking files. We know that emailing the address specified by the attacker on the ransomware lock page results in a bounce message because the provider has shut the account down. Relying on a single email address for payment verification is also uncommon and prone to shutdown by the email provider.

Malware Is More Wiper Than Ransomware

June 30 Update: During our continued analysis, IBM X-Force IRIS researchers identified an additional encryption mechanism utilized by the malware. The MFT is encrypted using the Salsa20 algorithm, but the key is not stored anywhere on disk as-is or in encoded/encrypted format. The MFT encryption, plus the AES encryption of files targeted by the malware, put the odds of data recovery at zero even with access to the attacker’s RSA private key.

A wiper is characterized by unrecoverable file destruction, which is effectively what this new Petya variant accomplished.

IBM X-Force IRIS assessed the following destructive capabilities:

  • The malware overwrites the logical sector 1 of the C: drive.
  • It also writes new loader code in physical sector 0, where the master boot record (MBR) is, and in succeeding sectors of the physical drive where Windows is installed. The contents of the original MBR are encrypted via byte-wise XOR using 0x07 as the key and then copied to sector 34 of the physical drive. Note that the malware assumes 512 bytes per sector when doing this.
  • The malware restarts the machine at a later time by creating a scheduled task that will execute “%WINDIR%\System32\shutdown.exe /r /f.”
  • The loader code displays the following fake CHKDSK run when the machine is restarted.

  • After the fake CHKDSK run is finished, the system is again restarted and the following ransom message is shown:
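The MBR handling in the list above (original MBR XOR-encoded with 0x07 and copied to sector 34, 512-byte sectors assumed) is the one part of the boot-level damage that is mechanically reversible, which matters for a responder imaging a disk. The following is an added example, not IBM's code and not a tool the post describes: it builds a constructed disk image laid out the way the post describes and recovers the original MBR from sector 34, using the 0x55AA boot signature as a sanity check. The sector layout constants and the sample MBR bytes are assumptions made for this example.

```python
"""Recover the original MBR from a disk image patched the way the Petya
variant above patches it. Added example, not IBM's code.

Assumptions (constructed for this example, not taken from a real victim):
  * 512-byte sectors, original MBR XOR-encoded with 0x07 and stored at
    physical sector 34, as the post describes;
  * the image is a raw byte string built inline so the example runs offline.
"""
SECTOR_SIZE = 512
BACKUP_SECTOR = 34
XOR_KEY = 0x07
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of any valid MBR


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def read_sector(image: bytes, index: int) -> bytes:
    """Return one 512-byte sector from a raw image, or fail if out of range."""
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"sector {index} lies outside the image")
    return sector


def looks_like_mbr(sector: bytes) -> bool:
    """Minimal plausibility check: correct size and 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def recover_original_mbr(image: bytes) -> bytes:
    """Decode sector 34 with XOR 0x07 and verify the result is a plausible MBR."""
    candidate = xor_bytes(read_sector(image, BACKUP_SECTOR), XOR_KEY)
    if not looks_like_mbr(candidate):
        raise ValueError("sector 34 does not decode to a valid MBR; the image "
                         "may be unaffected or use a different layout")
    return candidate


def is_patched_layout(image: bytes) -> bool:
    """True if the image carries a recoverable XOR-encoded MBR at sector 34."""
    try:
        recover_original_mbr(image)
        return True
    except ValueError:
        return False


def build_sample_image(original_mbr: bytes, sectors: int = 64) -> bytes:
    """Constructed sample: sector 0 holds placeholder loader bytes,
    sector 34 holds the XOR-encoded original MBR."""
    if not looks_like_mbr(original_mbr):
        raise ValueError("sample MBR must carry the boot signature")
    loader = b"\xeb\xfe" + b"\x90" * 508 + BOOT_SIGNATURE  # placeholder, not real loader code
    image = bytearray(sectors * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = loader
    start = BACKUP_SECTOR * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = xor_bytes(original_mbr, XOR_KEY)
    return bytes(image)


# Constructed original MBR: 510 filler bytes plus the boot signature.
SAMPLE_MBR = (bytes(range(256)) * 2)[:510] + BOOT_SIGNATURE

if __name__ == "__main__":
    img = build_sample_image(SAMPLE_MBR)
    recovered = recover_original_mbr(img)
    print("patched layout detected:", is_patched_layout(img))
    print("recovered MBR matches original:", recovered == SAMPLE_MBR)
```

Recovering the MBR only restores the ability to boot; it does nothing for the Salsa20-encrypted MFT or the AES-encrypted files, so on a real image this step belongs to forensic triage rather than data recovery.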

IBM X-Force IRIS determined that, theoretically, there is a very narrow path to decryption for those who have access to the attacker’s RSA private key. The RSA private key could be used to decrypt an encrypted AES key present in the readme.txt ransom file. You would need to mount the drive on another system and copy over the infected files, then decrypt them with the unencrypted AES key. Note that only the attacker has access to the RSA private key, and it is unlikely to become public (it would have to be released by the attackers themselves or by someone who had compromised the private key).

For all intents and purposes, the odds of recovery are nearly zero.
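The reboot mechanism listed earlier in this section (a scheduled task that runs “%WINDIR%\System32\shutdown.exe /r /f”) is observable before the fake CHKDSK screen ever appears, which makes it a useful detection point. The following is an added example, not IBM's code: it checks constructed scheduled-task records, both Task Scheduler XML bodies (as carried in task-creation events) and `schtasks /Create` command lines, for an action that is a forced reboot via shutdown.exe. The record field names (`id`, `task_xml`, `command_line`) and the sample records are assumptions for this example; the Task Scheduler XML namespace and the shutdown.exe `/r` and `/f` switches are real.

```python
"""Flag scheduled-task creations whose action is a forced reboot via
shutdown.exe /r /f. Added example, not IBM's code.

Records are constructed for this example; the field names are assumptions
about whatever log pipeline feeds the check.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# shutdown.exe accepts both "/" and "-" switch prefixes; /r = restart, /f = force.
REBOOT_FLAGS = {"/r", "-r"}
FORCE_FLAGS = {"/f", "-f"}


def is_forced_reboot(command: str, arguments: str) -> bool:
    """True when the action runs shutdown.exe with both a restart and a force switch.
    ntpath.basename handles %WINDIR%-prefixed and fully qualified paths alike."""
    exe = ntpath.basename(command.strip().strip('"')).lower()
    if exe != "shutdown.exe":
        return False
    flags = {tok.lower() for tok in arguments.split()}
    return bool(flags & REBOOT_FLAGS) and bool(flags & FORCE_FLAGS)


def _local(tag: str) -> str:
    """Strip the XML namespace so matching does not depend on it."""
    return tag.rsplit("}", 1)[-1]


def actions_from_task_xml(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a Task Scheduler XML body."""
    root = ET.fromstring(task_xml)
    for node in root.iter():
        if _local(node.tag) != "Exec":
            continue
        cmd, args = "", ""
        for child in node:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        yield cmd, args


def action_from_schtasks(command_line: str):
    """Extract the /TR action from a `schtasks /Create` command line, or None."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/create\b", command_line, re.IGNORECASE):
        return None
    m = re.search(r'/tr\s+"([^"]+)"', command_line, re.IGNORECASE)
    if not m:
        return None
    program, _, args = m.group(1).partition(" ")  # assumes an unquoted program path
    return program, args


def flag_forced_reboot_tasks(records):
    """Return the ids of records whose scheduled action is a forced reboot."""
    hits = []
    for rec in records:
        actions = []
        if "task_xml" in rec:
            actions.extend(actions_from_task_xml(rec["task_xml"]))
        if "command_line" in rec:
            act = action_from_schtasks(rec["command_line"])
            if act:
                actions.append(act)
        if any(is_forced_reboot(c, a) for c, a in actions):
            hits.append(rec["id"])
    return hits


_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"id": 1, "task_xml": f'<Task xmlns="{_NS}"><Actions><Exec>'
                          '<Command>%WINDIR%\\System32\\shutdown.exe</Command>'
                          '<Arguments>/r /f</Arguments></Exec></Actions></Task>'},
    {"id": 2, "task_xml": f'<Task xmlns="{_NS}"><Actions><Exec>'
                          '<Command>C:\\Program Files\\Backup\\backup.exe</Command>'
                          '<Arguments>/full</Arguments></Exec></Actions></Task>'},
    {"id": 3, "command_line": 'schtasks /Create /TN "update" '
                              '/TR "C:\\Windows\\System32\\shutdown.exe /r /f"'},
    {"id": 4, "command_line": 'schtasks /Query /TN "update"'},
    {"id": 5, "task_xml": f'<Task xmlns="{_NS}"><Actions><Exec>'
                          '<Command>C:\\Windows\\System32\\shutdown.exe</Command>'
                          '<Arguments>/s /t 0</Arguments></Exec></Actions></Task>'},
]

if __name__ == "__main__":
    print("forced-reboot task records:", flag_forced_reboot_tasks(SAMPLE_RECORDS))
```

Record 5 (a plain shutdown rather than a restart) is deliberately not flagged, since the rule is written to the exact action the post describes; an analyst tuning this for a real environment will usually want to pair it with the other indicators above (MBR overwrite, the fake CHKDSK screen) rather than rely on the task alone.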

Not Enough Info to Obtain Recovery Key

Files on victim machines are encrypted using a randomly generated AES key that is then encrypted using an RSA public key. The encrypted AES key is then stored as a base64 blob in a readme.txt ransom note created by the malware. The readme.txt contents are not accessible from the lock screen or after the MBR is patched by the malware.

Victims only get a few pieces of information from the lock screen:

  • A payment amount ($300);
  • A bitcoin wallet address;
  • An email address to verify payment; and
  • A Personal Installation Key.

The Personal Installation Key is randomly generated. This value is not enough to derive the system-specific AES key, in either its encrypted or decrypted form. It is impossible for the attacker to provide the information required to unlock files on victim machines when given only what the lock screen asks the victim to send. These shortcomings differ from the payment mechanism of traditional Petya, which worked in the past.

Victims All Suffered Due to Ukrainian Footprint

Finally, for all active cases that IBM Security is working, the impacted organization suffered because of a footprint in Ukraine. While this event was global in scale, IBM’s experience shows that the global impact resulted from the global nature of companies with assets in Ukraine rather than from genuine global targeting. In fact, “patient zero,” the initial host for every impacted client we investigated, was a machine based in Ukraine. It is unlikely that financially motivated actors would limit their targeting — especially for a wormlike tool — to one region or country.

For additional technical details, see the live Petya Ransomware Campaign collection on IBM X-Force Exchange.


This post was updated on June 30, 2017, to reflect the latest information.
