In 2016 a piece of malicious code was attached to a popular accounting package in the Ukraine. Although the publishers strenuously deny it, all the indicators point to the code being part of an update to Ukraine’s MEDoc accounting software package. This gave birth to the ransomware that came to be known as Petya. But is it really ransomware or are we seeing the first salvo of a true cyber-war?
First came the Wannacry ransomware, which had a devastating effect in terms of the number of systems it infected. It relied on a single flaw to gain access to a computer system. Once inside, it quickly spread to all the computers attached to that system. The code itself was rather amateurish, with a simple kill switch (registering the domain it was looking for). However, in hindsight, was it a test for what was to follow?
Next came the Petya ransomware. This spread in a similar manner to Wannacry but unlike Wannacry, it uses multiple flaws to get around computer security measures. This one is playing havoc with the Ukraine power grid and somehow jumped from there to some hospital systems in the USA.
Both of these were ransomware. They demanded a payment in Bitcoin, so we assume the objective was profit. The Wannacry ransomware was removed once confirmation of payment was received. So far we have no evidence that any system infected by the Petya ransomware has been freed once the money has been paid.
Now we have the next evolution – the “Not-Petya” or “Netya” ransomware. Like the Petya ransomware, this uses a variety of vulnerabilities to gain entry into a system. Once inside, it wreaks havoc by encrypting the files, like Petya, and displaying a ransom note. However, the Netya ransomware then attacks the master boot record (MBR), crashing the entire system to the point where it will not start up at all – no more ransom note. This begs the question: if the ransom note cannot be displayed, was the goal really ransom?
If there is no way to make a payment, no ransom note and no master boot record to bring the computer up to the point where it can operate, then what was the purpose of the attack? Even if the MBR were repaired, the files remain encrypted – unreadable.
Experts in several computer security companies agree that the Netya attack code was designed on a large budget. There are examples of repeated amendments to the code after trials, which is unusual where a single person or a few collaborating hackers are involved. This looks like a larger group of very professional programmers who have spent a lot of time writing multiple exploits for a wide range of vulnerabilities. If we are not looking at a small group on a tight budget, then we are looking at an organisation. There is no demand for payment and no way to recover the files, so what was their aim?
The only option left is cyber-war.
Let’s look at the evidence:
- The USA claims Russia hacked the emails of different election candidates to swing the votes in favour of Donald Trump, a self-confessed friend of Vladimir Putin and therefore of Russia. They claim to have evidence that points directly to Russia.
- The French claim to have evidence of Russian cyber tampering with their recent elections.
- The first Petya and Netya ransomware attacks appeared in the Ukraine – a country at war with Russia, the perfect test bed for a cyber-attack.
- There appears to be a progression of developments and tests leading up to the Netya ransomware, which is not typical of a sole operator. Were these tests for Netya, or is something worse coming?
- The code seems to be written by an organisation aiming to disable systems en masse, not for any financial gain.
Since writing this, the Netya attack has jumped from the Ukraine and USA to thousands of other systems in various countries, as far away as a chocolate business in Tasmania, Australia.