The NotPetya ransomware that hit thousands of computers last week likely was created and launched by state-sponsored attackers, according to a new analysis by security experts at NATO.
Based on the complexity and estimated cost of the operation, analysts at NATO’s Cooperative Cyber Defense Center of Excellence concluded that NotPetya either was the work of a government or an attack group working under government sponsorship.
“NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state. Other options are unlikely. The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation,” the analysis says.
NotPetya, also known as ExPetr, is a ransomware variant derived from the older Petya malware and began infecting machines in several European countries early last week. Although it is identified as ransomware, NotPetya isn't really designed to make any money. The ransom payment mechanism was poorly designed, and security researchers soon discovered that even if victims were able to pay, the attackers didn't have the information needed to decrypt the victims' data. Unlike most ransomware, NotPetya also has destructive capabilities, which largely defeats the purpose of holding a user's data for ransom.
“Beyond encrypting files, this ransomware also attempts to overwrite the MBR [master boot record] and the first sector of the VBR. If the malware is run with SeShutdownPrivilege or SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim’s machine,” Microsoft researchers said.
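Microsoft's observation that the MBR overwrite only happens when the process holds SeShutdownPrivilege, SeDebugPrivilege or SeTcbPrivilege gives defenders a concrete audit question: which logons on a host are being granted those privileges? The Python below is an added example, not code from this article, from NATO CCD COE or from Microsoft. It parses the message body of Windows Security event 4672 ("Special privileges assigned to new logon") and flags logons that hold one of the three privileges. The event layout follows the real 4672 message format; the account names, SIDs and logon IDs in the sample are constructed for this example.

```python
"""Flag Windows logons that hold the privileges NotPetya needs to overwrite the MBR.

Added example. Parses constructed copies of Security event 4672 message text
as it would appear in a SIEM export; accounts, SIDs and logon IDs are invented.
"""
import re

# The three privileges Microsoft names as sufficient for the MBR overwrite.
MBR_OVERWRITE_PRIVILEGES = frozenset(
    {"SeShutdownPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}
)

# Constructed sample of three 4672 message bodies (real layout, invented values).
SAMPLE_4672_EVENTS = [
    """Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tSYSTEM
\tAccount Domain:\t\tNT AUTHORITY
\tLogon ID:\t\t0x3E7

Privileges:\t\tSeAssignPrimaryTokenPrivilege
\t\t\tSeTcbPrivilege
\t\t\tSeDebugPrivilege
""",
    """Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5A3C1

Privileges:\t\tSeDebugPrivilege
\t\t\tSeBackupPrivilege
""",
    """Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1201
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x7B002

Privileges:\t\tSeBackupPrivilege
\t\t\tSeRestorePrivilege
""",
]

# "<tab>Field Name:<tabs>value" lines in the Subject block.
FIELD_RE = re.compile(
    r"^\t(Security ID|Account Name|Account Domain|Logon ID):\t+(.+)$", re.M
)
# Any privilege constant (SeXxxPrivilege) in the Privileges block.
PRIV_RE = re.compile(r"\bSe\w+Privilege\b")


def parse_4672(message: str) -> dict:
    """Extract subject fields and the set of privileges from one 4672 message."""
    fields = {name: value.strip() for name, value in FIELD_RE.findall(message)}
    # Only look for privilege names after the "Privileges:" label so the
    # "Special privileges" heading is not picked up.
    privs_section = message.split("Privileges:", 1)[1] if "Privileges:" in message else ""
    return {
        "sid": fields.get("Security ID", ""),
        "account": fields.get("Account Name", ""),
        "domain": fields.get("Account Domain", ""),
        "logon_id": fields.get("Logon ID", ""),
        "privileges": frozenset(PRIV_RE.findall(privs_section)),
    }


def find_mbr_capable_logons(messages, ignore_accounts=frozenset({"SYSTEM"})):
    """Return logons holding at least one MBR-overwrite privilege.

    SYSTEM is skipped by default because it always holds SeTcb/SeDebug and
    would otherwise match on every boot; pass ignore_accounts=frozenset()
    to include it.
    """
    hits = []
    for msg in messages:
        ev = parse_4672(msg)
        if ev["account"] in ignore_accounts:
            continue
        matched = ev["privileges"] & MBR_OVERWRITE_PRIVILEGES
        if matched:
            hits.append({
                "account": f"{ev['domain']}\\{ev['account']}",
                "logon_id": ev["logon_id"],
                "matched": sorted(matched),
            })
    return hits


if __name__ == "__main__":
    for hit in find_mbr_capable_logons(SAMPLE_4672_EVENTS):
        print(f"{hit['account']} logon {hit['logon_id']}: {', '.join(hit['matched'])}")
```

On the sample, only CORP\jdoe is reported (SeDebugPrivilege); svc_backup holds backup and restore rights but none of the three. One caveat when running this against real logs: event 4672 only records the sensitive privileges, so SeDebugPrivilege and SeTcbPrivilege will appear there but SeShutdownPrivilege, which ordinary interactive users hold by default on workstations, will not. The useful signal from this event is therefore non-service accounts being granted SeDebug or SeTcb, which is where the user-rights assignment should be tightened.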
As a result, researchers have theorized since the early days of the NotPetya campaign that it was meant as something other than a money-making operation. Like the WannaCry campaign before it, NotPetya spreads using exploit code, developed by the NSA and later stolen and published by the Shadow Brokers, for a vulnerability in the Windows SMB protocol implementation. NATO's analysts said the use of this exploit code should be seen as a show of strength by the attackers behind it.
“NotPetya is a sign that after WannaCry, yet another actor has exploited a vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – demonstration of the acquired disruptive capability and readiness to use it,” said Lauri Lindström, researcher at NATO CCD COE Strategy Branch.
NATO's international law experts added that if the NotPetya campaign could be tied to an existing armed conflict, the governments affected by the attack could have a variety of response options available to them.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures,” said Tomáš Minárik, researcher at NATO CCD COE Law Branch.