The Petya Virus: How It All Went

27 June 2017 could be called Ukrainian history’s “black cyber Tuesday”. On that day, the NotPetya (Petya.A, ExPetr) attack began, affecting almost all sectors in the country: communications, energy, banking, media, and transportation.

The Petya ransomware is far from the first test of the strength of Ukraine’s infrastructure. Such attacks have been attempted at least three times. The first two attacks didn’t take place on such a large scale, but were highly unpleasant: in late 2015, the BlackEnergy virus, targeting energy company “Ukrenergo”, led to blackouts in some areas. Exactly a year later, in December 2016, some commercial banks and the Ministry of Finance were targeted along with, once again, Ukrenergo.

But up to that point, nothing like this had happened.

What it was

Initially, Petya took the form of a file-encrypting virus which would subsequently demand a ransom. Hackers promised a decryption key to users who sent $300 worth of Bitcoins to their electronic wallet. However, these users received no code after transferring the funds, and decryption of the data remained impossible.

Some experts, having analyzed the hackers’ strategy, noted that ransomware doesn’t work that way; receiving the ransom funds was not the goal of this attack’s organizers. As time passes, there is more and more support for the belief that the NotPetya malware was only disguised as ransomware. Its main purpose was another: the destruction of information stored on affected computers’ disks. Based on this, the malware can be categorized as a wiper, rather than ransomware. The encryption-decryption story was there only to divert users’ attention.

There is also another version of the story. The alternate story argues that the attackers’ goal was to obtain control over all the infected computers, which would persist even after the removal of the virus and cleaning up of disks. In response to this, though, it can be observed that the method by which the attack was executed was too “loud”, attracting too much attention. A real spy would have attempted to gain a foothold, so to speak, on victims’ computers in the least noticeable way possible, without advertising the infection. Thus, an attempt to cause chaos in large organizations and companies, causing them material losses as well as damaging their image, seems more realistic.

How it got in and spread

One of the main infection vectors was the accounting software M.E.Doc, used for submission of reports and circulating electronic documents in a majority of Ukraine’s enterprises and organizations. An investigation carried out by Ukraine’s cybersecurity team showed that malicious code was injected into an update for the program. Thus, only the computers on which users downloaded the update were immediately infected. The malware then spread through corporate networks, including to machines on which the notorious M.E.Doc had not been installed.

This was possible because back in the spring of 2017, the attackers gained control of an account used by an employee of the developer (Intellect Service), thereby receiving access to the program’s source code.

An additional risk factor was the use of outdated software on the company’s server. That very server, in fact, went four years without being updated.

Another way the file-encrypting virus arrived on computers was through phishing emails that contained links which triggered a download of the malware.

After infection and a spontaneous reboot, access to these computers was blocked, and the files on their hard disks were encrypted. The virus damaged the master boot record, or MBR, leading to a complete inability to start the operating system.

Who was affected, and how

According to statistics, more than 70% of companies affected by NotPetya (Petya.A) are located in Ukraine. There were also infections reported in other countries: Germany, Russia, Italy. The malware even made it to the United States.

According to official data, the virus infected more than 12 million computers in Ukraine alone. This estimate, though, seems excessively optimistic; in reality, the damage appears to have been much greater. For example, the former director of Microsoft in Ukraine, now the deputy head of the presidential administration, believes that the virus affected 10% of all computers in the country in one way or another.

The ransomware managed to seriously complicate the lives of thousands of Ukrainians, including those whose computers were not directly affected by the attack. Some ATMs stopped working, there were problems with sending parcels and with ticketing services, and warehouses couldn’t send products to customers. This “mini-Armageddon” incident showed once again how dependent modern society is on all infrastructure elements working correctly and in a well-coordinated fashion—even a momentary loss of any one component can lead to chaos.

Among the victims of the attack are private and public companies in virtually all sectors. Lists of victims have already been published repeatedly in other sources, so there’s no sense in listing them here again. Worth noting, however, is that the attack affected many banks to varying extents (a rare exception being PrivatBank), as well as the Borispol airport, Ukrenergo, several major TV channels and online publications, Ukrpochta (the Ukrainian postal service), Ukrtelecom, and all three mobile network operators: Kyivstar, Vodafone, and Lifecell.

The list of “victimized” government agency computer systems (which is a very long list, by the way) can be seriously alarming. Heading the list are the National Bank, the Cabinet of Ministers, and—look at this!—the Ukrainian Cyber Police, which one would have expected to be at the forefront of cyber terrorism defense and an example of the highest level of IT security.

There’s no guarantee that this is the end

Recent days have brought some positive news:

  • Ten days after the attack, the developers “cleaned” M.E.Doc’s code, and provided law enforcement with an update that removes the malware from the product. Developer Intellect Service’s site is once again online.
  • The Ministry of Defense announced the creation of cybersecurity units.
  • NATO will provide Ukraine with 1 million euros to be used in fighting cyber-threats.
  • Most of the affected companies have completely resumed normal work.

Does this mean we can relax and calm down? Alas, it does not. Next time, a new virus might choose to spread through a backdoor in another company and another piece of software. And the human factor, against which all security measures are powerless, hasn’t changed a bit. As in the case of M.E.Doc, and as when the malware spread to computers via phishing emails, users’ negligent actions continue to draw attention. All this started with the attackers seizing just one account, with the opening of just one email!

It is impossible to give anybody a 100% guarantee against a repeat of incidents similar to the 27 June one. Cyber-threats and cyberterrorism, unfortunately, are inevitable in the modern world. It’s impossible to guard against them completely. However, properly constructed security “perimeters”, so to speak, around all infrastructure targets essential to the country’s life, can significantly reduce the damage from future attacks.


Author: Anna