Just yesterday, a type of ransomware first identified as Petya, then subsequently named NotPetya or GoldenEye, started infecting about 2,000 machines across Europe, hitting both European and American companies. Though disguised as ransomware, the true purpose of this Petya variant, dubbed GoldenEye, is thought to be the destruction of data rather than financial gain.
After a closer evaluation, security researcher Nicholas Weaver first raised this possibility with KrebsOnSecurity: that Petya was likely a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”
Supporting research in a new security report from Comae Technologies’ Matt Suiche shows that this latest version of the Petya malware is not actually ransomware, but code written to deliberately destroy data. The bitcoin payment demanded for the decryption key was merely smoke and mirrors, he says:
“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.
Lately, the number of attacks against Ukraine increased from Power Grids being shut down to the car of a top military intelligence officer exploding yesterday — the day Petya.2017 infected Ukraine.”
Although victims of this new attack are reported to have collectively paid the hackers the equivalent of $10,000 in bitcoins, some are saying that it is impossible to recover the data. As reported earlier, German email provider Posteo has already blocked the email ID required for payment confirmation, so victims have effectively been locked out, with no chance to recover their data.
If these reports are true, these hackers are far more sinister than the WannaCry hackers. Not only have they used the earlier attacks to pretend that they were after money, but they’ve effectively masked the true purpose of the attacks – to destroy key data belonging to companies operating in the Ukraine, the main target nation for the attack.
However, the attack seems to be widespread, with reports coming in from at least 65 different countries.
The big questions now are: if their real target was the Ukraine, why are non-domestic companies like Maersk, Merck and Oreo being targeted? Is it a massive misdirection to hide the real objective? What is the need for such a huge cover-up, if the purpose was never to collect money in the first place? And what can affected users do to recover their data?
These questions also poke holes in prevalent cybersecurity practices around the world. Are they adequate? Are companies religiously taking backups of their data as a remediation measure against such attacks? Are enterprises putting themselves at unnecessary risk by not keeping their software up to date?
The Petya story is yet to play out in full, but even if some key questions are answered, there will be a big question mark hanging over the cybersecurity industry when the dust finally settles on NotPetya aka GoldenEye.