‘Wiper Malware’ in Global Attack Actually Destroys Data

Security experts now say the hacker campaign that struck infrastructure and businesses around the world this week was merely posing as a ransomware attack, and is actually designed to destroy target files.

Aldrin Brown, Editor-in-Chief

June 29, 2017

3 Min Read
Wiper Malware in Global Attack Actually Destroys Data

A malware strain at the center of this week’s global attack that crippled networks in multiple countries was not ransomware as first suspected, but rather a “wiper” that encrypts data and makes it unrecoverable, top cyber security experts now say.

The alarming revelation means the hacker campaign that struck Europe, the U.S., France, Italy, Germany and elsewhere since Monday, was merely posing as a ransomware attack and is actually intended to destroy target files.

What was originally believed to be a variant of the Petya ransonware – which was stolen last year from a National Security Agency cyber weapons toolkit – has since been determined to be an entirely new type of malware dubbed “ExPetr.”

“Our analysis indicates there is little hope for victims to recover their data,” a statement from Kaspersky Lab said. “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” 

The problem lies with the new malware’s inability to obtain the installation ID needed for decryption.

“In previous versions of ‘similar’ ransomware (like Petya/Mischa/GoldenEye) this installation ID contained the information necessary for key recovery,” the statement from the security software vendor explained. “ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption.

“In short, victims could not recover their data.”

This week’s attack marked the second time in as many months that hackers crippled networks by locking computers and demanding $300 ransoms.

Last month’s WannaCry ransomware campaign resulted in more than 200,000 attacks in more than 150 countries, enabled by successful spear-phishing and unpatched Windows operating systems.

The ensuing rush to update Windows might have facilitated the latest attack.

“The most significant discovery to date is that the Ukrainian website for the Bakhmut region was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file,” Kaspersky officials said. “To our knowledge no specific exploits were used in order to infect victims.

“Instead, visitors were served with a malicious file that was disguised as a Windows update.”

Who would commit such an attack and why remained an open question today.

Matt Suiche, founder of cyber security firm Comae Technologies, suggested the campaign appears designed to conceal a state-sponsored attack against Ukraine.

That country was hardest-hit by the malware, which targeted power companies, airports, banks, state-run television stations, postal facilities and large industrial manufacturers.

“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche told The Hacker News.

Decrypting the data would have been problematic nonetheless, because the German email service provider cited by the hackers in ransom instructions cut off the cyber criminals’ access to the account shortly after the attacks began.

Thus, even victims who paid the bitcoin ransom would not have been able to email proof or obtain decryption keys.

Kaspersky Lab offers the following advice to network administrators: “Use the AppLocker feature of Windows OS to disable the execution of any files that carry the name “perfc.dat” as well as the PSExec utility from the Sysinternals Suite.”

 

Send tips and news to [email protected].

Read more about:

AgentsMSPsVARs/SIs

About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like