Who Is Behind Petya?

The main suspect behind the recent global ransomware attack is a hacking group with suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET.

The company has pegged the attack to a group known as Telebots or Sandworm.
“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spear-phishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” writes Anton Cherepanov, a senior malware researcher with ESET, in a blog post. 
“The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities.”

While the spread of so-called PetrWrap or NotPetya turned into global news as thousands of computers were locked down by the virus, the incident plays into a larger and already established narrative of hackers repeatedly using wiper malware and defunct ransomware, code designed to destroy or effectively lock data, against targets in Ukraine.

Researchers have attributed some of these past attacks, which share certain commonalities with PetrWrap, to Telebots. ESET pointed to three separate incidents recently in a report that ties PetrWrap to previous Telebots’ exploits. Analysts discovered that PetrWrap carries code that aligns with the tactics, techniques, and procedures of the Russian hacking group. For example, in December 2016, Telebots launched an operation to spread ransomware in Ukraine that similarly provided no avenue for victims to pay off the hackers, and which included KillDisk malware to destroy files. 

Instead of a ransom note with instructions displayed on affected computers’ screens, the malware offered a useless picture of a logo popularised by a television show.
“In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” ESET said of the December 2016 incident. 
“Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group.”

Earlier this year, between January and March 2017, the same attack infrastructure was used to send more ransomware largely aimed at Ukrainian companies. In this incident, the malware offered a legible ransom note demanding an outrageous payment of $250,000 worth of bitcoin to unlock each computer.

Researchers believe that the lofty payment was a sign that the attack’s true intent was never financial. Notably, the January 2017 attack was able to spread inside localised computer networks by leveraging a pair of typically benign Microsoft system admin tools, named imikatz and SysInternals’ PsExec, for malicious purposes.

PetrWrap used these exact same tools, in addition to an NSA authored backdoor and exploit that was leaked to the public in April, to proliferate internationally. It’s believed that PetrWrap spread outside the country, because of VPN’s connecting of foreign businesses to, Ukrainian organisations.

Fit for Disruption 
Ukraine was the country hardest hit by PetrWrap, according to Kaspersky Lab. Evidence indicates that PetrWrap was engineered in such a way to specifically disrupt Ukrainian organisations and their affiliates. 

Experts are increasingly warming up to the idea that a nation state was involved in the launch of PetrWrap because of the fact that the ransomware itself is coded in a manner that makes it clear the authors favored disruption over financial gain.
Researchers from Cisco and Kaspersky Lab found that an infected update from accounting software company MeDoc provided the initial infection vector. MeDoc’s use is mandated by the Ukrainian government. In the past, a possibly compromised MeDoc update server carried telltale signs of Telebots activity, according to ESET.
“We identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc’s server,” ESET’s report notes. This server previously sent out a VBS backdoor that has been linked to TeleBots. The finding is significant because it underscores the fact that Telebots is familiar and capable of sending malware through MeDoc’s infrastructure.

After initially pushing back against claims that it’s software was responsible for a global ransomware outbreak, MeDoc stated that it is now conducting an investigation into the matter. Ukrainian police and the FBI are said to be involved.

Cyberscoop:

You Might Also Read:

Ukrainian Security Call in FBI, NCA & Europol:

Fallout From Petya On Global Shipping:

Ukraine Police Trace Petya Attack Source:
 

« Are Corporate Cyber Defenses Adequate?
Biometric Products Can Help Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN) is a not for profit group of professionals in the field of Information Security in Nigeria and Diaspora.

Secardeo

Secardeo

Secardeo is a provider of corporate solutions using digital signatures and certificates. Our solutions enable the user transparent end-to-end encryption of e-mails between organizations.

Crossword Cybersecurity

Crossword Cybersecurity

We work with research intensive European university partners to identify promising cyber security intellectual property from research that meets emerging real-world challenges.

Secnology

Secnology

Secnology is dedicated to developing and providing the most powerful and user friendly event analysis and security management solution.

Hypersecu Information Systems

Hypersecu Information Systems

Hypersecu Information Systems, Inc. is a solution provider dedicated to multi-factor authentication, public key infrastructure and software copyright protection.

AiCULUS

AiCULUS

AiCULUS is a global technology company that specializes in API security and Risk Management products.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

Canopius Group

Canopius Group

Canopius is a global specialty lines insurance and reinsurance company and one of the top 10 insurers in the Lloyd’s insurance market.

Syracom

Syracom

syracom is a consultancy firm specialized in development of efficient business processes. With our expertise and IT competence, we develop tailored solutions for customers in various industries.

Capital Network Solutions

Capital Network Solutions

Capital Network Solutions are a highly accredited managed IT services and consultancy provider, specialising in cyber security, infrastructure and communications.

Inversion6

Inversion6

Inversion6 (formerly MRK Technologies) is a cybersecurity risk management provider that offers custom security solutions.

Telit Cinterion

Telit Cinterion

Telit Cinterion is a global enabler of the intelligent edge providing highly secure IoT solutions, modules and services.

Francisco Partners

Francisco Partners

Francisco Partners provide capital, expertise, and support for growth-aspiring technology companies.

Code First Girls

Code First Girls

Code First Girls are on a mission to close the gender gap in the tech industry by providing employment through free education.

Kaine Mathrick Tech (KMT)

Kaine Mathrick Tech (KMT)

KMT deliver comprehensive cyber-first outsourced technology support and solutions that scale with your business.