Who Is Behind Petya?

The main suspect behind the recent global ransomware attack is a hacking group with suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET.

The company has pegged the attack to a group known as Telebots or Sandworm.
“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spear-phishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” writes Anton Cherepanov, a senior malware researcher with ESET, in a blog post. 
“The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities.”

While the spread of so-called PetrWrap or NotPetya turned into global news as thousands of computers were locked down by the virus, the incident plays into a larger and already established narrative of hackers repeatedly using wiper malware and defunct ransomware, code designed to destroy or effectively lock data, against targets in Ukraine.

Researchers have attributed some of these past attacks, which share certain commonalities with PetrWrap, to Telebots. ESET pointed to three separate incidents recently in a report that ties PetrWrap to previous Telebots’ exploits. Analysts discovered that PetrWrap carries code that aligns with the tactics, techniques, and procedures of the Russian hacking group. For example, in December 2016, Telebots launched an operation to spread ransomware in Ukraine that similarly provided no avenue for victims to pay off the hackers, and which included KillDisk malware to destroy files. 

Instead of a ransom note with instructions displayed on affected computers’ screens, the malware offered a useless picture of a logo popularised by a television show.
“In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” ESET said of the December 2016 incident. 
“Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group.”

Earlier this year, between January and March 2017, the same attack infrastructure was used to send more ransomware largely aimed at Ukrainian companies. In this incident, the malware offered a legible ransom note demanding an outrageous payment of $250,000 worth of bitcoin to unlock each computer.

Researchers believe that the lofty payment was a sign that the attack’s true intent was never financial. Notably, the January 2017 attack was able to spread inside localised computer networks by leveraging a pair of typically benign Microsoft system admin tools, named imikatz and SysInternals’ PsExec, for malicious purposes.

PetrWrap used these exact same tools, in addition to an NSA authored backdoor and exploit that was leaked to the public in April, to proliferate internationally. It’s believed that PetrWrap spread outside the country, because of VPN’s connecting of foreign businesses to, Ukrainian organisations.

Fit for Disruption 
Ukraine was the country hardest hit by PetrWrap, according to Kaspersky Lab. Evidence indicates that PetrWrap was engineered in such a way to specifically disrupt Ukrainian organisations and their affiliates. 

Experts are increasingly warming up to the idea that a nation state was involved in the launch of PetrWrap because of the fact that the ransomware itself is coded in a manner that makes it clear the authors favored disruption over financial gain.
Researchers from Cisco and Kaspersky Lab found that an infected update from accounting software company MeDoc provided the initial infection vector. MeDoc’s use is mandated by the Ukrainian government. In the past, a possibly compromised MeDoc update server carried telltale signs of Telebots activity, according to ESET.
“We identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc’s server,” ESET’s report notes. This server previously sent out a VBS backdoor that has been linked to TeleBots. The finding is significant because it underscores the fact that Telebots is familiar and capable of sending malware through MeDoc’s infrastructure.

After initially pushing back against claims that it’s software was responsible for a global ransomware outbreak, MeDoc stated that it is now conducting an investigation into the matter. Ukrainian police and the FBI are said to be involved.

Cyberscoop:

You Might Also Read:

Ukrainian Security Call in FBI, NCA & Europol:

Fallout From Petya On Global Shipping:

Ukraine Police Trace Petya Attack Source:
 

« Are Corporate Cyber Defenses Adequate?
Biometric Products Can Help Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ANS Group

ANS Group

ANS are a strong team of straight-talking tech and business experts. Our mission is to make digital transformation accessible to all.

EclecticIQ

EclecticIQ

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services.

IntSights

IntSights

IntSights is an intelligence driven security provider offering rapid, accurate cyberthreat intelligence and incident mitigation in real time

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

Cyber DriveWare

Cyber DriveWare

DriveWare analyzes new traffic in the I/O layer and blocks malware and cyber attacks which organizations have no means to protect against.

Flexera

Flexera

Flexera is reimagining the way software is bought, sold, managed and secured.

Prevalent

Prevalent

Prevalent takes the pain out of third-party risk management. Companies use our services to eliminate the security and compliance exposures that come from working with vendors and suppliers.

Accolade Technology

Accolade Technology

Accolade provides the most technologically advanced host cpu offload, 100% packet capture FPGA-based PCIe adapters and 1U platforms available in the network monitoring and cyber security markets.

GM Security Technologies

GM Security Technologies

GM Security Technologies provides leading managed security services of the highest quality to every type of individual and organization in Puerto Rico, Caribbean and Latin America.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.

Singular Security

Singular Security

Singular Security help public and private organizations minimize cybersecurity risk and pass their IT compliance audit.

Zitec

Zitec

One of Europe's largest and most prominent full-cycle software development services companies, Zitec is the digital transformation partner to companies in the EU, UK, USA, Canada and ME.

NANO Corp

NANO Corp

At NANO Corp, we keep your network visible, understandable, operational and secure with state-of-the-art technology.

Cyrex

Cyrex

Cyrex is a Web3 security and development company. Our mastery over decentralized applications, smart contracts and blockchain will keep you secure across Web3.