No, Petya is NOT a Ransomware and Why it is a very big deal
Nicolas M. Chaillan
Founder of Ask Sage, Bringing Generative AI to Gov | Former U.S. Air Force and Space Force Chief Software Officer (CSO) | Pilot
Not a Ransomware
The Petya “ransomware” has caused incredible disruption at large firms in the United States and in Europe. It first targeted Ukrainian organizations, including the government, the state power supplier, telecoms, banks, and the metro and airport systems; the virus’s initial attack vector was pushed through an accounting software update. It was then spread through additional phishing campaigns, potentially to hide its true intended target.
Even the Chernobyl power plant was forced to move radiation-sensing systems to manual modes.
Several world-renowned firms were impacted, including the advertising firm WPP, Saint-Gobain, Mondelez, DLA Piper, AP Moller-Maersk, Heritage Valley Health System and many more.
Most articles and experts are referring to Petya as ransomware. That is inaccurate.
Petya simply masquerades as ransomware to hide its true intent: destruction. It is designed to disable systems by destroying their data. Quite effectively, I might add.
A virus.
While some experts are stating that the attack’s payment mechanism seems too amateurish to have been carried out by serious criminals, I strongly disagree.
I believe this was their intent all along. While appearing to pursue a ransom, their real goal was to take down several Ukrainian critical infrastructure systems.
Masquerading as ransomware was simply done to hide the virus’s true target – and the real actors behind it.
Clearly not a hacker group
Hacker groups usually have one main goal before anything else: make money. It is critical that a victim of a ransomware scheme gets his data back once the ransom is paid. Otherwise, word would spread that the hacker cannot be “trusted”, causing future victims not to pay at all. Denying victims the return of their data could potentially end the era of the ransomware scheme, which has grown into a multibillion-dollar market. Not returning data after payment is a violation of a very important code of ethics. Yes, you might be surprised, but even hackers have ethics… at least when it comes to their business and ensuring their livelihood remains prosperous.
Since the Petya virus was NOT designed to allow for data recovery, clearly, money wasn’t their objective. That points directly to a completely different type of hacker: nation state actors. Since they were specifically targeting Ukrainian systems and have done so quite successfully, we should be asking, “which nation is behind this attack?” I have a couple of ideas or at least one.
A new era for acts of war
While this might seem trivial, this ploy could be the beginning of a new era. An era where a nation can orchestrate a significant cyberattack, targeting critical infrastructure systems of another nation (an act of war), all while hidden behind the false pretenses of a “money-seeking hacker group” - and worse, they might get away with it.
This is very significant on so many levels. This has implications domestically and for international relations. Our nation’s cyber agenda has to be taken more seriously (see my previous article “Make Cyber Great Again”).
Solutions
While it is always obvious to say that companies should have a better patch management system in place and train their employees against phishing attacks more efficiently, those solutions alone will never truly solve our malware problem.
I am fond of one additional solution that is being explored by the Department of Homeland Security S&T Cyber.gov Program: Application Isolation.
A couple of vendors have been leading this market. Some started several years ago but one might say it was too early for mass adoption.
Times have changed.
Application Isolation solutions run at the endpoint level and launch every application you run (Office, Browser Tabs, etc.) as a separate Micro-VM (Micro Virtual Machine). Should the user open malware (even on purpose), that malware will only be able to infect the virtual machine of that isolated process and will not have access to the real machine’s files and actual system. This allows for a quasi-perfect segmentation and isolation. It might not be a silver bullet but it can certainly look like one to me.
It can certainly stop most of this malware and ransomware right in its tracks.
Please share with me your thoughts on these critical matters.
(Opinions expressed are my own.)
Talent Acquisition Specialist @ Verano | Cultivating Cultural Competence and Inclusion | CPG & Retail
7 years ago
Nicolas M. Chaillan, take a look at Comodo's AEP solution, on the endpoint, virtualizing 3 components: the HD, RAM, and COM interface. In its basic form, not giving "write" privileges to original HD, RAM, and COM interface. Let me know your thoughts on the process. Thanks for the article, I enjoyed reading it.
Founder of Ask Sage, Bringing Generative AI to Gov | Former U.S. Air Force and Space Force Chief Software Officer (CSO) | Pilot
7 years ago
Wanted to thank again all the viewers and everyone for their comments. I will be posting a new article on Software Defined Perimeter and why it became one of the key pieces of our new Cyber.gov cyber architecture.
What are some commercial microVM solutions?