The security experts revealed that the malicious NotPetya attack from last week might have been related to the same cyber gang which had used the BlackEnergy malware family in the recent attacks against Ukraine.
At first, the experts thought that it was a ransomware incident; however, although the virus employed the same distribution tools as WannaCry, NotPetya turned out to be a disk wiper whose main purpose was damaging computers. Just like the WannaCry ransomware, NotPetya mostly hit Windows 7 systems.
The NotPetya malware has infected computers in more than 65 countries so far, though most of its victims are based in Ukraine. According to Microsoft, of a total of less than 20,000 systems infected by NotPetya (also referred to as exPetr, GoldenEye, PetrWrap, and Diskcoder.C), more than 70% are located in Ukraine.
The reason why Ukraine was hit hardest by NotPetya was found last week: the attack was probably launched by the same cyber gang that initiated many other malware attacks against Ukrainian government organizations, the mining and railway systems, and the country’s power grid.
The threat group is called TeleBots, and was previously referred to as BlackEnergy or Sandworm Team. Among the tools associated with the cyber gang is the KillDisk wiper, which recently gained ransomware capabilities, demanding a 222 Bitcoin ransom from its victims.
Experts from Kaspersky Lab and ESET have found that the NotPetya sample used in last week’s attack shared many features with the KillDisk and BlackEnergy malware families.
Also, according to Kaspersky Lab, the list of targeted file extensions in the NotPetya virus shows similarities to the list in a wiper used by the gang in 2015. Because the two lists have their composition and formatting in common, this suggests a possible connection.
The Yara rule created by Kaspersky Lab during the analysis is described as one that “fires on BlackEnergy and ExPetr samples only” when run on the company’s extensive malware collection. According to the security researchers, the strings used to build the Yara rule can generate false positives when used alone; however, “when combined together in this fashion, they become very precise.”
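The detection-engineering point in the passage above, that several individually noisy strings become a precise detector when a rule requires all of them at once (the YARA `all of them` condition), is illustrated by the following added example. It is not Kaspersky Lab’s rule and contains none of its strings; the indicator strings, the sample corpus and the ground-truth labels are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed indicator strings (placeholders, not artefacts from the real rule).
# Each one is plausible in benign software, which is why "any of them" is noisy.
INDICATORS: Dict[str, bytes] = {
    "ext_list": b".3ds.7z.accdb.ai.asp",   # fragment of a file-extension list
    "api_name": b"CryptGenRandom",         # ordinary Windows API name
    "fmt_str": b"%s\\%s.dll",              # format string seen in many binaries
}


@dataclass
class Sample:
    name: str
    data: bytes
    malicious: bool  # constructed ground-truth label for scoring the rule


# Constructed corpus: benign files each carry one or two indicators,
# only the last sample carries all three.
CORPUS: List[Sample] = [
    Sample("installer.exe", b"MZ..." + INDICATORS["api_name"] + INDICATORS["fmt_str"], False),
    Sample("archiver.exe", b"MZ..." + INDICATORS["ext_list"] + b"...", False),
    Sample("updater.dll", b"MZ..." + INDICATORS["fmt_str"], False),
    Sample("readme.txt", b"nothing interesting here", False),
    Sample("wiper_like.bin", b"MZ..." + b"".join(INDICATORS.values()), True),
]

Rule = Callable[[bytes, Dict[str, bytes]], bool]


def match_any(data: bytes, indicators: Dict[str, bytes]) -> bool:
    """Equivalent of YARA's `any of them`: one indicator is enough to fire."""
    return any(s in data for s in indicators.values())


def match_all(data: bytes, indicators: Dict[str, bytes]) -> bool:
    """Equivalent of YARA's `all of them`: every indicator must be present."""
    return all(s in data for s in indicators.values())


def evaluate(rule: Rule, corpus: List[Sample]) -> Tuple[int, int]:
    """Run a rule over the corpus; return (true positives, false positives)."""
    tp = sum(1 for s in corpus if rule(s.data, INDICATORS) and s.malicious)
    fp = sum(1 for s in corpus if rule(s.data, INDICATORS) and not s.malicious)
    return tp, fp


def precision(rule: Rule, corpus: List[Sample]) -> float:
    """Precision of a rule on the corpus; 0.0 if the rule never fires."""
    tp, fp = evaluate(rule, corpus)
    return tp / (tp + fp) if tp + fp else 0.0


if __name__ == "__main__":
    for name, rule in (("any of them", match_any), ("all of them", match_all)):
        tp, fp = evaluate(rule, CORPUS)
        print(f"{name:12s} TP={tp} FP={fp} precision={precision(rule, CORPUS):.2f}")
```

On the constructed corpus the `any of them` form fires on three benign files and the `all of them` form fires only on the sample that carries every indicator, which is the behaviour the researchers describe for their combined rule. The same scoring loop can be pointed at a real clean-file collection to measure a candidate rule’s false-positive rate before it is deployed.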
“Of course, this should not be considered a sign of a definitive link, but it does point to certain code design similarities between these malware families,” Kaspersky Lab states.
On the other hand, ESET appears much more confident of the connection between NotPetya and TeleBots, and the company suggests that this was the third major attack the cyber gang has launched against Ukraine this year.
The ESET experts claim that the first attack was launched in March and delivered as its final payload a ransomware family detected as Filecoder.NKH.
The second ransomware attack against Ukraine was launched in May, this time using a piece of malware known as XData (detected as Filecoder.AESNI.C). Five days into the attack, 96% of the malware’s detections were in Ukraine.
The next month, the threat group launched a third, more sophisticated ransomware attack against organizations in Ukraine. Borrowing code from last year’s Petya ransomware, the attackers created a wiper and started using NSA-linked SMB exploits to maximize its spreading capabilities.
“However, unlike the original Petya ransomware, Diskcoder.C’s authors modified the MBR code in such a way that recovery won’t be possible. Specifically, the attacker cannot provide a decryption key and the decryption key cannot be typed in the ransom screen, because the generated key contains non-acceptable characters,” the ESET researchers say.