Volodymyr Tsap is relieved.
None of the 30 clients that SHALB, his Ukraine-based cybersecurity company, manages fell victim to the recent cyberattack that shut down much of the country, parts of Europe and the United States this week. Other Ukrainians weren’t so lucky. Ukraine’s banks, supermarkets, its international airport, government offices and more suffered severe network damage that IT specialists are still working to repair.
I asked Tsap who could have carried out the attack and he suspected Russia, as many other Ukrainian cybersecurity specialists have told media outlets. Earlier reports have referred to the virus as “Petya,” but experts are now labeling it “NotPetya” because it has a special code that automatically erases the Windows system’s Master Boot Record (MBR), according to hacker and Microsoft executive Matt Suiche.
Previous variants of the malware did allow for computer data to be recovered.
The Kremlin is being accused of deploying the malware, but Russian Presidential spokesman Dmitry Peskov called for cooperation against such attacks and dismissed “groundless accusations,” according to state-controlled TASS.
None of this convinces Tsap, who believes NotPetya was designed to showcase weaknesses in Ukraine’s cyber defense capabilities.
“They are trying to show that Ukraine’s security system is not good,” Tsap told me during a Skype interview. “And that means the government is not good. We can gain information from your government, your army, your stores, tax companies, anything. The main point of this attack isn’t only that they’ve shut down computers, it means they can have access to any data at any company or government or any Ukrainian.”
The actors programmed the recent malware attack in a way that demanded $300 in bitcoins from victims. But the low figure suggests that chaos, or something other than financial gain, was likely the main motivation, Vincent Weafer, senior vice president for McAfee Labs, told me.
“Other ransomware attacks used unique wallets per victim,” he said. “In this case, they tried to use one global bitcoin wallet which says, ‘Hmm. You probably weren’t thinking very strongly about that aspect of the attack.’”
Kaspersky Lab released a statement to Foxtrot Alpha stating there is little hope of victims recovering their data:
We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk threat actors need the installation ID. In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.
ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.
One of the reasons Tsap believes he and his clients were spared is that they use Linux instead of Windows, though Linux can also be compromised if network administrators do not respond to rising threats.
One Ukrainian cyberattack expert told WIRED that his firm has evidence hackers broke into the networks of some Ukrainian victims months before unleashing the virus:
“According to the obtained intermediate data of our analysis, our analysts concluded that the destructive effects in the infrastructures of the organizations studied were carried out with the help of [ransomware], but also with direct involvement of intruders who already had some time in the infrastructure,” writes ISSP forensic analyst Oleksii Yasinsky in an email to WIRED.
ISSP declined to provide more details about the evidence of those prolonged intrusions, but argues that the attackers’ techniques match the “handwriting” of previous attacks in 2015 and 2016 that Ukrainian president Petro Poroshenko has called acts of “cyberwar,” waged by Russia’s intelligence and military services. Yasinsky declined to name the exact Petya victims whose networks had shown those fingerprints, but he notes that they include one major Ukrainian bank and a critical infrastructure company.
It really doesn’t take a state actor to pull this off. Tsap said if he were asked to create a NotPetya-style attack, all he’d need are two security specialists and a couple of developers to work on it for a few months.
The bill: $100,000. That’s all. “It’s very cheap,” Tsap told me.
Jeremiah Grossman, chief of security strategy at SentinelOne, pretty much told me the same thing. Hackers need fewer and fewer resources to pull off attacks because the perpetrators aren’t always the original authors of the malware. Developers are selling their skills on the dark web and making money without having to take the risk of distributing the malware themselves.
“I’ve seen ransomware licenses rented for $20 or less,” Grossman told me. “While it is hard to say if that is the case this time, the answer to your question is ‘Not a lot.’”
Weafer said the code behind malware like the kind used yesterday is widely discussed and disseminated on the Dark Web, so a lot of actors likely have their prints on it.
“All the attackers need to do is pick up the elements that have been used successfully and modify and reuse them,” he said. “So, technically, all of these actors, whether it is a traditional or criminal element, can do it.”
The best way to protect yourself regardless of whether you’re a Ukrainian company or a regular Jane in New York City is to back up your data—especially offline.
“The ‘offline’ part is something many people often miss,” Grossman said. “Yes, backups will save you in a number of unfortunate circumstances including ransomware, but ransomware is also known to try and destroy backups. This occurs because it increases the chances of the extortionists getting paid. If you have backups on a USB key, offline disk, or something similar, you’re in a good place.”
This isn’t just a technical issue for Tsap, though. He knows how to prepare against cyberattacks, but he is convinced what happened yesterday has more to do with an overall war against Ukraine than anything else.
Why else would one of the country’s top intelligence officers end up dead after the car he was in exploded? And why would the attack take place a day before a national holiday, when the nation’s best technical minds could possibly be caught off guard?
More attacks will come, Tsap believes. He suspects every two months. But he says Ukrainians will eventually get smarter about protecting their data. They’ll learn that protecting data is more important than the computer itself. It is all a matter of not backing down against the threat.
“Everything that doesn’t kill us, it makes us stronger,” Tsap said.