Petya.2017 virus aims to destroy data, not extort payment
Security experts who are analyzing the recent attack using Petya.2017 say it is not ransomware as initially believed, but a malware attack that wipes data from systems and thus more injurious than ransomware,
Three major healthcare data security firms—Comae Technologies, Symantec and Tom Walsh Consulting—are among others that have released guidance on the Petya.2017 virus affecting industries across the globe, including the U.S. healthcare system.
Petya.2017 is not designed to make money, according to a comprehensive primer by security experts at Comae Technologies. “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money.”
While victims of ransomware may eventually be able to recover their files, a wiper excludes possibility of restoration, the company warns.
With Petya.2017, a randomly generated key is used to encrypt a disk that can never be decrypted.
Gavin O’Gorman, a Symantec investigator, looks at the motive behind the attack using two theories—the first implies the attacker or attackers are technically able but not particularly smart. The criminals use a single bitcoin wallet and a single email account for contact, which is not the best way to get payment, according to the firm. “The email account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims,” he notes.
The second theory suggests that the motive could be disruption, particularly against multiple organizations in the Ukraine. Perhaps, O’Gorman says, the attack was never intended to make money, and non-Ukrainian organizations affected may have been unintentional. “There was no attempt to spread across the Internet by attacking random IP addresses,” he adds. “This attack was an ineffective way to make money, but a very effective way to disrupt victims and sow confusion.”
Likewise, Keith Fricke, partner at the Tom Walsh Consulting security practice, says the intentions of those behind this most recent version of Petya are not clear.
“Security professionals offering opinions tend to agree that this was intended to wipe data and not be ransomware in the traditional sense of the word. Perhaps these criminals are demonstrating their aggressive side and what havoc they can cause,” Fricke says.
To prevent these kinds of attacks, healthcare organizations should be implementing a “kill switch” for the malware on any PC having important files on it, Fricke advises.
“The biggest trick to know during a rebuild actually starts way before the rebuild,” he adds. “At first instance of infection of this Petya variant, organizations need to do several things expeditiously.” They include:
- Contain the spread of infection by checking the known vectors of attack and address any vulnerabilities.
- Check backup to see where the last successful ones took place.
- Monitor any data replication to ensure encrypted files aren’t being backed up.
Lastly, Fricke emphasizes the need for good backup management. “Given that no means of decryption exists, any files not backed up are lost,” he says.