The malware that hit many businesses around the world on 27 June—including Rosneft, Maersk, and the Chernobyl nuclear power plant—and was initially reported as ransomware, wasn’t. It was worse: a “wiper” disguised as ransomware. And many cybersecurity experts think it may have been an initial test run of a new concoction of crimeware.
A wiper erases or irreversibly corrupts data on victims’ drives, unlike ransomware, which holds the data hostage until payment is made to the attacker. Kaspersky Lab wrote that in late 2011 and early 2012, reports emerged about computer systems that were compromised and rendered unbootable. The damage to these systems was so extensive that almost no data were recoverable. The malware was named “The Wiper,” and the term is now applied generally to crimeware with similar effects.
Weston Hecker, a principal application security engineer/principal penetration tester at NCR Corp. in Bismarck, North Dakota, and a member of Rampart, an invitation-only nonprofit group of vetted white hats (ethical computer hackers), said the malware was professionally made and originated from Eastern Europe, and struck hard in Ukraine, Russia, and Poland.
It appears to be a hybrid of WannaCry (ransomware that hit in mid-May) and Mimikatz, an open-source utility that extracts credential material (passwords, hashes, and tickets) from the memory of a running Windows host. Credentials harvested this way are then reused to run the malware on every other machine that trusts them, so it moves through the network impersonating legitimate users. A single infected system on which an administrative account has logged in is therefore enough to spread the infection to all the other computers that account administers.
Think of this hybrid’s creation as similar to genetic engineering. Pieces of WannaCry’s code for exploiting vulnerable, unpatched IT systems are combined with Mimikatz-style credential theft. Hecker said that this hybrid attack may have been released as a field test to determine its effectiveness and to ultimately use the outcome to increase its ability to penetrate and propagate. Once malware is deployed, the opportunity to learn from it exists and makes possible a more virulent and destructive version.
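The propagation mechanism described above is easy to underestimate until it is modelled. The following is an added example, not code from the original article or from any of the people quoted in it: a breadth-first simulation of credential-harvest lateral movement over two constructed networks with the same hosts and users. In the first, every workstation shares one local administrator password and a domain administrator has logged on to an ordinary workstation; in the second, local administrator passwords are unique and administrative accounts are tiered so that domain-admin credentials never touch a workstation. All host names, account names and trust relationships are invented for the illustration; the model assumes, as the article does, that compromising a host yields every credential resident on it and that a harvested credential gives code execution on every host where that account has administrative rights.

```python
from collections import deque

# Constructed example networks (hypothetical hosts and accounts). For each host:
#   "sessions": accounts whose credentials are resident in memory or the local
#               account store and can be harvested once the host is compromised
#   "admins":   accounts that hold administrative rights on the host
FLAT_NETWORK = {
    "ws-01":      {"sessions": {"alice", "localadmin"},
                   "admins":   {"localadmin", "domain-admin"}},
    "ws-02":      {"sessions": {"bob", "localadmin"},
                   "admins":   {"localadmin", "domain-admin"}},
    # A domain admin used the highest-privilege account to fix a user's machine.
    "ws-03":      {"sessions": {"carol", "localadmin", "domain-admin"},
                   "admins":   {"localadmin", "domain-admin"}},
    "fileserver": {"sessions": {"svc-backup"},
                   "admins":   {"domain-admin"}},
    "dc-01":      {"sessions": {"domain-admin"},
                   "admins":   {"domain-admin"}},
}

TIERED_NETWORK = {
    # Unique local admin per workstation; a workstation-tier helpdesk account
    # administers workstations only; server and domain tiers are separate.
    "ws-01":      {"sessions": {"alice", "la-ws-01", "helpdesk"},
                   "admins":   {"la-ws-01", "helpdesk"}},
    "ws-02":      {"sessions": {"bob", "la-ws-02"},
                   "admins":   {"la-ws-02", "helpdesk"}},
    "ws-03":      {"sessions": {"carol", "la-ws-03", "helpdesk"},
                   "admins":   {"la-ws-03", "helpdesk"}},
    "fileserver": {"sessions": {"svc-backup", "la-fs"},
                   "admins":   {"la-fs", "srv-admin"}},
    "dc-01":      {"sessions": {"domain-admin"},
                   "admins":   {"domain-admin"}},
}


def blast_radius(hosts, patient_zero):
    """Simulate credential-harvest lateral movement from one infected host.

    Breadth-first: every compromised host yields the credentials resident on
    it, and every harvested credential compromises each not-yet-compromised
    host on which that account has admin rights. Returns the set of
    compromised hosts and the set of harvested accounts.
    """
    compromised = {patient_zero}
    harvested = set()
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for account in hosts[host]["sessions"]:
            if account in harvested:
                continue
            harvested.add(account)
            for target, info in hosts.items():
                if account in info["admins"] and target not in compromised:
                    compromised.add(target)
                    queue.append(target)
    return compromised, harvested


def summarize(name, hosts, patient_zero):
    """Return (hosts reached, total hosts) and print a short report."""
    reached, creds = blast_radius(hosts, patient_zero)
    print(f"{name}: {len(reached)}/{len(hosts)} hosts compromised from {patient_zero}")
    print(f"  hosts: {sorted(reached)}")
    print(f"  credentials harvested: {sorted(creds)}")
    return len(reached), len(hosts)


if __name__ == "__main__":
    # Same initial foothold (a phished workstation) in both networks.
    summarize("flat network", FLAT_NETWORK, "ws-01")
    summarize("tiered network", TIERED_NETWORK, "ws-01")
```

In the flat network the shared local administrator password carries the infection to every workstation, one of which holds a logged-on domain administrator, and that credential reaches the file server and the domain controller: the whole estate from one phished desktop. In the tiered network the same foothold still takes every workstation, because the helpdesk account is resident on one of them, but nothing harvested is trusted by the server or domain tier, so the damage stops there. The model is deliberately simple; it ignores exploits, firewalling and detection, and exists only to show what credential reuse alone buys an attacker.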
This attack did not appear to be made for financial gain. Although the attackers asked for USD 300 in Bitcoin to deliver the key that would decrypt the ransomed data, the payment-and-recovery path was engineered not to work, which sets it apart from WannaCry in May. The email address that victims were told to use to confirm their payment was shut down.
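What separates a wiper disguised as ransomware from actual ransomware is not the encryption but the handling of the key: real ransomware keeps a way for the attacker to give the key back, a wiper discards it while still displaying a ransom note. The following is an added example, not code from the original article and not a reproduction of this malware’s actual cryptography: a constructed model of both key lifecycles using a toy stream cipher built from HMAC-SHA256 in counter mode (illustration only, not for real use), plus a triage check that asks whether the “installation key” printed in the note can possibly let the attacker recover the victim’s data. The attacker secret, cipher construction and function names are all assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher for the illustration: HMAC-SHA256 keystream in counter mode,
# XORed with the data. Encryption and decryption are the same operation.
# Not a real cipher design; do not reuse.
def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Secret known only to the attacker's infrastructure (constructed for the example).
ATTACKER_SECRET = secrets.token_bytes(32)


def ransomware_encrypt(plaintext: bytes):
    """Ransomware model: a fresh per-victim key encrypts the data, and the key is
    wrapped under the attacker's secret and printed in the note as the
    'installation key'. The attacker can unwrap it after payment."""
    victim_key = secrets.token_bytes(32)
    ciphertext = keystream_xor(victim_key, plaintext)
    note_key = keystream_xor(ATTACKER_SECRET, victim_key)
    return ciphertext, note_key


def wiper_encrypt(plaintext: bytes):
    """Wiper-disguised-as-ransomware model: the data is encrypted with a fresh
    key that is then thrown away, and the note shows unrelated random bytes.
    Nobody, attacker included, can recover the data."""
    victim_key = secrets.token_bytes(32)
    ciphertext = keystream_xor(victim_key, plaintext)
    del victim_key                      # key is never stored or transmitted
    note_key = secrets.token_bytes(32)  # looks like a key, is noise
    return ciphertext, note_key


def attacker_recover(ciphertext: bytes, note_key: bytes) -> bytes:
    """What the attacker's 'decryption service' would do with a paid-up victim's
    installation key: unwrap it and decrypt."""
    victim_key = keystream_xor(ATTACKER_SECRET, note_key)
    return keystream_xor(victim_key, ciphertext)


def payment_could_work(encrypt_fn, plaintext: bytes) -> bool:
    """Triage check: does the note's key carry enough information for the
    attacker to restore the data? True for ransomware, False for a wiper."""
    ciphertext, note_key = encrypt_fn(plaintext)
    return attacker_recover(ciphertext, note_key) == plaintext


def classify(encrypt_fn, plaintext: bytes) -> str:
    return "ransomware" if payment_could_work(encrypt_fn, plaintext) else "wiper"


if __name__ == "__main__":
    sample = b"Quarterly ledger: constructed sample data, not a real file."
    for name, fn in (("ransomware model", ransomware_encrypt),
                     ("wiper model", wiper_encrypt)):
        print(f"{name}: classified as {classify(fn, sample)}")
```

The two models produce indistinguishable artefacts on the victim’s side: an encrypted disk and a note with a plausible-looking key. The difference is visible only when someone with the attacker’s secret tries to use that key, which is exactly why “pay and see” cannot tell the two apart, and why analysts instead look at whether the displayed key is derived from the encryption key at all.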
Hecker said that attackers use email addresses connected to the dark web, an encrypted network. However, in this case, the criminals used the legitimate Internet and quickly got rid of the email address, making tracking of the IP address and the identification of other clues impossible.
The degree to which data are recoverable in this recent attack, which surfaced on 27 June, is not yet known. On 30 June, Maersk’s website remained limited to a posted message stating, “Progress is being made towards recovery and a more normalised state of business is expected by Monday, however it will take longer to restore all applications and workstations. Cargo is being moved in and out of ports almost everywhere around the world. Almost all ports within the APM Terminals global portfolio are operational. We are pleased to report that since yesterday, we have been able to reestablish business in our terminals in Algeciras, Tangier, Callao Lima, Mumbai, Itajai and Buenos Aires.”
The websites of Rosneft and state oil producer and refiner Bashneft were not functioning for part of 27 June, according to Russian news agency Tass. The oil company said it used backup systems to protect production.
The Chernobyl nuclear power plant in Ukraine, the site of a catastrophic meltdown in 1986, issued this statement: “In connection with the cyber-attack, the site of the Chernobyl nuclear power plant is not working. All technical systems at the station are operating normally. But due to the temporary disconnection of Windows systems, radiation monitoring of the industrial site is being carried out manually.”
Chernobyl’s statement shows how an information technology (IT) outage can reach into operations: taking its Windows systems offline forced the plant to fall back to manual radiation monitoring of the industrial site. Edgard Capdevielle, CEO of Nozomi Networks, warned of the need for vigilance in operational technology (OT) and industrial control systems (ICS). “Critical infrastructure providers around the globe should redouble their efforts to ensure proper separation of their IT and OT networks and be actively monitoring their ICS environments and applying advanced anomaly detection systems so that they can detect and remediate any efforts to disrupt operations of ICS within their critical infrastructure.”
Kaspersky Lab noted several trends in ransomware attacks. Ransomware actors are starting to devour each other, a sign of growing competition between ransomware gangs. The company’s geographic statistics show that attackers are switching to countries where users are less well-prepared to fight ransomware and where competition among criminals is lower. The attacks are increasingly targeting businesses rather than personal PCs, with payment demands in some cases exceeding USD 500,000.