Thursday, June 29, 2017

NonPetya: no evidence it was a "smokescreen"

Many well-regarded experts claim that the not-Petya ransomware wasn't "ransomware" at all, but a "wiper" whose goal was to destroy files, without any intent at letting victims recover their files. I want to point out that there is no real evidence of this.

Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent its authors from ever decrypting victims' drives. Their email account was shut down, and it corrupts the boot sector.

But these things aren't evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.

The simplest, Occam's Razor explanation is that they were simple mistakes. Such mistakes are common among ransomware. We think of virus writers as professional software developers who thoroughly test their code. Decades of evidence show the opposite: such software is of poor quality, with shockingly bad bugs.

It's true that, effectively, nPetya is a wiper. Matthieu Suiche does a great job describing one flaw that prevents it from working. @hasherezade does a great job explaining another flaw. But the best explanation isn't that this is intentional. Even if these bugs didn't exist, it'd still be a wiper if the perpetrators simply ignored the decryption requests. They need not intentionally make the decryption fail.

Thus, the simpler explanation is that it's simply a bug. Ransomware authors test the bits they care about, and test less well the bits they don't. It's quite plausible to believe that just before shipping the code, they'd add a few extra features, and forget to regression test the entire suite. I mean, I do that all the time with my code.

Some have pointed to the sophistication of the code as proof that such simple errors are unlikely. This isn't true. While it's more sophisticated than WannaCry, it's about average for the current state-of-the-art for ransomware in general. What people think of, such as the Petya base, or using PsExec to spread throughout a Windows domain, is already at least a year old.

Indeed, the use of PsExec itself is a bit clumsy, when the code for doing the same thing is already public. It's just a few calls to basic Windows networking APIs. A sophisticated virus would do this itself, rather than clumsily use PsExec.

Infamy doesn't mean skill. People keep making the mistake that the more widespread something is in the news, the more skill, the more of a "conspiracy" there must be behind it. This is not true. Virus/worm writers often do newsworthy things by accident. Indeed, the history of worms, starting with the Morris Worm, has been things running out of control beyond the author's expectations.

What makes nPetya newsworthy isn't the EternalBlue exploit or the wiper feature. Instead, the creators got lucky with MeDoc. The software is used by every major organization in the Ukraine, and at the same time, their website was horribly insecure -- laughably insecure. Furthermore, its autoupdate feature didn't check cryptographic signatures. No hacker can plan for this level of widespread incompetence -- it's just extreme luck.
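The autoupdate weakness just described, as an added example that is not MeDoc's code and not from the original post: an updater that only checks a hash fetched from the update server accepts whatever a compromised server publishes, because that server can recompute the hash, whereas a signature under a vendor key pinned in the client cannot be refreshed without the private key. The Update type, the key pair and both payloads are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is a constructed stand-in for an update package: the payload plus the
// metadata a client downloads with it from the same server.
type Update struct {
	Payload []byte
	Digest  [32]byte // SHA-256 of Payload, served by the update server
	Sig     []byte   // ed25519 signature over Payload by the vendor's offline key
}

// verifyDigestOnly models an updater that checks only a hash fetched from the
// update server. Whoever controls that server can recompute the hash, so this
// catches download corruption, not a hostile server.
func verifyDigestOnly(u Update) bool {
	return sha256.Sum256(u.Payload) == u.Digest
}

// verifySigned models an updater that pins the vendor's public key and refuses
// any payload whose signature does not verify against it.
func verifySigned(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Sig)
}

// Scenario publishes a genuine signed update, then models a compromised server
// that swaps the payload and refreshes the digest (the only field it can refresh
// without the private key). It returns (digestOnlyAcceptsTampered,
// signedAcceptsGenuine, signedAcceptsTampered).
func Scenario() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed sample: vendor update v1")
	u := Update{Payload: genuine, Digest: sha256.Sum256(genuine), Sig: ed25519.Sign(priv, genuine)}
	evil := []byte("constructed sample: replaced payload")
	bad := Update{Payload: evil, Digest: sha256.Sum256(evil), Sig: u.Sig}
	return verifyDigestOnly(bad), verifySigned(pub, u), verifySigned(pub, bad), nil
}

func main() {
	fmt.Println(Scenario())
}
```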

Thus, the effect of bumbling around is something that hit the Ukraine pretty hard, but it's not necessarily the intent of the creators. It's like how the Slammer worm hit South Korea pretty hard, or how the Witty worm hit the DoD pretty hard. These things look "targeted", especially to the victims, but it was by pure chance (provably so, in the case of Witty).

Certainly, MeDoc was targeted. But then, targeting a single organization is the norm for ransomware. They have to do it that way, giving each target a different Bitcoin address for payment. That it then spread to the entire Ukraine, and further, is the sort of thing that typically surprises worm writers.

Finally, there's little reason to believe that there needs to be a "smokescreen". Russian hackers are targeting the Ukraine all the time. Whether Russian hackers are to blame for "ransomware" vs. "wiper" makes little difference.

We know that Russian hackers are constantly targeting the Ukraine. Therefore, the theory that this was nPetya's goal all along, to destroy Ukraine's computers, is a good one.

Yet, there's no actual "evidence" of this. nPetya's issues are just as easily explained by normal software bugs. The smokescreen isn't needed. The boot record bug isn't needed. The single email address that was shut down isn't significant, since half of all ransomware uses the same technique.

The experts who disagree with me are really smart/experienced people who you should generally trust. It's just that I can't see their evidence.

Update: I wrote another blogpost about "survivorship bias", refuting the claim by many experts talking about the sophistication of the spreading feature.

Update: a comment asks "why is there no Internet spreading code?". The answer is "I don't know", but unanswerable questions aren't evidence of a conspiracy. "Why aren't there any stars in the background?" isn't proof the moon landings are fake, just because you can't answer the question. One guess is that you never want ransomware to spread that far, until you've figured out how to get payment from so many people.


Vess said...

Things are... a bit more complicated.

First of all, Matt Suiche's claim is wrong. It is not a "wiper". Track 0 normally contains nothing of value besides the MBR (sector 0,0,1), so "wiping" 25 sectors there causes no damage.

Second, while the MFT is not decryptable, the encrypted files are decryptable, suggesting that the former problem is indeed just a bug. I mean, if you wanted to cause damage, why do your decryption-related work in half, instead of not at all? Besides, there are much more efficient, destructive, and difficult to discover and recover from ways to cause damage.

Furthermore, the author is known to have made bad blunders in the past. The very first version (Red Petya) used a shortened encryption key, which made the encryption trivially breakable.

There are, however, some suspicious things. The most suspicious one to me, is the fact that it contains no Internet-spreading code. What is the point of making a worm that doesn't spread over the Internet? Unless the point was hitting only Ukraine, via the hacked M.E.Doc update mechanism and infecting the entities that do business with the government (for whom using the M.E.Doc software is mandatory) and everybody else who got infected worldwide was just collateral damage caused by a way too interconnected world. (When your "LAN" is a Windows Active Directory spanning continents and you got an infection there, because some subsidiary of yours does business with the Ukrainian government, it doesn't really matter to you that the worm doesn't spread over the Internet.)

The second suspicious thing is that, according to F-Secure, the exploit-using part of the worm was constructed in February. Given that the Shadow Brokers released the exploits in April, and assuming that they are indeed Russian intelligence, this lends credibility to the notion that Russian intelligence had a helping hand, one way or another, in the creation of the worm.

That said, I agree with you that "idiot ransomware writer" is the most likely explanation, given the evidence we have.

MiW said...

I think I agree with the lack of evidence, but I currently believe the errors are intentional, and this does not fit with my model of 'idiot ransomware writer'.

* I have trouble believing that an organisation running a successful RaaS with Tor C2 and multisig wallets, and a newer generation, actually working rw (goldeneye) would 'downgrade' to a public mailbox in .de for such a high profile attack.

* I believe that whomever published this NotPetya is not Janus.

* Janus hinted on twitter that it might be able to use their privkey for victims. I am guessing it may be the end of their current generation of malware if it's leaked, so they don't wish to publish it.
* I can't see how this can be true if:

* indicates the victim id is random, and generated before the salsa key.

* If one were not able to replace the ECDH code themselves like in Petrwrap, wouldn't it have been more profitable to use the good cred and lateral code and simply subscribe the newer, better quality goldeneye bin from Janus for the real campaign?

* How did someone make this version? Did they carve and modify an old v2 bin? Did they get access to the source?

* If Janus were running a successful RaaS with goldeneye, why would they be selling their golden goose source?

* The lateral code seems well tested, yet the low level code is not? Seems like an impedance mismatch. They bother to hack into a software company to distribute it, but don't test a single decryption to see if the victim-id to salsa key decrypts correctly, thus ensuring continued payments.

* Mistakes with the crypto might limit your victims paying up, it seems trivial for the maldev to test that their implementation actually decrypts - apparently the whole point of the exercise.

* Weak algos are better than non-decrypting fake keys if you are in it for the money. Mistakes of cryptographic weakness can be explained by lack of experience; failing to test the thing works in the first place, that's something else.

* The kinds of ransom amounts we are seeing are not significant enough to be non-fungible. These could be tumbled and moved through alts on many exchanges before anyone was the wiser.

* SB moved their coins after 9 months when the auction ended. They must have considered it safe enough to move their 10.48

* Watch to see if WC or NotPetya coins are going to move. If they do, it's bad rw. If they don't, it's something else. Let's see 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX in a few months

* A few BTC sitting unspent for years is a very powerful reminder of this incident

Vess said...

* Getting the average user to buy and send bitcoins is hassle enough. Getting him to also use Tor is additional hassle. Many ransomwares use the e-mail method to make it easier for the victims to pay.

* Whoever wrote this worm had the source code of GoldenEye. The thing is obviously compiled from a modified source. It is not patched, nor assembled from a disassembly, nor rewritten from scratch to look similar. The only exception is the Salsa code; it is not standard Salsa20; the initialization has been changed, and with a hex editor - not by manual modification of the source. Maybe done as an afterthought on the executable.

* Janus was just trolling. He loves fame.

* Plenty of ransomware authors, including Janus, make horrible mistakes when implementing the crypto and don't bother testing their code.

* Yes, the user ID displayed at boot time is meaningless and, as a result, the MFT cannot be decrypted. However, the encrypted files can be decrypted. A slightly different ransom note is displayed for them.


Hulio said...

"authors test the bits they care about, and test less well the bits they don't"

Lots of technical folk seem to believe that encrypting/decrypting is the defining behavioral characteristic of ransomware. I disagree; in my view, the bit about effectively delivering a ransom note and successfully extracting the ransom is more indicative of a ransomware taxonomy.

If you look at ransomware strains like cerber - by the polish of the payment system/decryptor alone you'll notice that getting paid and extracting payment are clearly more important to the malware operator than spreading the ransom notes. If you look at other ransomware strains you'll notice that they may not even encrypt the files - one strain I analyzed just renamed filename extensions to break associations, another used a keyless XOR to "encrypt/decrypt". These clowns still got paid; we can bash the malware on "sophistication" or "style", but this isn't Olympic swimming: the operators got paid, didn't go to jail, and live to fight another day, and that's what makes a successful ransomware operator.

The weak payment extraction system of Petya/not-Petya/WannaCry SHOULD raise questions in our minds about the intent of operators. When it comes to intent, at some point you do need to leap from evidence to speculation. Are both of these strains ransomware amateur hour? If so, what is bringing the amateurs into the game? If getting paid isn't a bit they care about, then "what are the bits they care about" is a damn good question. Fortune? Apparently not. Infamy? If that's what they wanted they sure got it. Nation state goals? Very plausible, but those goals might have more to do with influencing global cyber negotiations than simply bricking some devices...

You're spot on about this not being "evidence". The tin foil hatters and yellow journalists need more evidence to support their wild stories. So many cyber news outlets are copying and pasting poorly vetted or inaccurate malware analysis on these that we can't trust everything we read in the blogosphere.

But don't make the mistake of taking a contrarian viewpoint for the sake of being contrarian. The skepticism about the attackers' motivations is justified by the evidence - that evidence just isn't strong enough to draw solid conclusions about intent.
