Posted on Thursday, June 29 2017 @ 11:24 CEST by Thomas De MaesschalckThere was a superficial resemblance to Petya but the real goal of Tuesday's attack was to spread fast and cause a lot of damage by permanently deleting data. Paying the Bitcoin ransom is pointless because there is no way to restore the data, the attack is a wiper. Most of the damage seems to have been caused in Ukraine.
We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.ARS Technica notes the attack incorporated two exploits stolen from the NSA. Fully patched Windows systems are not vulnerable to the automatic attack.
...
The fact of pretending to be a ransomware while being in fact a nation state attack?—?especially since WannaCry proved that widely spread ransomware aren’t financially profitable?—?is in our opinion a very subtle way from the attacker to control the narrative of the attack.
In almost all other aspects, Tuesday's malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren't likely to be mistakes, considering the overall quality of the malware.
