Thursday, 29 June 2017 08:29

Not ransomware: Security firms change tack on massive attack


Security firms have changed tack on the massive ransomware attack that hit Europe on Tuesday and spread to other countries, saying that it was intended to destroy data in specific locations and not to extort money.

Initially, all security companies united on calling the attack ransomware, with some saying the Petya ransomware was being used, while others said it only had some characteristics of Petya, but was otherwise different.

Now it appears that there is a further twist to the tale.

Researcher Matt Suiche, who runs a company known as Comae Technologies in the United Arab Emirates, attempted to cast the blame on the media.

"The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon," Suiche said in a blog post published today.

He did not mention the fact that every security company of note, including his own, had called the causative agent ransomware.

In a post a day earlier, Suiche himself wrote: "Yes, this is bad — real bad — this is another ransomware leveraging SMB network kernel vulnerabilities to spread on the local network. The exploit used is based on EternalBlue, NSA’s exploit leaked by the Shadow Brokers in April, 2017. Similar to WannaCry. No kill-switch this time."

Trend Micro's vice-president of security research Rik Ferguson said the target of the attack appeared to be Ukraine.

"The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on Facebook)," he wrote.

"This island-hopping attack starting with a smaller software vendor, whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack there has been collateral damage."

Ferguson also pointed out that the malware was set to wait five days before triggering on 27 June, a day before a Ukrainian public holiday celebrating the ratification of the country's new constitution in 1996; this, he said, lent circumstantial weight to the proposition that the attack was targeted primarily at Ukraine.

"Some of the names of prominent global victims, WPP, Maersk and Saint-Gobain for example all have offices and operations in Ukraine and are likely users of MEDoc, some have even posted job ads for accounting specialists with MEDoc skills," he wrote.

"Also Rosneft, Russia’s state-owned oil company, although not necessarily corporate users of MEDoc, still have a presence in Ukraine and thus may be exposed to MEDoc within their network."

Ferguson said it looked as though this attack was "following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine".

Update, 30 June: Similar conclusions — that the malware was designed to destroy data, not extort money — have been reached by two other security outfits, Kaspersky Lab and ESET.

Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.