Ransomware attack is cover for something far more destructive

The GoldenEye attack wasn’t aiming at your wallet. It was trying to destroy your data.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

As odd as it sounds, the ransomware attack that swept across the world over the past few days wasn't about the money.

GoldenEye, also known as NotPetya, swarmed computers on Tuesday, locking up devices at multibillion-dollar companies including FedEx, Merck, Cadbury and AP Moller-Maersk.

Combined, these four companies are worth about $130 billion -- big targets with fat wallets. You'd think the hackers would ask for more than $300 per hijacked computer.

But now experts believe nation-state attackers are using ransomware as a screen, tempting victims to blame faceless hackers instead of the countries allegedly behind the attacks. The real goal was to get at and destroy data.

The revelation is a surprising new aspect of an escalating cyberwar between countries that has already compromised infrastructure, elections and businesses. North Korea leaked Sony emails in a display of power, hackers shut down Ukraine's power grids during a conflict with Russia and the US is still reeling from Russian interference in the 2016 presidential election.

Using ransomware as a cover for national attacks has serious implications not just for governments. Innocent people end up in the crossfire of these massive cyberattacks. Whether it's hospitals, universities, supermarkets, airports or even a chocolate factory in the firing line, the mess eventually trickles down to you. It could mean not being able to get your medicine because Merck's data is compromised or having flights grounded at a hacked airport.

"Sabotage often has collateral damage," said Lesley Carhart, a digital forensics expert. "Nothing new. Just digitized."


Researchers found a variant of the Petya ransomware called GoldenEye attacking systems around the world.


Flawed ransoming

The biggest tipoff that something was awry came from how the hackers planned to collect the ransom. Posteo, the email provider, shut down the address that victims were supposed to use to contact the hackers, suggesting that aspect of the operation wasn't well thought out.

"If the authors of this malware's primary purpose was to make money, they certainly had the technical and strategic offensive skill set to successfully make way more than they did," Carhart said. "The actual 'ransoming' to get money was flawed and inefficient."

When a ransomware attack hit a South Korean web-hosting company earlier this month, the victims paid $1 million -- the largest known payout ever. Two days after GoldenEye hit, it had made only about $10,000.

The WannaCry attack, which struck last month, had reaped roughly $132,000 as of Wednesday.

GoldenEye the destroyer

Researchers from both Comae Technologies and Kaspersky Lab found that GoldenEye was a wiper, designed to destroy data. It was built on a form of ransomware called Petya (hence the NotPetya name), encrypting crucial files, stealing login credentials and seizing the hard drive itself.

Even though the ransomware promised you'd get your data back if you paid up, Comae founder Matt Suiche noticed that GoldenEye actually ended up destroying several blocks of data. The original Petya encrypted files, but there was always a way to reverse that, he noted.

Researchers from Kaspersky called this the "worst-case" scenario for the victims.

"I wouldn't be surprised if they're trying to shut down a couple of facilities that they're targeting," said Amanda Rousseau, a malware researcher at Endgame.


GoldenEye started as an attack on a single organization, with the ransomware attaching itself to a software update for MeDoc, Ukraine's most popular tax-filing software. From that one victim, it spread to multibillion-dollar companies that were using it. (The companies all have branches in Ukraine.) About 60 percent of the attacks happened in Ukraine, according to Kaspersky Lab. GoldenEye, like WannaCry before it, used a technique from the National Security Agency to get into one PC and took advantage of Windows sharing tools to spread to every other computer on the same network.

Ukraine has been rife with alleged cyberattacks by Russian state-sponsored hackers, who are said to use the country as a testing ground for global attacks on major infrastructure.

Beyond Ukraine, the collateral damage continues after more than 200,000 computers around the world were infected. The attack showed hackers don't even have to target countries directly to get the job done.

If they can attack companies and infrastructure that help everyday life run smoothly, they've won.

"It's the equivalent of shutting down your power," Rousseau said.
