Ransomware turns even nastier: Destruction, not profit, becomes the real aim

Leaks and dumps are handing more tools for creating ransomware and other malicious software to cybercriminals.
Written by Danny Palmer, Senior Writer

Get used to global malware campaigns like Petya and WannaCry, because Pandora's Box has been opened and destructive cyberattacks like these are here to stay.

The WannaCry epidemic hit organisations around the world in May, infecting over 300,000 PCs and crippling systems across the Americas, Europe, Russia, and China.

The Petya outbreak followed a month later, mainly targeting organisations in Ukraine, but also infecting companies around the world. It didn't infect as many systems as WannaCry, but it came with additional destructive capabilities designed to irrecoverably wipe the computers it infected.

Hackers are already attempting to exploit the worm-like capabilities which made these two global attacks so successful in order to provide a boost to other types of malware -- and the problem is only going to get worse, researchers at Kaspersky Lab have warned.

"Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with," Kaspersky Lab's global research and analysis team said in its APT Trends report for Q2 2017.

Both WannaCry and Petya used a Windows security flaw known as EternalBlue to spread. The exploit was allegedly only previously known about by US intelligence services, who likely used it to carry out surveillance on targets before its existence was revealed by the ShadowBrokers hacking group.

The group has continued to release information about CIA hacking techniques and it's not hard to imagine that cybercriminal groups are eagerly working to discover how each release can be used to in order to help build the next WannaCry or Petya.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

While both initially spread under the guide of ransomware, those behind the two separate attacks didn't appear to be that interested in extorting Bitcoin ransoms -- although the actors behind WannaCry recently cashed out their earnings -- but rather causing as much chaos and destruction as possible. Indeed, many organisations hit by Petya still haven't fully recovered.

"While very different in nature and targets, both were surprisingly ineffective as 'ransomware'. For example, in the case of WannaCry, it's rapid global spread and high profile put a spotlight on the attackers' Bitcoin ransom account and made it hard for them to cash out. This suggests that the real aim of the WannaCry attack was data destruction," said the Kaspersky Lab report.

"The pattern of destructive malware disguised as ransomware showed itself again in the ExPetr [Petya] attack."

Researchers note that the exploitation of known vulnerabilities has been key to each of these attacks -- so users should ensure their systems are as patched and up to date as possible, in order to have the best chance of avoiding becoming a victim of the next big malware outbreak.

"As shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance -- which, being one of the most tedious IT maintenance tasks, works much better with good automation," said Kaspersky researchers.

While the culprits behind the Petya attack currently remain completely unknown, security services have pointed to North Korea as the main suspect in the case of WannaCry.

Previous coverage

WannaCry masterminds get their Bitcoin payday three months after attack

Those behind the ransomware have finally made off with their ill-gotten gains.

Hackers are making their malware more powerful by copying WannaCry and Petya ransomware tricks

The group behind Trickbot is attempting to give its Trojan malware the self-spreading worm-like capabilities that have made recent ransomware attacks go global.


Editorial standards