Late Wednesday afternoon, with the global Petya virus at a halt but its damage lingering, the original creator of the now notorious malware appeared on Twitter for the first time in six months. “We’re back having a look in ‘NotPetya,’” he tweeted. “Maybe it’s crackable with our privkey.”
Janus, a name he lifted from a James Bond villain, began selling Petya to other hackers in March 2016. Like all ransomware, Petya was designed to hold a victim’s files hostage, then return them when a ransom is paid. After Janus’ debut, he experimented with different business models and briefly got attention as a kind of Robin Hood when he hacked a competitor and freed its victims. Then, in December, he went silent.
It’s not clear why he disappeared, but it’s obvious why he’s returned now. On Tuesday, a modified version of Petya caused major disruptions in Ukraine, bricking computers at a power company, multiple banks, and the Kyiv Boryspil International Airport. It ultimately spread to corporate networks in 64 other countries, according to Microsoft. Surgeries were canceled at two Pittsburgh-area hospitals hit with the virus. Computers at the pharmaceutical company Merck and the law firm DLA Piper were hit, along with a Cadbury chocolate factory in Tasmania. An infection at the Dutch shipping firm A.P. Moller-Maersk forced the closure of some container terminals in seaports from Los Angeles to Mumbai.
Janus, who was never shy about his authorship of Petya, would make an obvious suspect. He is the only one known to have the source code—the electronic blueprints—to Petya, according to a security expert who’s studied Janus’ work. “The source never leaked,” said the researcher, known professionally as Hasherezade. “It could have been sold, but I don’t think so.”
Janus’ Wednesday tweet, announcing that he’s examining the new code, is an implicit claim from an admitted cyber criminal that he didn’t commit this particular crime. Surprisingly, a number of computer security experts have reached roughly the same conclusion. Despite surface appearances, this week’s cyber attack almost certainly wasn’t the work of a profit-oriented hacker like Janus. Instead it was an electronic Molotov cocktail lobbed into Ukraine by an attacker who underestimated how far it would splash.
“It’s someone who wants to shut down Ukraine and make it look like ransomware,” said Matthieu Suiche, founder of of cyber-security provider Comae Technologies. “And like what happened back in December with the power grid, it’s a political motive.”
Ukraine has faced a plague of cyberattacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. Tuesday’s attack so far has been traced only to a Ukrainian company called M.E.Doc, which makes accounting software called MEDoc that’s used widely in Ukraine.
“The attackers hacked into the patch server of the company, so every time that a client in the field reached out for a software update, they ended up getting this malware in their network instead,” said Vikram Thakur, technical director at Symantec.
Once inside a corporate network, the malware used three methods to spread to other systems, including the same NSA attack used in the earlier WannaCry worm. Unlike WannaCry, though, Tuesday’s attack never hit the public Internet. Instead, it just hopped from one corporate network to another. Wherever a business connected its network to a corporate partner or contractor, the malware was able to travel.
In this way it eventually reached all around the world, even hitting computers in Russia. “We’ve seen infections in one side of Europe that initially didn’t seem to have any connection to business in Ukraine, but it turns out they had a subsidiary that was using the MEDoc software to keep their books,” Thakur said.
It’s possible, then, that an attack intended to harm Ukrainian businesses spread much further than even the attackers intended. What’s nearly certain is that it was never really a ransomware attack. The ransom demand was likely a smokescreen to hide the attacker’s purely destructive motives.
The evidence of that began piling up as soon as the first Ukrainian targets fell Tuesday morning. Security experts noticed that the malicious code was based on Petya but had been extensively modified—so much so that the antivirus firm Kaspersky has started calling the new version NotPetya.
Most of the modifications show the marks of a sophisticated engineering effort, except for the mechanism that lets victims pay the $300 ransom and get their files back. That part has been weakened. For starters, it relies entirely on a single inbox with a German webmail provider who, predictably, blacklisted the email address within hours of the attack’s inception. The real Petya handled the whole transaction over the DarkWeb.
Further proof came on Wednesday from researchers at Kaspersky. Petya and NotPetya both issue victims a unique alphanumeric code, a kind of electronic claim check they can use to recover their files after paying the ransom. In the original Petya, the code is mathematically tied to the encryption key holding the files hostage. In the new NotPetya, it’s just a bunch of random numbers. Whoever was behind the attack doesn’t have the ability to release anyone’s files, and they never did.
“Why would you modify a working version of that with something that was broken?” said Comae Technologies’ Suiche. “It doesn’t make sense.”
Petya was always about making money, and it was always well made. When it debuted for sale to hackers in 2016, it had one advantage in a field with dozens of new entrants every year. Instead of just encrypting files one by one, the malware encrypts the “master file table,” a tiny directory at the root of the hard drive that holds the whole file system together. Most ransomware locks your files in a vault; Petya locks the vault in another vault.
In Poland, the security researcher known as Hasherezade took an early interest in Petya and began dissecting the code, eventually drawing the attention of the malware’s mastermind. Though they were on opposite sides, she and Janus began a friendly banter on Twitter, where the hacker referred to her as “sweetheart” or “lovely analyst” but evinced respect for her work.
When Hasherezade posted slides from a detailed technical talk she’d given on Petya’s internals, in which she laid out methods to defeat the encryption in early versions of the malware, he complimented her. “Very objective and smart, cute whitehat,” Janus responded.
When he returned Wednesday after his prolonged disappearance, the hacker addressed Hasherezade again, telling her she was “sadly missed.”
“So, my favorite (threat) actor is back,” she responded. “I was waiting.”