State Actors Are Likely Behind Recent Ransomware Attacks

Jul 26th, 2017 3 min read

Commentary by Riley Walters, Research Associate, and Mike Muller, Summer 2017 member of the Young Leaders Program at The Heritage Foundation

Image caption: Emphasis should be placed on maintaining updated operating systems and a backup of networked data.

Key Takeaways

Ransomware is a type of malware that locks computers until a ransom is paid.

In late June, Ukraine—along with at least 64 other countries, including the United States—was the victim of a ransomware attack from an unknown source.

The U.S. should continue to work with international partners to help locate the origin of these cyberattacks when possible.

Ransomware is a type of malware that locks computers until a ransom is paid.

This form of cyberattack has become the weapon of choice for cybercriminals, and presumably nation-states.

Whereas cybercriminals use ransomware to extract money, nation-states may be using ransomware as a means to test the United States’ cyber resiliency.

In late June, Ukraine—along with at least 64 other countries, including the United States—was the victim of a ransomware attack from an unknown source.

Experts originally noticed this new malware acted in a way similar to the malware known as Petya, but in a more advanced form. This advanced manifestation was soon creatively given the name “NotPetya.”

While Petya used phishing techniques to access victims’ networks, NotPetya used worm capabilities similar to a ransomware attack seen earlier this year known as WannaCry. This means NotPetya and WannaCry were able to “self-propagate” over multiple networks within a closed system.

NotPetya would build a list of IP addresses within the local area network that enabled its automated expansion.

As written previously in The Daily Signal, NotPetya seemed to focus its attack on targets within Ukraine, as it embedded itself in software used primarily in Ukraine.

NotPetya targeted infrastructure, such as the energy sector, similar to that hit by a cyberattack on Ukraine in 2016. The source of neither attack has yet been identified, but both seem to fit quite well into Russian cyberstrategy.

Although NotPetya is considered ransomware, it lacks an important aspect: the incentive to pay the ransom. That incentive is missing because NotPetya's developers have no way to decrypt victims' files after payment.

NotPetya presents itself less like ransomware and more like a cyberattack disguised as ransomware.

Even so, over $13,000 in bitcoin was paid in ransom from the initial attack.

WannaCry, a virus attributed to the North Korea-linked hacker group Lazarus, affected over 300,000 people from Europe, including the United Kingdom's National Health Service, to the United States.

The WannaCry virus displayed similarities linked to the hacking group Lazarus, which attacked Sony in 2014.

There were also other reasons to suspect these were not average ransomware hackers: WannaCry and NotPetya sought only $300 to unlock computers, while the average ransom is over $1,000.

It makes sense for a nation-state to use ransomware as a façade. Per the Verizon cybersecurity report, ransomware continues to become one of the most common forms of crimeware.

Ransomware attacks are now appearing paired with other forms of cyberattacks. They may simply be, at this point, the easiest way for nation-states to test or gather information from our networked systems.

There are few actions the U.S. can take to respond to ransomware attacks. For now, emphasis should be placed on maintaining updated operating systems and a backup of networked data.

The U.S. should continue to work with international partners to help locate the origin of these cyberattacks when possible, and use traditional law enforcement mechanisms along with cyber capabilities to fight cybercrime.

This piece originally appeared in The Daily Signal