WannaCry and ExPetr: Kaspersky Lab researchers conducted a comparative analysis of the two latest attacks with ransomware programs, which were performed in different modes and different goals.
However, both attacks have some similarities, showing signs of an emerging trend of disastrous targeted activity.
- Unlike previous catastrophic attacks with Wiper technologies, such as BlackEnergy and Destover in 2014, and Shamoon and StonedDrill in 2016-2017, which took place in a very methodical and destructive way, WannaCry and ExPetr were motivated - either for destructive activity or for some sabotage - remain unclear.
- There was the same delay of about two months for the delivery of worm-enabled variants: according to the first information about the goals, the development of WannaCry started in March, while ExPetr was held in April. But the ransomware / wiper itself was propagated much later in May and June respectively.
- The development of WannaCry was slow and practical, with scattered global goals, inconsistent profiles, and no attention to the Bitcoins collection: the attacker sent out a set of messages that encouraged users to pay the BTC in their wallet.
- ExPetr's development was steep, advanced and technically flexible, focusing on the software of organizations associated with Ukraine. However, ExPetr's attackers apparently did not return either with widespread messages or challenges for their goals, nor prolonged the incident by asking for Bitcoins to decrypt discs.
According to the researchers of Kaspersky Lab, the differences in the development of each ransomware show that the two attacks were not carried out by the same attacker.
But there are obvious similarities in both WannaCry and ExPetr tactics, which indicates the launch of new targeted APT attack activity behind the ransomware.
For more information, visit the specialistsite of Securelist.com.