WannaCry and ExPetr: Kaspersky Lab researchers conducted a compreview analysis of two of recent attacks with ransomware programs, which were carried out in different modes of operation and for different purposes.
However, both attacks have some similarities, showing signs of an emerging trend of disastrous targeted activity.
- Unlike previous destructive attacks with Wiper technologies such as BlackEnergy and Destover in 2014, and Shamoon and StonedDrill in 2016-2017, which were carried out in a very methodical and destructive manner, the motivations of WannaCry and ExPetr – whether for malicious activity or some sabotage – remain unclear.
- There was the same delay of about two months for the delivery of worm-enabled variants: according to the first information regarding targets, WannaCry's development began in March, while ExPetr's took place in April. But the ransomware/wipers themselves spread much later, in May and June respectively.
- WannaCry's development was slow and hands-off, with scattered global targets, inconsistent profiles, and no caution στη συλλογή Bitcoins: ο εισβολέας έστειλε ένα σύνολο μηνυμάτων που ενθάρρυναν τους χρήστες να πληρώνουν το btc on wallet their.
- The development of ExPetr has been steep, advanced and technically flexible, focusing on software organizations associated with Ukraine. However, the ExPetr attackers apparently did not return with either widely disseminated messages or challenges to their targets, nor did they extend the incident by asking for Bitcoin transactions to decrypt disks.
According to the researchers of Kaspersky Lab, the differences in the development of each ransomware show that the two attacks were not carried out by the same attacker.
But there are obvious similarities in both WannaCry and ExPetr tactics, which indicates the launch of new targeted APT attack activity behind the ransomware.
For more information, visit the specialistsite of Securelist.com.