ESET malware researchers Robert Lipovsky and Anton Cherepanov have shared their findings on the NotPetya ransomware. The researchers believe there is a link between NotPetya and the BlackEnergy attacks.
In December 2015, the BlackEnergy malware was used in an attack that cut power to parts of Ukraine. According to Lipovsky and Cherepanov, both NotPetya and BlackEnergy used the same destructive component, KillDisk, a disk wiper whose later versions also encrypt files. KillDisk appears across the attacks of TeleBots, the group that succeeded BlackEnergy.
The researchers explained that the final phase of a TeleBots attack consisted of running the KillDisk tool, which overwrote files on the victim's disks and changed their extensions in the process. They also found that the NotPetya outbreak spread through a backdoor TeleBots had planted in M.E.Doc, an accounting application that is widely used by businesses and government bodies in Ukraine.
Additionally, the December 2016 attack on Ukraine's power grid was carried out with Industroyer, a malware built to attack industrial control systems. At the time, a connection to TeleBots could not be established. During a later investigation, however, the researchers found strong code similarities that tie all of these attacks together. As a result, TeleBots is now considered to be behind all of the major destructive cyberattacks in Ukraine since 2015.
What's more, the latest TeleBots backdoor, Win32/Exaramel, is an improved version of the backdoor component of Industroyer with a few new features. Once on a system, Win32/Exaramel can copy files and encrypt them, after which the copies are sent to its command-and-control server. Its dropper installs the backdoor as a Windows service named wsmprovav with the description "Windows Check AV". The backdoor groups its targets by the security product installed on each victim, which suggests that the operators tailor their approach to each victim's defences.
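The service name and description above are the kind of indicator a defender would sweep a fleet for. The following is an added example, not code from ESET or from the article: it reads a service inventory in the column layout that `Get-CimInstance Win32_Service | Export-Csv` produces, flags any service whose name or description matches the two indicators the article names, and additionally applies a generic heuristic of this example's own (an auto-start service whose binary lives outside the Windows and Program Files directories), which the article does not attribute to Exaramel. The inventory rows are constructed for illustration.

```python
import csv
import io
from typing import Dict, List

# Indicators the article attributes to the Exaramel dropper. Windows compares
# service names case-insensitively, so the lookup does too.
EXARAMEL_SERVICE_NAMES = {"wsmprovav"}
EXARAMEL_DESCRIPTIONS = {"windows check av"}

# Directories an auto-start service binary is normally expected to live under.
# This path heuristic is an assumption of this example, not something the
# article states about Exaramel.
EXPECTED_BINARY_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed service inventory, in the column layout produced by
#   Get-CimInstance Win32_Service | Select Name,DisplayName,Description,PathName,StartMode | Export-Csv
# None of these rows is real telemetry.
SAMPLE_INVENTORY = """\
Name,DisplayName,Description,PathName,StartMode
Spooler,Print Spooler,Manages print jobs,C:\\Windows\\System32\\spoolsv.exe,Auto
wsmprovav,wsmprovav,Windows Check AV,C:\\Windows\\System32\\wsmprovav.exe,Auto
UpdateSvc,Update Service,Keeps software up to date,C:\\Users\\Public\\upd.exe,Auto
Dnscache,DNS Client,Caches DNS names,C:\\Windows\\System32\\svchost.exe -k NetworkService,Auto
"""


def _binary_path(path_name: str) -> str:
    """Strip quotes and arguments from a service PathName, leaving the executable."""
    path = path_name.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    # Unquoted: treat the first ".exe" as the end of the executable name. Good
    # enough for an inventory export; not a full CreateProcess emulation.
    idx = path.lower().find(".exe")
    return path[: idx + 4] if idx >= 0 else path.split(" ")[0]


def assess_service(row: Dict[str, str]) -> List[str]:
    """Return the reasons a service inventory row is suspicious (empty if none)."""
    reasons: List[str] = []
    name = row.get("Name", "").strip().lower()
    description = row.get("Description", "").strip().lower()
    binary = _binary_path(row.get("PathName", "")).lower()
    if name in EXARAMEL_SERVICE_NAMES:
        reasons.append("service name matches Exaramel dropper indicator")
    if description in EXARAMEL_DESCRIPTIONS:
        reasons.append("service description matches Exaramel dropper indicator")
    auto_start = row.get("StartMode", "").strip().lower() == "auto"
    if auto_start and not binary.startswith(EXPECTED_BINARY_PREFIXES):
        reasons.append("auto-start service binary outside Windows/Program Files (heuristic)")
    return reasons


def hunt_services(inventory_csv: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = assess_service(row)
        if reasons:
            findings[row["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in hunt_services(SAMPLE_INVENTORY).items():
        print(f"{service}: {'; '.join(reasons)}")
```

On the constructed inventory the script flags `wsmprovav` on both indicators and `UpdateSvc` on the path heuristic alone; the two genuine services pass. A name-only match is a weak signal on its own, so on a real fleet the flagged service's binary hash and install time should be pulled before anyone calls it an Exaramel infection.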