It used to be so simple. The objective of an attack campaign was relatively easy to determine. For example, when we detailed the recent Shamoon campaign it was clear that the attack was intended to disrupt the victim: the target was clearly Saudi Arabia, and the use of a wiper component revealed the perpetrators' objective.
Equally, the purpose of ransomware was just as clear: its operators wanted to get paid. What we witnessed was that these campaigns had been engineered to allow others without the necessary technical expertise to engage in similar activities, with the availability of various dashboards that help affiliates manage and track the number of infected systems.
Fast forward a few months, and recent campaigns such as WannaCry and Petya/NotPetya illustrate a deviation from the obvious objectives of previous attacks. Ask yourself a question: was Petya/NotPetya successful? As a ransomware campaign the answer would probably be no, since the revenue raised ($10,000) was inconsequential compared with campaigns that infected only a fraction as many victims and attracted only a fraction of the publicity. If the objective was to cause widespread disruption, however, the answer may well be very different, with reports that some victims have yet to restore full operations.
All too often the insatiable appetite for answers following a major campaign leads to rapid conclusions on everything from the objective of the attack to who was compromised and who did it.
In the case of WannaCry, our questioning of the true motive was the result of weeks of detailed analysis. Indeed, the original objective of the research was to determine whether file recovery was possible (with file carving, recovery is possible in certain conditions), but the analysis raised more questions about the attack's true purpose.
All too often the answer from the infosec community is 'maybe/probably' or the equally evasive 'it depends'. Such responses are clearly inadequate when an attack disrupts the entire world and the media, friends, family and everyone else are desperate for answers. However, attackers now have an arsenal of tools that help them obscure an attack's true purpose.
Is a DDoS attack intended to disrupt the victim? Or is it an attempt to make money, with extortion as its primary objective? With the unwelcome introduction of such tactics, what is clear is that the need to collaborate and coordinate investigations between the public and private sectors is more important than ever.
One conclusion is clear, though. The previous assumption that paying a ransom following an infection would likely result in the attackers relinquishing control over the victim's data should now be a thing of the past.