Following up on our post from yesterday, as an intellectual thought experiment, let’s take the position that there’s something to the idea of (Eternal) Petya not being motivated by money/profit. Let’s also just go ahead and imagine that it’s been developed by a nation state.
In my mind, it raises the following question: WTF WHY? Why build a tool such as (Eternal) Petya? Or as Andy put’s it in this post: if someone wanted to build a “wiper”, why build an almost functional ransomware?
First, having written/edited numerous malware descriptions over the years, I’m a really bit pedantic about proper categorization – so let’s be clear, (Eternal) Petya is not a wiper. A wiper is something such as Shamoon. (Eternal) Petya is almost fully functional ransomware, and the question is: what more is it? If this is a prototype, what is it moving towards?
Say you’re developing tools of (cyber) warfare…
How useful is an indiscriminate, scorched-earth tool? Sure, it would have it’s uses, and it’s probably the first thing that you would develop, but in the end, it’s a pretty blunt tool. Deploying any such tool with clear attribution only escalates the situation. Use it, and you’ve immediately crossed a line. The response is going to be very severe, and will probably be something in kind. Think something like mutual assured destruction (MAD) severe. A world of nothing but indiscriminate tools/weapons is limited (and very dangerous).
So what you need is a discriminating tool; something more refined. You want/need something that can remediate collateral damage; something that can take you up to a line, but not cross completely over it. Perhaps what you want is to “weaponize” encryption. That would allow you disable your adversary but put you in a position to negotiate another move.
There are undoubtedly already nations with cyber warfare tools that can cripple critical infrastructure without completely disabling/destroying it. Which is to say, their tools are far more precise and thus they can more easily be deployed without crossing over too many lines.
That makes for asymmetry. And if you’re a nation state trying to quickly close a gap, you might decide to test things in-the-wild. But you wouldn’t just test in-the-clear, you need some plausible deniability – and crypto-ransomware is very good deniability. If you want a tool that is effectively acts like a wiper, delay remediation – or simply don’t respond. And if your goal is something otherwise, your tool is reversible without having to (publicly) admit guilt.
End of thought experiment.
And of course, remember, it could just be ransomware in-development.
There's enough there to warrant further thorough investigation. (Either to confirm or debunk theory.)
— Sean Sullivan (@5ean5ullivan) June 30, 2017
Tagged: APT, Crypto, Petya, Ransomware, Th3 Cyb3r

Article Link: https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/