ILook Investigator Computer Forensics Software

IRS-CI Electronic Crimes


Infosec Companies Discover Connections between NotPetya ransomware and Power Grid Attacks in Ukraine



Several cyber security companies have published reports tying the NotPetya ransomware outbreak to a cyber-criminal and espionage group known for numerous past attacks, including the one on the Ukrainian power grid in late 2015.

The group behind those incidents has been active since 2007. It is known by several names: BlackEnergy, Sandworm, and, more recently, TeleBots.

Although the group is infamous for exploiting the Windows vulnerability CVE-2014-4114 against NATO in 2014, it is primarily recognized for two things: cyber attacks against critical infrastructure and its current focus on Ukrainian targets. The group originally sought victims around the world, but in 2014, soon after Russia seized the Crimean Peninsula, it began concentrating mainly on Ukraine.

The group typically attacks SCADA systems using a malware family called BlackEnergy. Its most notorious attack was the power blackout triggered across western Ukraine at Christmas 2015. The group has also attacked Ukrainian banks, airports, railways, media organizations, and the mining sector.

Another piece of malware unique to this group is KillDisk, which was built to wipe infected computers and thereby cause significant industrial damage.

In late 2016, researchers disclosed KillDisk variants that included a ransomware module.

More recently, the group upgraded the ransomware module with a ransom note demanding an outlandish sum, 222 BTC. Such a huge demand suggests the attackers were never focused on money and did not expect victims to pay. The same has been said of NotPetya.

A report published by ESET states that its researchers found evidence that the group is behind most of the recent custom ransomware families targeting Ukraine. Shared systems and communication mechanisms, tactics, and procedures link past Sandworm / BlackEnergy / TeleBots attacks to several ransomware outbreaks, including Win32/Filecoder.NKH, XData, and NotPetya.

All three ransomware campaigns were aimed specifically at Ukrainian victims, in line with the group's earlier targeting, which suggests they are part of a larger operation aimed at sabotaging Ukrainian businesses and markets.

Several security companies have previously connected the Sandworm / BlackEnergy / TeleBots group to Russian cyber-warfare strategy. John Watters of FireEye, writing in the Financial Times, said he is confident that Russia was behind the NotPetya outbreak.

Ukrainian authorities have also accused Russia of the NotPetya incident. NATO did not blame Russia directly but stated that a state actor was behind the attacks.

© Copyright 2006.