Early indications point to Sandworm hacking group for global ransomware attack

The hacking group has suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET.

The main suspect behind the recent global ransomware attack is a hacking group with suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET.

The company has pegged the attack to a group known as Telebots or Sandworm.

“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spearphishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” writes Anton Cherepanov, a senior malware researcher with ESET, in a blog post. “The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’s spreading capabilities.”

While the spread of so-called ExPetr or NotPetya became global news as thousands of computers were locked by the malware, the incident fits an already established pattern: attackers repeatedly deploying wiper malware and ransomware with no working recovery path (code designed to destroy data, or to lock it with no realistic way to get it back) against targets in Ukraine.


Researchers have attributed some of these past attacks, which share certain commonalities with ExPetr, to Telebots. In a report published Friday, ESET pointed to three separate incidents that tie ExPetr to previous Telebots operations.

Analysts found that ExPetr carries code that aligns with the tactics, techniques and procedures of the group. For example, in December 2016, Telebots launched an operation to spread ransomware in Ukraine that likewise gave victims no way to pay the attackers, and which included KillDisk malware to destroy files. Instead of a ransom note with payment instructions, the malware displayed an image of a logo popularized by a television show, which was of no use to the victim.

“In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” ESET said of the December 2016 incident. “Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group.”

Earlier this year, between January and March 2017, the same attack infrastructure was used to distribute more ransomware, again aimed largely at Ukrainian companies. This time the malware displayed a readable ransom note, but it demanded an outrageous payment of roughly $250,000 worth of bitcoin to unlock each computer.

Researchers believe the lofty demand was a sign that the attack’s true intent was never financial. Notably, the January 2017 malware was able to spread inside local networks by abusing a pair of tools that administrators and penetration testers also use legitimately: the open-source credential-dumping utility Mimikatz, which pulls passwords and hashes from memory, and PsExec from Microsoft’s Sysinternals suite, which runs commands on remote Windows machines by installing a temporary service over the administrative share.


ExPetr used these same two tools, along with an NSA-authored backdoor and exploit leaked to the public in April, to spread from machine to machine, and from there across borders.
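The PsExec technique described above leaves a well-defined trace: installing a service on the target writes Windows System event 7045 ("A service was installed in the system"), and the default PsExec service is named PSEXESVC with its binary copied directly into the Windows root via the ADMIN$ share. The following detector, added here as an example and not code from the article, from ESET or from any of the firms it quotes, runs over a handful of constructed 7045 records (the message layout mirrors the real event text, but the hosts, service names and paths are invented for the example) and flags the default PsExec pattern as well as a renamed copy that a name-only rule would miss. It does not cover the SMB exploit or Mimikatz, which leave different evidence.

```python
"""Flag PsExec-style remote service installs from Windows System log event 7045."""
import re
from dataclasses import dataclass, field

# Constructed sample events, not real logs. The Message text follows the layout
# Windows uses for System event 7045 ("A service was installed in the system").
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-0041", "Message":
        "A service was installed in the system.\n\n"
        "Service Name:  PSEXESVC\n"
        "Service File Name:  %SystemRoot%\\PSEXESVC.exe\n"
        "Service Type:  user mode service\n"
        "Service Start Type:  demand start\n"
        "Service Account:  LocalSystem"},
    # A renamed copy: PsExec can run its service under another name (-r), so a
    # rule that only matches "PSEXESVC" misses this one. Name and file invented.
    {"EventID": 7045, "Computer": "WS-0042", "Message":
        "A service was installed in the system.\n\n"
        "Service Name:  wsvchelper\n"
        "Service File Name:  %SystemRoot%\\dllhost.dat\n"
        "Service Type:  user mode service\n"
        "Service Start Type:  demand start\n"
        "Service Account:  LocalSystem"},
    # Benign: a product installer registering a service under Program Files.
    {"EventID": 7045, "Computer": "WS-0043", "Message":
        "A service was installed in the system.\n\n"
        "Service Name:  WdNisSvc\n"
        "Service File Name:  \"C:\\Program Files\\Windows Defender\\NisSrv.exe\"\n"
        "Service Type:  user mode service\n"
        "Service Start Type:  demand start\n"
        "Service Account:  LocalSystem"},
    # Not an install event; must be ignored by the scanner.
    {"EventID": 7036, "Computer": "WS-0041",
     "Message": "The PSEXESVC service entered the running state."},
]

FIELD_RE = re.compile(r"^Service (Name|File Name|Type|Start Type|Account):\s+(.*)$", re.M)
# A binary sitting directly in the Windows root, i.e. where a copy over
# \\host\ADMIN$ lands. Legitimate services almost always live deeper (System32,
# Program Files), so this is a useful if imperfect heuristic.
WINROOT_RE = re.compile(r'^"?(?:%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\([^\\"]+)"?$', re.I)

DEFAULT_NAME = "default PsExec service name or binary"
ROOT_DROP = "service binary dropped directly in the Windows root (ADMIN$)"
NO_EXE = "service binary has no .exe extension"


@dataclass
class Finding:
    computer: str
    service: str
    image_path: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_7045(message: str) -> dict:
    """Extract the 'Service Name', 'Service File Name', ... fields of a 7045 message."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def assess(fields: dict) -> list:
    """Return the reasons a service install looks like PsExec-style lateral movement."""
    name = fields.get("Name", "")
    path = fields.get("File Name", "")
    reasons = []
    if name.upper() == "PSEXESVC" or re.search(r"[\\/]psexesvc(\.exe)?\W*$", path, re.I):
        reasons.append(DEFAULT_NAME)
    match = WINROOT_RE.match(path)
    if match:
        reasons.append(ROOT_DROP)
        # A service whose image is not an .exe is unusual enough to call out.
        if not match.group(1).lower().endswith(".exe"):
            reasons.append(NO_EXE)
    return reasons


def scan(events: list) -> list:
    """Run the heuristics over every 7045 event and return the findings."""
    findings = []
    for event in events:
        if event.get("EventID") != 7045:
            continue
        fields = parse_7045(event["Message"])
        reasons = assess(fields)
        if not reasons:
            continue
        # The default name is a near-certain hit; two weaker signals together also count as high.
        severity = "high" if DEFAULT_NAME in reasons or len(reasons) >= 2 else "medium"
        findings.append(Finding(event["Computer"], fields.get("Name", "?"),
                                fields.get("File Name", "?"), severity, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.computer} service={f.service} "
              f"path={f.image_path} :: {'; '.join(f.reasons)}")
```

In a real deployment the records would come from a SIEM or from `Get-WinEvent -LogName System` rather than the inline list, and the 7045 hits are worth correlating with a preceding network logon (Security event 4624, logon type 3) from the same source host, since that pairing is what distinguishes remote tool-driven installs from a local administrator running an installer.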

It’s believed that ExPetr spread outside the country because of VPNs connecting foreign businesses to Ukrainian organizations.

Fit for disruption 

Ukraine was the country hardest hit by ExPetr, according to Kaspersky Lab. Evidence indicates that ExPetr was engineered in such a way to specifically disrupt Ukrainian organizations and their affiliates.

Researchers from Cisco and Kaspersky Lab found that a trojanized update for the M.E.Doc accounting software provided the initial infection vector. M.E.Doc is widely used by Ukrainian businesses for tax reporting, which gave the attackers a foothold across the country. In the past, a possibly compromised M.E.Doc update server carried telltale signs of Telebots activity, according to ESET.


“We identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc’s server,” ESET’s report notes. This server previously sent out a VBS backdoor that has been linked to TeleBots. The finding is significant because it shows that Telebots was already familiar with M.E.Doc’s infrastructure and capable of using it to deliver malware.

After initially pushing back against claims that its software was responsible for a global ransomware outbreak, M.E.Doc stated Thursday that it is now conducting an investigation into the matter. Ukrainian police and the FBI are said to be involved.

Experts are increasingly warming to the idea that a nation state launched ExPetr, because the ransomware itself is written in a way that shows its authors favored disruption over financial gain.

Ransomware typically works by encrypting files on a computer and withholding access until the victim pays, with the attacker holding the information needed to unlock them. ExPetr breaks that model: the “installation key” it shows victims is random data with no relationship to the encryption key, so even a victim who paid could not be given a working decryptor. In effect the malware wipes data before a target ever has the chance to communicate with the attackers.


Ukrainian security services appear to blame the Russian government for the ExPetr cyberattack, based on a statement published Friday by the Security Service of Ukraine.

Over the last year, private sector cybersecurity firms, including FireEye, Kaspersky Lab, ESET and Symantec, have highlighted multiple cases of destructive malware in the aftermath of data breaches affecting Ukraine. This kind of cyberattack is rare and requires a level of sophistication typically reserved for a group with substantial resources, such as a foreign intelligence service or a well-funded contractor. Telebots is believed to be one such group.

In a statement sent to CyberScoop, a Symantec spokesperson said the firm was still working out attribution for ExPetr and as such, could not confirm the link to Telebots.

FireEye and Kaspersky Lab did not respond to a request for comment prior to this article’s publication.