The new Petya ransomware, now more commonly called NotPetya, which created havoc by locking thousands of computers across the world on Tuesday and Wednesday, is not really ransomware at all. It is closer to a disk wiper built to damage computers, according to the conclusions of two separate reports from Comae Technologies and Kaspersky Lab.
Detailed analysis of the malware's source code revealed that it behaves like ransomware, but it cannot decrypt victims' files even if they pay. The findings also suggest that victims' inability to recover their files has nothing to do with the attackers' blocked email address: even if victims had reached the attackers after paying, they still would not have got their files back.
Ransomware typically generates a unique installation ID for each infected computer; that ID carries the information the attacker needs to hand back the decryption key for recovery. In NotPetya's case the installation ID is generated from random data and so contains nothing that can be used to recover the key, which makes decryption impossible.
"What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," Kaspersky Lab said in a blog post.
Update on #NotPetya #ExPetr: threat actors CAN'T decrypt files. Don't pay ransom. It won't help -> https://t.co/Df7tGqXO2Q
— Eugene Kaspersky (@e_kaspersky) June 28, 2017
Matt Suiche of Comae Technologies reached the same conclusion, although on the basis of a different flaw. Suiche explained in his report that it is impossible to recover the original Master File Table (MFT) that NotPetya encrypts. The MFT is the on-disk database that records where each file is stored on the drive.
Victims keep sending money to Petya, but will not get their files back: No way to contact the attackers, as their email address was killed. pic.twitter.com/68vxThNIPM
— Mikko Hypponen (@mikko) June 28, 2017
After comparing the 2017 Petya with the 2016 variant, Suiche found that the latest strain, which hit many organisations in Ukraine, was a wiper that trashed the first 25 sectors of the infected disks.
"2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damage to the disk," Suiche said.
The findings clearly suggest that NotPetya is essentially a cyber weapon meant to destroy and damage computers, not ransomware with a motive to make money. Ransomware can reverse its modifications, whereas a wiper simply eliminates any possibility of restoration, according to Suiche.