
NotPetya may not be ransomware either

By Lauren Kate Rawlins, ITWeb digital and innovation contributor.
Johannesburg, 29 Jun 2017
Analysis of the virus shows there may be no way to decrypt data even if the ransom is paid.

What was thought to be a large-scale ransomware attack shut down over 300 000 computers in more than 70 countries yesterday. However, analysis of the virus shows there may be no way to decrypt data even if the $300 ransom is paid.

The virus, nicknamed NotPetya or ExPetr because it is an evolution of the Petya virus discovered last year, may therefore have a more nefarious agenda than just collecting ransom in Bitcoin.

Matt Suiche, founder of Comae Technologies, wrote in a blog post yesterday that NotPetya is more of a 'wiper' - designed to destroy and damage, not to make money.

He compared this strain of Petya to last year's and found that when NotPetya ran on a system, data blocks were "being purposely overwritten, they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encodes them.

"2016 Petya modifies the disk in a way where it can actually revert its changes, whereas 2017 Petya does permanent and irreversible damage to the disk."

This means even if victims paid the ransom, there is no way their data could be restored.

Suiche says: "We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."

Security company Kaspersky Lab came to a similar conclusion.

"Our analysis indicates there is little hope for victims to recover their data. We have analysed the high-level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims' disks. To decrypt a victim's disk, threat actors need the installation ID.

"In previous versions of 'similar' ransomware, like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery. ExPetr does not have that, which means the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."
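The Kaspersky finding above turns on one property: whether the installation ID a victim is told to send actually carries the disk key in a form the operator can unwrap. The following Python is an added illustration of that property, not code from the article, from Comae, or from Kaspersky, and it does not reproduce the real Petya, GoldenEye or ExPetr formats (none of which the article describes). It assumes a constructed key-wrapping scheme (an escrow secret, an HMAC-SHA256 keystream and an integrity tag) purely to show why an operator-side recovery check succeeds for a GoldenEye-style ID and fails for an ExPetr-style ID made of random bytes.

```python
import hashlib
import hmac
import secrets

# Constructed illustration only. The wrapping scheme below is an assumption made
# for this example; it is not how Petya, GoldenEye or ExPetr actually encoded
# anything. It models the single property the analysts describe: a recoverable
# installation ID wraps the disk key for whoever holds the escrow secret, while
# an ExPetr-style ID carries no key material at all.

NONCE_LEN = 16
TAG_LEN = 16
KEY_LEN = 32


def _keystream(escrow_secret: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(escrow_secret, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_recoverable_install_id(disk_key: bytes, escrow_secret: bytes) -> bytes:
    """GoldenEye-style ID (as the article characterises it): the disk key is
    wrapped under the operator's escrow secret and protected by a tag, so the
    operator can later unwrap it and hand the key back."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(escrow_secret, nonce, len(disk_key))
    wrapped = bytes(a ^ b for a, b in zip(disk_key, stream))
    tag = hmac.new(escrow_secret, nonce + wrapped, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + wrapped + tag


def make_expetr_style_install_id(length: int = NONCE_LEN + KEY_LEN + TAG_LEN) -> bytes:
    """ExPetr-style ID: random bytes that never contained the key. Same length as
    a recoverable ID so that only the content, not the size, differs."""
    return secrets.token_bytes(length)


def recover_disk_key(install_id: bytes, escrow_secret: bytes):
    """The operator-side recovery check: return the disk key if the ID wraps one
    under this escrow secret, otherwise None. For an ExPetr-style ID the tag
    check fails, so there is nothing to give a paying victim."""
    if len(install_id) != NONCE_LEN + KEY_LEN + TAG_LEN:
        return None
    nonce = install_id[:NONCE_LEN]
    wrapped = install_id[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = install_id[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(escrow_secret, nonce + wrapped, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(escrow_secret, nonce, KEY_LEN)
    return bytes(a ^ b for a, b in zip(wrapped, stream))


if __name__ == "__main__":
    escrow = b"constructed-escrow-secret-for-demo"  # assumption: operator's secret
    disk_key = bytes(range(KEY_LEN))                # constructed sample disk key

    golden = make_recoverable_install_id(disk_key, escrow)
    print("GoldenEye-style ID recovers key:", recover_disk_key(golden, escrow) == disk_key)

    expetr = make_expetr_style_install_id()
    print("ExPetr-style ID recovers key:", recover_disk_key(expetr, escrow) is not None)
```

The point of the check is that the operator needs both the escrow secret and an ID that was derived from the key. With the ExPetr-style ID the second condition is simply absent, which is why Kaspersky concludes that payment could not have led to decryption whatever the attackers intended.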
