The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.
Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.
This has nothing to do with the fact that a German email provider has shut down the NotPetya operator's email account. Even if victims were able to get in contact with the NotPetya author, they would still have no chance of recovering their files.
NotPetya never bothers to generate a valid infection ID
Decryption is impossible because NotPetya generates a random infection ID for each computer. Ransomware that doesn't use a command-and-control server — like NotPetya — relies on the infection ID to carry the information the operator needs about each infected victim, including the decryption key.
Because NotPetya generates random data for that particular ID, the decryption process is impossible, according to Kaspersky expert Anton Ivanov.
"What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," said Ivanov.
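To make the Kaspersky finding concrete, the following is an added toy model (constructed for this article, not NotPetya's or Kaspersky's code) of the two ways an offline "installation ID" can be built. In the recoverable design the ID wraps the per-victim file key under an operator secret, so whoever holds that secret can unwrap it; in the NotPetya-style design the ID is random bytes with no relation to the key, so nothing can be unwrapped. The operator secret, the SHAKE256-based wrapping and the HMAC key-check value are all assumptions standing in for the real (asymmetric) scheme; no files are touched.

```python
"""Toy model of an offline ransomware installation ID (constructed example).

Shows why an ID made of random data cannot carry a decryption key, whereas an ID
that wraps the key under the operator's secret can be unwrapped by that operator.
"""
import hashlib
import hmac
import os

# Assumed stand-in for the operator's private key (constructed value).
OPERATOR_SECRET = b"constructed-operator-secret"
NONCE_LEN = 16


def _keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream derived from secret||nonce; stands in for public-key wrapping."""
    return hashlib.shake_256(secret + nonce).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(file_key: bytes) -> bytes:
    """Commitment to the file key, so a recovered key can be verified without
    decrypting anything (constructed analogue of a key-check value)."""
    return hmac.new(file_key, b"key-check", hashlib.sha256).digest()


def make_recoverable_id(file_key: bytes) -> bytes:
    """Recoverable design: ID = nonce || (file_key wrapped under OPERATOR_SECRET)."""
    nonce = os.urandom(NONCE_LEN)
    wrapped = _xor(file_key, _keystream(OPERATOR_SECRET, nonce, len(file_key)))
    return nonce + wrapped


def make_random_id(file_key: bytes) -> bytes:
    """NotPetya-style design: ID is random data unrelated to the file key."""
    return os.urandom(NONCE_LEN + len(file_key))


def recover_key(installation_id: bytes) -> bytes:
    """What the operator would do with a submitted ID: unwrap the file key."""
    nonce, wrapped = installation_id[:NONCE_LEN], installation_id[NONCE_LEN:]
    return _xor(wrapped, _keystream(OPERATOR_SECRET, nonce, len(wrapped)))


def can_decrypt(installation_id: bytes, kcv: bytes) -> bool:
    """True only if the key unwrapped from the ID matches the victim's real key."""
    recovered = recover_key(installation_id)
    return hmac.compare_digest(key_check_value(recovered), kcv)


def simulate(random_id: bool) -> bool:
    """Run one victim through either design and report whether recovery works."""
    file_key = os.urandom(32)
    kcv = key_check_value(file_key)
    inst_id = make_random_id(file_key) if random_id else make_recoverable_id(file_key)
    return can_decrypt(inst_id, kcv)


if __name__ == "__main__":
    print("recoverable design, key recovered:", simulate(random_id=False))  # True
    print("random-ID design, key recovered:  ", simulate(random_id=True))   # False
```

The point for responders is that the ID alone decides the outcome: with the random-ID design, even an operator holding the secret recovers garbage, which is exactly why paying could never have produced a working key.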
MFT file is unrecoverable
Kaspersky's discovery was also reinforced by a separate report released by Comae Technologies researcher Matt Suiche, who found a totally different flaw but reached the same conclusion.
In his report, Suiche describes a faulty sequence of operations that makes it impossible to recover the original MFT (Master File Table), which NotPetya encrypts. This structure records where each file's data is located on the hard drive, and with it left encrypted, there is no way to know where each file is on an affected computer.
"[The original] Petya modifies the disk in a way where it can actually revert its changes. Whereas, [NotPetya] does permanent and irreversible damages to the disk," Suiche said.
NotPetya was designed for mayhem, not making money
The idea that NotPetya did not follow regular ransomware rules was first proposed by threat intelligence expert The Grugq, in a report published yesterday.
"The real Petya was a criminal enterprise for making money. This [NotPetya] is definitely not designed to make money," The Grugq said. "This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'"
What needs to be made clear is that NotPetya is not a disk wiper per se. It does not delete any data but simply makes it unusable by locking files and throwing away the key.
"In my book, a ransomware infection with no possible decryption mechanism is equivalent to a wiper," J. A. Guerrero-Saade, security researcher for Kaspersky Lab told Bleeping Computer today via email. "By disregarding a viable decryption mechanism, the attackers have displayed a complete disregard for long-term monetary gain."
Furthermore, in a tweet sent out today, the author of the original Petya also made it clear NotPetya was not his work, dispelling any rumors that this was a Petya offshoot.
He is, in fact, the second ransomware author who has had to say this, after the author of the AES-NI ransomware said in May that he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector: the update servers of a Ukrainian accounting software maker.
Signs with big bright blinking lights point to the theory that someone is hijacking known ransomware families and using them to attack Ukrainian users.
Hiding wipers in ransomware has become common practice
While this sounds sneaky, it has been done before. Attackers with a hidden agenda posing as mundane cyber-criminals and disguising disk wipers as ransomware is not a new tactic. It is, in fact, a trend.
This past fall and winter we saw reports of disk wipers gaining "ransomware components" so they could pass as ransomware infections and avoid the scrutiny of incident responders. This happened with the Shamoon and KillDisk malware families, both tools known for their disk-wiping abilities. Furthermore, even industrial malware is getting disk-wiping features.
With NotPetya's reclassification as a disk wiper, experts can easily put the malware in the category of cyber-weapons, and analyze its effects from a different perspective.
With the point of origin and most victims residing inside its borders, it is clear that Ukraine was the target. There is no palpable evidence to point the finger at a specific attacker, but Ukrainian officials have already blamed Russia, which they have accused in the past of several other cyber-incidents going back to 2014.
The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level as Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly aggressive ransomware.
Bleeping Computer Petya/NotPetya coverage:
Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware
Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software
Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak
Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files
WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe
Comments
jwoods301 - 7 years ago
I continue to be amazed at the number of companies being taken down by ransomware/cyberweapons.
Backup is as old as tape drives.
One disturbing trend written about on Krebs on Security is that many companies are now stockpiling Bitcoin to pay ransom...rather than hardening their disaster recovery infrastructure, if they have one at all.
herbgold - 7 years ago
"MFT (Master Tree File)" ??? Master File Table, surely
Cauthon - 7 years ago
M F Trouble? :-)
khushnoor - 7 years ago
New encryptor Ransomware MAKB
YOUR FILES ARE ENCRYPTED!
Your personal ID
D0 92 68 3A 74 EA B5 4F 1F D1 E7 AA EC A1 F1 22
FB FF 0E E7 58 BB 1D 0F 66 7F C0 AF B3 84 68 16
0C F4 D6 D3 52 E9 64 2B A8 4B 03 10 DB AF 57 B6
0E 82 DF EA 31 1D 42 97 07 0D 0E 91 D2 05 05 95
52 94 31 EE 6B 13 C2 A3 28 9F 65 D1 EB F2 13 AF
40 CA 71 B6 81 0B F5 59 06 04 08 37 03 7A 8C 5C
2D A6 62 C5 D1 F5 D3 22 8D B8 91 76 3B 65 47 8A
88 E4 2C BA 89 B8 6C 23 F0 7C B7 FA EA E3 62 87
All your files have been encrypted due to a security problem with your PC.
To restore all your files, you need a decryption.
If you want to restore them, write us to the e-mail makbigfast@india.com.
In a letter to send Your personal ID (see In the beginning of this document).
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
In the letter, you will receive instructions to decrypt your files!
In a response letter you will receive the address of Bitcoin-wallet, which is necessary to perform the transfer of funds.
HURRY! Your personal code for decryption stored with us only 72 HOURS!
Our tech support is available 24 \ 7
•Do not delete: Your personal ID
•Write on e-mail, we will help you!
Free decryption as guarantee
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 10Mb.
When the transfer is confirmed, you will receive interpreter files to your computer.
After start-interpreter program, all your files will be restored.
Attention!
•Do not rename encrypted files.
•Do not try to decrypt your data using third party software, it may cause permanent data loss.
•Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
•Do not attempt to remove the program or run the anti-virus tools
•Attempts to self-decrypting files will result in the loss of your data
•Decoders are not compatible with other users of your data, because each user's unique encryption key
JacobIdris - 6 years ago
Windows 10 creator's edition plus Eset security program
I have the aforementioned OS and security products at hand, but I heard a lot of fully patched Windows 10 machines were infected with the Petya malware. Although I have not got a single notification from my security firewalls or any filter, my friends were insisting it might have been exposed to that malware.
Explain to me how it is possible and, if it is infected, how to get it out? What are the common symptoms?