New Petya Ramsom classified as Wiper Malware
The Petya ransomware attacks that has spread in several countries, including Russia, Ukraine, France, India and the United States on Tuesday, and demands $300 ransom, was not created with the purpose of restoring infected computers at all.
Comae Technologies Founder Matt Suiche, who closely looked at the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a “Wiper malware,” not ransomware. Wiper Malware sole purpose is to destroy data on the Hard Disk.
Security experts believe the real attack has been disguised to divert world’s attention from a state-sponsored attack on Ukraine to a malware outbreak.
“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche writes.
Petya is a particular nasty piece of malware that does not encrypt files on a targeted system one by one, but reboots infected computers and encrypts the hard drive’s master file table (MFT). It renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.
Petya ransomware then takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.
However, Petya does not keep a copy of the replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if the victims get the decryption keys.
After infecting the machine, Petya ransomware scans the local network and infects all other machines on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.
Even if the ransom is payed, the decryption key will not decrypt the hard drive. The reason behind this is, that the German E-Mail provider, suspended the e-mail address, shortly after the outbreak.
So far, victims have already paid more than $10,500 in Bitcoins in hopes to get their locked files back, but unfortunately, they would not.
Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.
“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks,” the security firm said.
“To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.”
Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “it is in our opinion a very subtle way from the attacker to control the narrative of the attack.”
Countries infected by the Petya virus include: Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.
According to research conducted by Talos Intelligence, a Ukrainian firm named MeDoc is likely the primary source of the massive ransomware outbreak.
Researchers said the virus has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.
“At the time of updating the program, the system could not be infected with the virus directly from the update file,” translated version of MeDoc post reads. “We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program.”
However, several security researchers and even Microsoft agreed with Talo’s finding, saying MeDoc was breached and the virus was spread via updates.