‘NotPetya aims to erase data with the appearance of ransomware’


After Tuesday’s internet attack, more analyses will appear on the nature of the malware used. Security firm Kaspersky and researcher Matt Suiche come to the conclusion that the malware, called Petya or NotPetya, is intended as a wiper for erasing data.

Initially, it was Suiche who published a blog post sharing this finding. He writes that traditional ransomware has the ability to restore encrypted or locked systems after payment. In the case of NotPetya, there is no such possibility, because the malware overwrites the first 25 blocks of an HDD sector with no recovery possible. On that basis, he concludes that the semblance of ransomware was an attempt to misdirect the media. As with WannaCry, this would draw attention to a ‘mysterious hacker group’ rather than a state.
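As an added illustration of the point Suiche makes (this is example code written for this page, not from Suiche, Kaspersky or the malware itself), the following triage script reads the first 25 sectors of a raw disk image and checks whether they still look like an intact boot area or like unrecoverable junk. It assumes classic 512-byte sectors, checks for the MBR boot signature at the end of sector 0, and counts high-entropy and all-zero sectors. Both the intact image and the "after overwrite" image are constructed in the script so it runs offline.

```python
import math
import random

SECTOR_SIZE = 512             # assumption: classic 512-byte sectors
CHECK_SECTORS = 25            # the article's figure: the first 25 sectors of the disk
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at the end of sector 0
ENTROPY_THRESHOLD = 7.0       # bits per byte; plain boot/gap sectors sit far below this


def build_intact_image(total_sectors: int = 64) -> bytes:
    """Constructed sample disk image: a plausible MBR in sector 0, empty alignment gap after it."""
    img = bytearray(total_sectors * SECTOR_SIZE)
    img[0:3] = b"\xeb\x3c\x90"          # jump over the (empty) boot code, as real boot sectors do
    # One constructed partition entry: bootable, Linux type 0x83, starting at LBA 63.
    img[446:462] = bytes([0x80, 0x01, 0x01, 0x00, 0x83, 0xfe, 0xff, 0xff,
                          0x3f, 0x00, 0x00, 0x00, 0xc1, 0xff, 0x00, 0x00])
    img[510:512] = MBR_SIGNATURE
    return bytes(img)


def simulate_wiped_image(image: bytes, seed: int = 1234) -> bytes:
    """Constructed 'after' sample: the first CHECK_SECTORS sectors replaced by pseudo-random bytes.

    This only models the effect the article reports (an unrecoverable overwrite of the
    disk head); it is not the malware's behaviour or code.
    """
    rng = random.Random(seed)
    n = CHECK_SECTORS * SECTOR_SIZE
    junk = bytes(rng.getrandbits(8) for _ in range(n))
    return junk + image[n:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_boot_sectors(image: bytes) -> dict:
    """Inspect the first CHECK_SECTORS sectors of a raw disk image and flag signs of an overwrite."""
    head = image[:CHECK_SECTORS * SECTOR_SIZE]
    sectors = [head[i:i + SECTOR_SIZE] for i in range(0, len(head), SECTOR_SIZE)]
    signature_ok = len(head) >= 512 and head[510:512] == MBR_SIGNATURE
    high_entropy = sum(1 for s in sectors if shannon_entropy(s) > ENTROPY_THRESHOLD)
    zeroed = sum(1 for s in sectors if not any(s))
    return {
        "mbr_signature_ok": signature_ok,
        "high_entropy_sectors": high_entropy,
        "zero_sectors": zeroed,
        # A missing boot signature or a mostly high-entropy head is reason to pull the disk for forensics.
        "suspicious": (not signature_ok) or high_entropy >= CHECK_SECTORS // 2,
    }


if __name__ == "__main__":
    intact = build_intact_image()
    print("intact:", triage_boot_sectors(intact))
    print("wiped: ", triage_boot_sectors(simulate_wiped_image(intact)))
```

On a real case you would feed `triage_boot_sectors()` the first `CHECK_SECTORS * SECTOR_SIZE` bytes read from a forensic image rather than the constructed sample. The signature check carries more weight than the entropy count: a GPT disk still has a protective MBR ending in `55 AA`, while a full-disk-encrypted volume can legitimately show high-entropy sectors, so treat the entropy figure as a supporting indicator only.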

After the blog post was published, Kaspersky also came up with a similar analysis. The company writes that the warning that victims see contains an installation key, which they must send to an email address that has been closed since Tuesday afternoon. This key is actually related to the encryption key in the original Petya ransomware. However, with the NotPetya malware, the key is the result of a function that generates random data. That means decryption was never possible, Kaspersky said.

On Wednesday, there were already voices saying that the motive behind the spread was not to make money. Researchers the Grugq and Nicholas Weaver argued that NotPetya was intended to cause harm. There are as yet no concrete indications of the identity of the makers or the distributors of NotPetya. Security firm ESET said on Wednesday that the malware caused the most damage in Ukraine.
