THE SO-CALLED 'NotPetya' ransomware, which was first identified in Ukraine and quickly spread worldwide, is reportedly designed to destroy data with the ransomware element intended as little more than a cover.
Security software company Kaspersky has warned that there is "little hope for victims to recover their data" if they fall victim to the ransomware bastard because the installation ID displayed in the ransomware note, sent with the ransom so that the appropriate decryption key can be sent back, is entirely randomly generated.
As a result, victims that pay the estimated £300 ransom in Bitcoin won't be able to get their files back.
Victims keep sending money to Petya, but will not get their files back: No way to contact the attackers, as their email address was killed. pic.twitter.com/68vxThNIPM— Mikko Hypponen (@mikko) June 28, 2017
"To decrypt a victim's disk threat actors need the installation ID. In previous versions of ‘similar' ransomware, like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.
"ExPetr [Kaspersky's name for the malware] does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."
Kaspersky's warning comes as a number of security software and services companies publish their initial analyses of the NotPetya/ExPetr malware - all coming to similar conclusions.
Kaspersky itself claims that around 2,000 organisations have fallen victim to it so far, with firms in Russia and Ukraine worst affected, although Norwegian shipping company Maesk also fell victim. The company also confirmed the use of two US National Security Agency (NSA) exploits, exposed by the Shadow Brokers group, called EternalBlue and EternalRomance, which have helped automatically propagate the malware.
People and organisations with their Windows operating systems patched up-to-date and running equally up-to-date antivirus software ought to be protected, Kaspersky added.
However, organisations that aren't properly patched can see the malware use flaws in Microsoft's SMB networking protocol, via the EternalBlue exploit, to infect multiple machines.
According to Kasperksy, researchers Anton Ivanov and Orkhan Mamedov, the "installation key" supposedly presented to users in the NotPetya ransom note is simply a random string.
"That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim and, as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID," they warned.
That means, even paying the ransom won't result in a decryption key being sent. "This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," they added.
Likewise, Matt Suiche, founder of cloud security company Comae Technologies, agreed. "The ransomware was a lure for the media. This variant of Petya is a disguised wiper," he warned.
He added: "The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.
before you jump into the conclusion that current #Petya is a state-sponsored disruption you must understand Janus. he loves fame ;)— hasherezade (@hasherezade) June 28, 2017
"Ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) - a wiper would simply destroy and exclude possibilities of restoration."
The key presented in the ransomware note, he also confirmed, is "fake and randomly generated".
He added that the ransomware element was probably intended to distract attention from the idea that a nation-state attacker of some sort was behind it, citing the Shamoon malware in 2012, while the attacker simply repacked existing ransomware.
Not everyone is convinced that the NotPetya malware is state sponsored, however, with software engineer and malware analyst @hasherezade on Twitter suggesting that the author of the original Petya might be behind it. 'µ
C3-PO, R2-D2, BB-8 and other Androids
Helpful cyber vigilante gets short changed by customer services
...you know, now it's less confusing...
Firm will no longer provide updates for its first Android mobe