Petya ransomware isn't just about bitcoins; its more likely a wiper

Petya ransomware that had the world Internet paralyzed once again on Tuesday is starting to look much worse than initially expected. The cyber-attack that has infected enterprise networks across Europe and many parts of Asia, according to security researchers isn't just about bitcoins but could be a wiper aimed at mass destruction of data. The ransom note left behind was in fact just a hoax intended to capitalize on media interest sparked by last month's massive WannaCry outbreak.

Though the initial assessment of many researchers was that the malware was a new version of the Petya ransomware that first struck in early 2016, however, later analysis suggested some sinister motives for a piece of malware —alternatively dubbed PetyaWrap, NotPetya, and ExPetrits; its code is so aggressive that it's impossible for victims to recover their data. Besides, its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines.

Researchers at antivirus provider Kaspersky Lab, in a blog post, labeled the malware a "wiper." They explained that for attackers to decrypt a paying victim's computer, they need a "personal infection ID" that's displayed in the ransom note. In the 2016 version of Petya, the ID contained crucial information for the key recovery. Tuesday's malware, by contrast, was generated using pseudorandom data that was unrelated to the corresponding key.

"What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov wrote.

Matt Suiche of Comae Technologies also called Tuesday's malware a wiper. But rather than focus on the pseudo-randomly generated installation ID, he highlighted the overwriting of key files stored on the infected hard drive. According to Suiche, the 2017 version of Petya is also exploiting the EternalBlue and EternalRomance vulnerabilities in Microsoft’s systems. He writes, “After comparing both implementation, we noticed that the current implemented that massively infected multiple entities Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk.”

He categorically calls it a nation state attack. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “ is in our opinion a very subtle way from the attacker to control the narrative of the attack.”

As the analysis work is still under way, we cannot blatantly pinpoint fingers at anyone. But one thing is sure that there is more to Petya than meets the eye.