Following the WannaCry attacks that caused major disruptions in May, this week saw another ransomware attack, dubbed Petya, that began in Ukraine before quickly spreading across Europe and the rest of the world. This ransomware encrypts a hard drive's index page until the victim pays a ransom of $300 in Bitcoins. However, the latest analyses say that the recent attack was not ransomware at all, but a 'wiper', like Shamoon, that destroys data permanently. The apparent guise of ransomware, and the fact that Ukraine was hit first, just ahead of its Constitution Day, suggests the cyber-attacks were state sponsored or politically motivated.
A cyber-security team at Comae has concluded that the Petya ransomware isn't in fact ransomware, and that victims will not be able to get their files back even if they pay the ransom. The Petya wiper destroys certain sectors of the disk, making it impossible to retrieve the files even if the victim does get the recovery key after paying. They found that the code was so aggressive that it made it impossible for victims to recover their data.
"The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) - a wiper would simply destroy and exclude possibilities of restoration," the Comae statement said.
Kaspersky Lab also reached a similar conclusion and detailed how the wiper was able to masquerade as ransomware to trick victims into paying. The researchers say that, first, the attacker would need the installation ID to decrypt the victim's disk. In the 2016 Petya attack, this ID contained the crucial information needed to derive the recovery key. But the ID shown by Tuesday's malware was generated from pseudorandom data unrelated to the corresponding key, which meant that the attacker would not be able to extract any decryption information from it.
Researchers say that the wiper is similar in nature to Shamoon, which attacked Saudi Arabia back in 2012. They also said that the malware, dubbed PetyaWrap, NotPetya, and ExPetr, which struck thousands this week, carried a ransom note that was meant as a hoax: it took advantage of the WannaCry incident last month to control the media narrative, possibly deflecting from the true intent.
Since Tuesday, around 45 people have paid the ransom, a total of $10,100 (roughly Rs. 6,52,310) in Bitcoins, and based on the new findings it is unlikely that these victims managed to recover their data. This also means that the goal behind the attacks was never to make money, but to cause damage instead.