The breakout of the Petya malware two days ago has caused mayhem once again. It has been the second major global cyber attack after the WannaCry incident. However, the latest research reveals that the ransomware is not a ransomware at all.
Petya was discovered two days ago and has its root in Ukraine. The malware entered cyberspace through an update mechanism for an accounting software used by staff members working for the Ukrainian government.
However, this was the first phase of infection. The next one used a more conventional and probably an amateur technique of sending infected malware through email attachments.
However, given that Windows released a patch for the vulnerability, Petya uses another technique by exploiting administrative tools in Windows. Furthermore, researchers found that Petya spreads more rapidly than WannaCry.
The ransomware infected the systems of major organizations including WPP, Mondelez, and Maersk locking their entire data for ransomware that amounts to $300 in Bitcoin.
What Petya really is?
The name Petya may have rung some bells as the name associated with a criminal enterprise called Petya which launched a money-making campaign. However, researchers from the Grugq stated that Petya was not meant for making money.
In fact, Petya is a destructive tool as discovered by Comae Technologies and Kaspersky Lab. The experts stated that Petya, is in reality, a disk wiper that locks a victim’s data files and throws away the decryption key.
This means that Petya simply takes the shape of ransomware, probably to avoid being noticed as something serious by security researchers. According to Kaspersky researchers:
“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”
— Eugene Kaspersky (@e_kaspersky) June 28, 2017
Petya, on the other hand, simply generates random data making the decryption of the files unlikely as revealed by Kaspersky.
Most ransomware usually generates a decryption key for every infected PC that is given to the victim once they have paid the ransomware. This is specifically true for ransomware that operates without a command-and-control server.
Researchers at Comae Technologies discovered that Petya executes itself in an unusual way that makes the recovery of the Master File Table (MFT) impossible. Petya does permanent damage to the disk in which the file is stored.
Since MFT manages the location of all other files on a system, having MFT encrypted forever implies that there is no way in which the data can be recovered.
Money may not have been the primary motive
Although the Petya campaign asks for a ransom, it, however, does so very crudely by giving a specific email address through which a victim can contact the attacker.
As of now, the email provider has locked the email, and therefore there is no way to contact the attacker.
Furthermore, given the permanent damage that Petya does to a system, even if the victim pays the ransom, the files encrypted cannot be recovered since no decryption key exists to do so.
As such, researchers have concluded that primary motive of the campaign was to cause serious damage rather than make money.
In fact, the original author of Petya tweeted that Petya was not a variant of Petya. Therefore, nothing less than a data wiper disguised as ransomware.
Although no particular leads have been discovered, Ukraine, however, suspects Russia to be behind all this given Russia’s past attempts to hack into the federal systems of the US and France.
Now that Petya has been reclassified as a destructive cyber-weapon, researchers say that they will be able to look at the issue in a different light.