Petya wreaked havoc globally after it affected hundreds of thousands of systems globally and while experts believed that it was an other ransomware attack, it turns out that might not be the case as cyber security have found evidence that the malware is permanently destroying data.
Researchers explain that payload delivered in Tuesday’s outbreak wasn`t ransomware at all, but the true objective of the attack was to permanently wipe out as many hard drives as possible on infected networks.
Researchers at Moscow-based cyber security firm Kaspersky Lab have labelled the malware a “wiper.” Kaspersky Lab experts said the new malware is significantly different from all earlier known versions of ‘Petya’.
“And that`s why we are addressing it as a separate malware family. We`ve named it `ExPetr` (or `NotPetya` — unofficially),” the Kaspersky Lab blog post said.
The attack appears to be complex, involving several attack vectors.
“We can confirm that a modified `EternalBlue` exploit is used for propagation, at least within corporate networks,” it read.
`ExPetr` (aka `NotPetya`) does not have that installation ID (the `installation key` shown in the `ExPetr` ransom note is just a random gibberish), which means that the threat actor could not extract the necessary information needed for decryption.
“In short, victims could not recover their data,” the researchers added.
In the 2016 version of `Petya`, the ID contained crucial information for the key recovery.
“Tuesday`s malware, by contrast, was generated using pseudorandom data that was unrelated to the corresponding key,” wrote Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov.
Meanwhile, Janus Cybercrime Solutions, the author of `Petya` resurfaced on Twitter, offering to help those whose files can no longer be recovered.
“The altruistic gesture, even if it does prove fruitless, is uncharacteristic of the criminal syndicate that launched an underworld enterprise by placing powerful exploits in the hands of others to deploy as they see fit,” said a Gizmodo report.