New Petya Was Created to Destroy
Before the world could recover from WannaCry, Windows users felt a second wave of attacks from another piece of malware dubbed Petya. Initially it looked like ransomware similar to WannaCry, encrypting Windows systems to monetize the recovery of data.
“Some researchers suggested that the new ransomware might be either WannaCry (it’s not), or some variation of Petya ransomware (be it Petya.A, Petya.D, or PetrWrap). Kaspersky Lab experts concluded that the new malware is significantly different from all earlier known versions of Petya, and that’s why we are addressing it as a separate malware family. We’ve named it ExPetr (or NotPetya – unofficially),” said Kaspersky Labs in a blog post.
According to US-Cert, “Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB).”
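A defender-side check that follows from the MBR damage just described, as an added example that is not code from the article or from any vendor it quotes: it parses a 512-byte boot sector, validates its structure, and compares it against a trusted baseline hash and an entropy threshold so that an overwritten or encrypted MBR is flagged. The sample sectors, the 7.0 bits/byte threshold and the baseline-snapshot workflow are constructed assumptions.

```python
"""MBR integrity check: does a boot sector still look like a valid MBR and match a
trusted baseline? Added example, not the article's code; all sample sectors are constructed."""
import hashlib
import math
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of every valid MBR
ENTROPY_LIMIT = 7.0            # bits/byte; ciphertext sits near 8.0, boot code well below (heuristic)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a genuine MBR is mostly zero padding plus code, so it is low."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries

def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Return the sector's hash and every reason it fails to look like the trusted MBR."""
    findings = []
    if len(mbr) != MBR_SIZE or mbr[-2:] != BOOT_SIGNATURE:
        findings.append("size or 0x55AA boot signature wrong")
    parts = parse_partitions(mbr) if len(mbr) == MBR_SIZE else []
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition status byte is neither 0x00 nor 0x80")
    if shannon_entropy(mbr) > ENTROPY_LIMIT:
        findings.append("entropy too high for boot code (looks encrypted)")
    digest = hashlib.sha256(mbr).hexdigest()
    if digest != baseline_sha256:
        findings.append("hash differs from trusted baseline")
    return {"sha256": digest, "tampered": bool(findings), "findings": findings}

# Constructed known-good MBR: a few bytes of boot code, one bootable NTFS partition, 0x55AA.
_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")
_PARTITION_1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 0x01000000)
GOOD_MBR = _BOOT_CODE + _PARTITION_1 + b"\x00" * 48 + BOOT_SIGNATURE
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()   # in practice, stored from a known-good snapshot

# Constructed stand-in for the same sector after being overwritten with ciphertext (no real malware output):
WIPED_MBR = b"".join(hashlib.sha256(b"constructed-sample" + bytes([i])).digest() for i in range(16))
```

Run `check_mbr(GOOD_MBR, BASELINE)` and `check_mbr(WIPED_MBR, BASELINE)` to see the two outcomes; on a live system the sector would come from the first 512 bytes of the disk image taken during triage.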
Petya has already wreaked havoc on infrastructure in major economies across Europe, Russia, India and beyond. Some of the biggest victims include the Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers and national banks, and the international logistics company Maersk.
The twist in the tale is that, unlike WannaCry, new Petya is not ransomware; it turns out to be a wiper.
Matt Suiche, founder of Comae, explained that the “goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”
It seems that new Petya was disguised as ransomware to divert attention from a state-sponsored cyberattack on Ukraine.
"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," said Suiche.
Sorry to be the bearer of bad news, but this also means that if your computer has been compromised by Petya, paying the ransom won’t restore your files. They are gone, for good.
Petya is considered a variant of an exploit that was created by the NSA to compromise the systems of US adversaries.