UPDATED 22:31 EST / JUNE 28 2017

INFRA

Petya attack wasn’t actually ransomware. It was something far worse

“Petya,” the ransomware that made headlines Tuesday as it spread across the globe, is neither ransomware nor Petya, according to research from multiple security professionals published Wednesday.

Now dubbed “NotPetya” by some, the darknet-sold software is claimed to only be masquerading as Petya ransomware — a strain released in 2016 — and is instead a “wiper,” a form of malware that deletes data on a target’s hard disk or similar storage on systems running Microsoft Windows.

The claim comes from multiple fronts. Comae Technologies Inc. researcher Matt Suiche wrote on Medium that “this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” He added that “we believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention of some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

An information security researcher who goes by the public name of “the grugq” also supported the claim, writing that “the superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”

Yonathan Klijnsma, threat researcher at security company RiskIQ Inc., agreed, telling SiliconANGLE that “it’s important to note that this is not Petya. It is a variant modeled after it that has stolen the methods Petya used.” On reports that there are problems with payments with NotPetya, Klijnsma noted that “the payment component of the attack doesn’t seem like it was meant to function or scale well, meaning the actors involved may be more interested in mayhem and destruction than money.”

What this all means is that for those infected by NotPeyta, there’s no way to decrypt the allegedly held files because they were never encrypted to begin with. “First of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back,” Anton Ivanov and Orkhan Mamedov from Kaspersky Lab wrote in a blog post. “Secondly, this reinforces the theory that the main goal of the [NotPetya] attack was not financially motivated, but destructive.”

The advice, as always is to practice safe Internet, including using the latest versions and patches of software. But with the spread of WannaCry and now NotPetya it would appear that many enterprises are not getting the message.

“When you are told to patch months before with a large set of precursor warnings like WannaCry, you better patch,” Klijnsma added. “If your organization’s patch management is so problematic that it takes this long, you have to change it; things like this require on-demand maintenance and patching. Consider the problem in terms of the costs and material loss of your company going down for a day versus simply getting your engineers some more time and availability to manage patches properly.”

Image: HypnoArt/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU