NotPetya Is Not Ransomware, But Rather, A Disk Wiper

Updated on

NotPetya is a cyber weapon and a dreaded virus that attacked thousands of computers around the globe and wiped everything off their disks. While the media was busy finding what is NotPetya, the malware meanwhile was sucking out every bit of information from the affected computers — only to never give it back.

What is NotPetya – a ransomware?

The virus, also known as Petna, Petya and Expetr, first surfaced on Tuesday when it encrypted and locked thousands of computers all over the world and destroyed their data. What is NotPetya? Initially, NotPetya was believed to be ransomware, but the source code revealed that it was only masquerading as ransomware, and there is no way users would be able to recover their files, according to separate reports from Comae Technologies and Kaspersky Lab.

For each affected computer, NotPetya generates a random infection ID, which is used to save information about each infected victim and the decryption key. Since the virus generates random data for that particular ID, the decryption process becomes almost impossible, notes Kaspersky expert Anton Ivanov. According to Ivanov, this means that victims won’t get their data back even if they pay, thus confirming the “theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”

Comae Technologies, which gave a different reasoning but the same conclusion, says the virus makes it impossible to recover the original MFT (Master File Table).

“[The original] Petya modifies the disk in a way where it can actually revert its changes. Whereas, [NotPetya] does permanent and irreversible damages to the disk,” said Comae Technologies researcher Matt Suiche.

Further, the victim is required to send a confirmation email to the address hosted by the German email provider Posteo. However, the email account has been already closed, which means that those who paid the ransom cannot decrypt their computers. Another piece of evidence that it isn’t ransomware is that the hackers used a single bitcoin address to receive payments. This is surprising, as with this level of cyber-attack, one would expect them to use several bitcoin wallets to make processing a lot faster.

NotPetya – all you need to know

The name NotPetya comes because the malware shares code with ransomware known as Petya. But according to a security researcher at Kaspersky Lab, it is an entirely new type of ransomware that appeared for the first time; hence, the word “not” was affixed to it.

Kaspersky Lab stated that about 60% of the infections were found in Ukraine, where legally mandated software suites used to file taxes probably introduced the malware. Maersk, the Danish shipping firm that used the same accounting software, is among the major non-Ukrainian organizations that were affected by the malware, notes The Guardian.

Experts recommend using the latest version of Windows and keeping an eye on every update. Both types of malware that spread widely this year affected the PCs of those who did not either upgrade to the newest version or overlooked the periodical updates by the company.

Leave a Comment