Petya the destroyer: Wiper attack in disguise is really out to kill data

Researchers from leading infosec firms have arrived at the same conclusion: the ransomware attack that goes by the labels Petya and GoldenEye is really out to destroy systems.

The attack, a nastier derivative of the WannaCry ransomware attack that hit more than 300,000 systems worldwide over a month ago, has spread to more than 64 countries and has hit more than 2,000 major organisations with precision, from the port of Mumbai to Kiev’s main airport, Ukraine’s biggest bank and Russia’s top oil firm, to name a few.

The latest malware has been given various titles, with some sticking to the original Petya and others referring to the latest variant as GoldenEye, ExPetr or NotPetya. It is increasingly being referred to as simply Petya in the media.

Researchers from Comae Technologies and Kaspersky Lab have discovered that Petya is not a ransomware attack, even though it demands victims pay €300 in bitcoin for access to their files.

They believe it is a devastating cyberattack that has no intention of returning access to files.

So here is another good reason not to pay up.

Petya is out to destroy

The malware employs the same EternalBlue exploit used by WannaCry to spread quickly between systems.

However, Petya is really only disguised as ransomware, and the so-called “installation key” dangled before victims on the ransom screen is randomised data.

Matt Suiche, co-founder of Comae Technologies, said that Petya is not ransomware but what is known in hacker circles as a “wiper.”

He explained: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modifications (such as restoring the master boot record, like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”

Suiche studied the earliest victims of the attack and found they had no hopes of regaining access to their systems if they paid up.

“After comparing both implementations, we noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the first 25 sector blocks of the disk.”
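As an added forensic triage example, not part of this article or of the researchers' analysis, the check below reads the first 25 sectors of a raw disk image and reports whether they still carry a valid MBR boot signature or have been overwritten with zeros or random-looking data. The disk images are constructed in code and all function names are hypothetical.

```python
import math
import random

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510-511 of sector 0


def sector_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a uniform fill, close to 8 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_first_sectors(image: bytes, n_sectors: int = 25) -> dict:
    """Summarise the state of the first n_sectors of a raw image (defender-side triage)."""
    sectors = [image[i * SECTOR:(i + 1) * SECTOR] for i in range(n_sectors)]
    zeroed = sum(1 for s in sectors if s.count(0) == len(s))
    noisy = sum(1 for s in sectors if sector_entropy(s) > 7.0)  # boot code/tables sit well below this
    mbr_ok = image[510:512] == MBR_SIGNATURE
    wiped = (zeroed + noisy) >= n_sectors // 2 or not mbr_ok
    return {"mbr_signature_valid": mbr_ok, "zeroed_sectors": zeroed,
            "high_entropy_sectors": noisy, "verdict": "likely wiped" if wiped else "looks intact"}


# Constructed sample images (hypothetical, not captured from any real host).
def make_intact_image(n_sectors: int = 64) -> bytes:
    mbr = bytearray(SECTOR)
    mbr[0:16] = b"\xfa\x33\xc0" + b"\x90" * 13  # stand-in boot code
    mbr[510:512] = MBR_SIGNATURE
    filler = b"".join(bytes([(i % 7) + 1]) * SECTOR for i in range(1, n_sectors))  # low entropy
    return bytes(mbr) + filler


def make_wiped_image(n_sectors: int = 64, trashed: int = 25, seed: int = 1) -> bytes:
    """Overwrite the first `trashed` sectors with pseudo-random junk, mirroring the quoted finding."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(trashed * SECTOR))
    return junk + make_intact_image(n_sectors)[trashed * SECTOR:]


if __name__ == "__main__":
    print("intact:", triage_first_sectors(make_intact_image()))
    print("wiped: ", triage_first_sectors(make_wiped_image()))
```

Run it against a real `dd` image by passing the first 25 * 512 bytes of the file to `triage_first_sectors`; a "likely wiped" verdict means there is no bootable MBR left to restore, which is the point the researchers make about paying.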

Anton Ivanov and Orkhan Mamedov of Kaspersky Lab have arrived at the same conclusion.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disks, even if a payment was made.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

They too found that the so-called installation key for restoring system access is nothing more than randomised data. Those who paid up were duped.

“What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” Ivanov and Mamedov said.

The post Petya the destroyer: Wiper attack in disguise is really out to kill data appeared first on Silicon Republic.
