Initially thought as the ‘Petya’ ransomware outbreak that shut computers in several countries, cybersecurity researchers are now dubbing it as a new form of the malware attack that doesn’t demand ransom but permanently destroys data. “In other words, the researchers said, the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe out as many hard drives as possible on infected networks,” arstechnica reported on Friday. Researchers at Moscow-based cyber security firm Kaspersky Lab have labeled the malware a “wiper.”
Kaspersky Lab experts said the new malware is significantly different from all earlier known versions of ‘Petya’. “And that’s why we are addressing it as a separate malware family. We’ve named it ‘ExPetr’ (or ‘NotPetya’ — unofficially),” the Kaspersky Lab blog post said. The attack appears to be complex, involving several attack vectors. “We can confirm that a modified ‘EternalBlue’ exploit is used for propagation, at least within corporate networks,” it read. ‘ExPetr’ (aka ‘NotPetya’) does not have that installation ID (the ‘installation key’ shown in the ‘ExPetr’ ransom note is just a random gibberish), which means that the threat actor could not extract the necessary information needed for decryption.
“In short, victims could not recover their data,” the researchers added. In the 2016 version of ‘Petya’, the ID contained crucial information for the key recovery. “Tuesday’s malware, by contrast, was generated using pseudorandom data that was unrelated to the corresponding key,” wrote Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov. Meanwhile, Janus Cybercrime Solutions, the author of ‘Petya’ resurfaced on Twitter, offering to help those whose files can no longer be recovered. “The altruistic gesture, even if it does prove fruitless, is uncharacteristic of the criminal syndicate that launched an underworld enterprise by placing powerful exploits in the hands of others to deploy as they see fit,” said a Gizmodo report.