NotPetya ransomware intended to destroy data, not extort money
'Little hope for victims to recover their data,' warns Kaspersky
The so-called NotPetya ransomware, which was first identified in Ukraine and quickly spread worldwide, is designed to destroy data with the ransomware element intended as little more than a cover, believe security experts.
And security software company Kaspersky has warned that there is "little hope for victims to recover their data" if they fall victim to the malware because the installation ID displayed in the ransomware note, sent with the ransom so that the appropriate decryption key can be sent back, is entirely randomly generated.
As a result, victims that pay the estimated £300 ransom in bitcoin won't be able to get their files back.
"We have analysed the high level code of the encryption routine," began Kaspersky in a statement.
It continued: "To decrypt a victim's disk threat actors need the installation ID. In previous versions of ‘similar' ransomware, like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.
"ExPetr [Kaspersky's name for the malware] does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."
Kaspersky's warning comes as a number of security software and services companies publish their initial analyses of the NotPetya/ExPetr malware - all coming to similar conclusions.
Kaspersky itself claims that around 2,000 users have fallen victim to it so far, with organisations in Russia and Ukraine worst affected, although Norwegian shipping company Maesk also fell victim. The company also confirmed the use of two US National Security Agency (NSA) exploits, exposed by the Shadow Brokers group, called EternalBlue and EternalRomance, which have helped automatically propagate the malware.
People and organisations with their Windows operating systems patched up-to-date and running equally up-to-date anti-virus software ought to be protected, Kaspersky added.
However, organisations that aren't properly patched can see the malware use flaws in Microsoft's SMB networking protocol, via the EternalBlue exploit, to infect multiple machines.
According to Kasperksy researchers Anton Ivanov and Orkhan Mamedov, the "installation key" supposedly presented to users in the NotPetya ransom note is simply a random string.
"That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim and, as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID," they warned.
That means, even paying the ransom won't result in a decryption key being sent. "This reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," they added.
Likewise, Matt Suiche, founder of cloud security company Comae Technologies, agreed. "The ransomware was a lure for the media. This variant of Petya is a disguised wiper," he warned.
He added: "The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.
"Ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) - a wiper would simply destroy and exclude possibilities of restoration."
The key presented in the ransomware note, he also confirmed, is "fake and randomly generated".
He added that the ransomware element was probably intended to distract attention from the idea that a nation state attacker of some sort was behind it, citing the Shamoon malware in 2012, while the attacker simply repacked existing ransomware.
Not everyone is convinced that the NotPetya malware is state sponsored, however, with software engineer and malware analyst @hasherezade on Twitter suggesting that the author of the original Petya might be behind it.