Short Summary:
Until now we have thought of Petya as ransomware, but this new version goes beyond that. Ransomware is generally malware that encrypts your files and hands you a decryption key once you pay the ransom to the attacker(s). Petya works somewhat differently: it encrypts the MBR and MFT on Windows machines and replaces the MBR with its own malicious code. It also keeps no backup of the data it overwrites, so even if you pay the ransom you will not get your data back.
Let us look at how this malware works in detail and at the research carried out on it. Many security researchers also found that this malware was spread in the guise of ransomware because the attackers wanted to divert public attention from WannaCry to this malware. Let us see all of this in detail.
Petya is not a Ransomware
Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday, demanding a $300 ransom, were not designed with the intention of restoring the computers at all.
According to a new analysis, the virus was designed to look like ransomware but is in fact wiper malware that wipes computers outright, destroying all records on the targeted systems.
Comae Technologies founder Matt Suiche, who closely examined the operation of the malware, said that after analyzing the virus, known as Petya, his team found that it was "wiper malware," not ransomware.
Security experts even believe the real attack was disguised to divert the world's attention from a state-sponsored attack on Ukraine to a malware outbreak.
"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.
What's new in Petya? Is it powerful?
Petya is a nasty piece of malware that, unlike traditional ransomware, does not encrypt files on a targeted system one by one. Instead, Petya reboots the victim's computer and encrypts the hard drive's Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and locations on the physical disk.
Petya then takes an encrypted copy of the MBR and replaces it with its own malicious code, which displays a ransom note and leaves the computer unable to boot. However, this new variant of Petya does not keep a copy of the replaced MBR, whether by mistake or on purpose, leaving infected computers unbootable even if victims obtain the decryption keys.
Also, after infecting one machine, Petya scans the local network and quickly infects all other machines on the same network (even fully patched ones), using the EternalBlue SMB exploit and the WMIC and PsExec tools.
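The lateral-movement tools named above (WMIC remote process creation and PsExec) leave process-creation telemetry that a defender can match on. The following is an added detection example, not code from the original article; the event records and their field names are constructed for this illustration, roughly what a flattened Windows 4688 or Sysmon event 1 record carries.

```python
import re

# Constructed sample process-creation records (not real telemetry):
# host, parent image and command line of the new process.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\a\report.txt"},
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wmic.exe /node:10.0.0.12 /user:corp\admin process call create "
                r'"<remote-command placeholder>"'},
    {"host": "srv02", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wmic.exe os get caption"},   # local WMI query, benign
]

# Remote WMI process creation: wmic aimed at another host via /node: AND
# asking for "process call create". Requiring both parts keeps ordinary
# local wmic queries (like the ws03 record) from being flagged.
WMIC_REMOTE = re.compile(
    r"\bwmic(\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)
# PsExec on either end: the client binary or the PSEXESVC service it drops.
PSEXEC = re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)


def classify(event):
    """Return the lateral-movement indicators present in one event."""
    hits = []
    if WMIC_REMOTE.search(event["cmdline"]):
        hits.append("remote-wmic-process-create")
    if PSEXEC.search(event["cmdline"]) or PSEXEC.search(event["parent"]):
        hits.append("psexec")
    return hits


def scan(events):
    """Map host -> indicators, listing only hosts with at least one hit."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

A single hit on an administrator's workstation may be legitimate; the same pattern appearing on many hosts within minutes is the signal that matches the worm-like spread described above.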
Does Paying Ransom Get Your Files Back?
So far, nearly 45 victims have already paid a total of $10,500 in Bitcoin in the hope of getting their locked files back, but unfortunately they will not. This is because the email address the attackers set up to communicate with victims and send decryption keys was suspended by the German provider shortly after the outbreak. With the email address suspended, there is no way to contact the attackers, meaning that even victims who do pay the ransom will never recover their files. Kaspersky researchers said the same.
"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," the security firm said.
"To decrypt a victim’s disk threat actors need the installation ID. In previous versions of 'similar' ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery."
If the researchers' claim is correct that the new variant of Petya is destructive malware designed to shut down and disrupt services around the world, then the malware has done its job successfully.
List of countries affected by Petya so far
The virus primarily and massively targeted multiple entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, an electricity supplier, the central bank and the state telecom.
Other countries infected by the Petya virus included:
- Russia
- France
- Spain
- India
- China
- The United States
- Brazil
- Chile
- Argentina
- Turkey
- South Korea
Finally, Petya proves to be very harmful data-wiper malware, and we should take measures to keep it from affecting our computers. So far the exact preventive measures are not known, but one can try the steps taken when WannaCry struck, because both malware families use the Windows SMB exploit to spread across the world; that way we can at least slow it down. Click here to read the preventive measures.
Support us with your views on this malware and any update if necessary. Comment your views and Stay Connected..!