The Petya cyber attack that swept across the globe and infected enterprise networks across Europe is much worse than initially thought. Security researchers have now concluded that the Petya attack is not ransomware at all. If that sounds like good news, it is not: researchers are calling Petya a wiper, malware whose aim is the mass destruction of data. The goal was never to collect money from victims or enterprises.
Researchers have compared the code of the 2016 and 2017 versions of Petya and concluded that the latest version is a wiper. This was first reported by Matt Suiche, founder of the cyber security firm Comae, who has published a detailed blog post on Medium (blog.comae.io) explaining why Petya is a wiper, not ransomware. Cyber security firm Kaspersky has come to the same conclusion in a separate blog post.
According to Suiche’s blog post, the current version of Petya overwrites the first sectors of the disk, deliberately destroying data. In the post, Suiche explains the difference between a wiper and ransomware. He writes, “a wiper would simply destroy and exclude possibilities of restoration.” With ransomware, the aim is always to get the victim to pay and then restore the data.
Based on early analysis, Suiche also concludes that the 2017 version of Petya spreads using the EternalBlue and EternalRomance exploits, which target vulnerabilities in Microsoft’s Windows SMB implementation. He writes, “After comparing both implementations, we noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the first 25 sector blocks of the disk.”
The researcher’s conclusion is that this attack deliberately overwrites data on the disk without reading it or saving it anywhere else. He says the main difference between the 2016 and 2017 versions of Petya is that the earlier version modified the disk in a way that made it possible to get the data back; in the new version the damage is irreversible.
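What “irreversible” means in practice can be shown with a toy disk-image model. The following is an added Python example, not code from the article, from Comae or from Kaspersky: a “ransomware-style” routine overwrites the first 25 sectors but first stashes an XOR-obfuscated copy of the originals at a fixed offset, while a “wiper-style” routine only overwrites them. An analyst who knows what the original boot sector looked like can then scan the infected image for a copy of it under any single-byte XOR key. Only the sector count comes from the article; the image size, the backup offset, the XOR key and the single-byte XOR itself are assumptions chosen for illustration (the real malware uses proper encryption and its own on-disk layout).

```python
import random

SECTOR = 512          # bytes per sector
N_SECTORS = 128       # size of the constructed sample image (assumption)
WIPED = 25            # sectors reported trashed by the 2017 variant (article)
BACKUP_AT = 64        # hypothetical sector where the toy ransomware keeps originals
XOR_KEY = 0x37        # hypothetical single-byte obfuscation key

# Stand-in for a malicious bootloader: a jmp-to-self stub padded with zeros.
FAKE_BOOTLOADER = bytes([0xEB, 0xFE]) + bytes(SECTOR * WIPED - 2)


def make_image(seed=1):
    """Constructed sample disk image with deterministic pseudo-random
    contents, so the analyst knows exactly what the original sectors held."""
    rnd = random.Random(seed)
    return bytearray(rnd.getrandbits(8) for _ in range(SECTOR * N_SECTORS))


def ransomware_style(disk):
    """Recoverable variant: read the sectors about to be overwritten, stash
    them obfuscated at BACKUP_AT, then install the bootloader.  Whoever knows
    the offset and the key can undo this."""
    original = bytes(disk[: SECTOR * WIPED])
    stash = bytes(b ^ XOR_KEY for b in original)
    disk[BACKUP_AT * SECTOR : BACKUP_AT * SECTOR + len(stash)] = stash
    disk[: SECTOR * WIPED] = FAKE_BOOTLOADER
    return disk


def wiper_style(disk):
    """Destructive variant: the first WIPED sectors are overwritten and the
    bytes they held are not saved anywhere, so there is no copy to restore."""
    disk[: SECTOR * WIPED] = FAKE_BOOTLOADER
    return disk


def find_original(image, known_sector):
    """Forensic check: does any sector of the post-infection image equal a
    known original sector under some single-byte XOR?  The candidate key is
    derived from the first byte and verified against the whole sector, so
    the scan is a single pass.  Returns (sector_index, key) or None."""
    for idx in range(len(image) // SECTOR):
        chunk = image[idx * SECTOR : (idx + 1) * SECTOR]
        key = chunk[0] ^ known_sector[0]
        if bytes(b ^ key for b in chunk) == known_sector:
            return idx, key
    return None


def restore(image, hit, n_sectors=WIPED):
    """Undo the obfuscation starting at the located stash."""
    idx, key = hit
    start = idx * SECTOR
    return bytes(b ^ key for b in image[start : start + SECTOR * n_sectors])


def classify(post_image, original):
    """'recoverable' if the overwritten sectors can be brought back from a
    copy found on the image, 'irreversible' otherwise."""
    hit = find_original(post_image, bytes(original[:SECTOR]))
    if hit and restore(post_image, hit) == bytes(original[: SECTOR * WIPED]):
        return "recoverable"
    return "irreversible"


if __name__ == "__main__":
    original = bytes(make_image())
    print("2016-style:", classify(ransomware_style(bytearray(original)), original))
    print("2017-style:", classify(wiper_style(bytearray(original)), original))
```

Running the block prints recoverable for the ransomware-style image and irreversible for the wiper-style one. On a real image the same scan, seeded with a known-good boot sector, is how an analyst tells an obfuscated backup apart from genuinely destroyed data; what no scan can do is recover bytes that were never written back anywhere, which is exactly the wiper case the article describes.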
Suiche also suggests this could be an attack by a nation state rather than some mysterious hacker group, and views the ransomware cover as a deliberate attempt to mislead the media narrative. Meanwhile, Kaspersky’s analysis shows that the disks cannot be decrypted even if the payment is made. Even when news of the attack first broke, research firms had warned victims against paying the attackers.
Kaspersky has likewise concluded that this attack is a wiper posing as ransomware. The firm analysed the installation ID shown on a victim’s screen and found that it is simply randomly generated data: it cannot carry the information needed to derive the decryption key, so the attackers could not decrypt a disk even if they wanted to. Like Suiche, Kaspersky believes the goal was destruction, not financial gain.