The latest Petya ransomware/wiper cyber attack has left enterprises and government organisations in Europe and other parts of the world scrambling for recovery. Researchers have shown that Petya’s latest cyber attack is not ransomware but a wiper, which leaves no scope for recovering the data that gets encrypted. Now, according to a report in The Daily Beast, the original creator of the Petya code has resurfaced online and said he is trying to crack the latest version with his own key.
For those who don’t know, Petya as ransomware has been around since 2016. The Daily Beast report points out that the creator of Petya uses the name Janus on Twitter, first surfaced in March 2016, but went silent in December last year. However, the Janus account is now active again and he has put out a tweet about the latest Petya attack.
The tweet reads, “we’re back havin a look in “notpetya” maybe it’s crackable with our privkey #petya @hasherezade sadly missed.” Hasherezade is a security researcher at the firm MalwareBytes who has been tracking him for some time. As the Daily Beast report points out, the tweet is an indicator that Janus was probably not responsible for this particular cyber attack, though it adds that he has never backed away from claims that he created the original Petya ransomware code.
Hasherezade, who is a Poland-based security researcher, also reacted to the latest tweet, saying, “so, my favorite (threat) actor is back :) I was waiting.” She also tweeted raising doubts over whether this was a state-sponsored action. “before you jump into the conclusion that current #Petya is a state-sponsore disruption you must understand Janus. he loves fame,” (sic) is what she wrote on Twitter. The Daily Beast report notes that she has been tracking the Petya code since it was first released in 2016.
Check out the tweets below
so, my favorite (threat) actor is back :) I was waiting
— hasherezade (@hasherezade) June 28, 2017
According to security researchers, Petya is not regular ransomware: unlike the 2016 version of Petya, the aim here was never to make money. Rather, the idea was destruction of data, and researchers have pegged the 2017 attack as a wiper. Essentially, paying the hackers won’t get the data back because there is no way of decrypting the disk.
A report by Symantec has said that Ukraine is the worst affected globally, but when it comes to Asia, India is the worst impacted country. In a separate blog post, MalwareBytes has written that there is evidence the new malware “is heavily influenced and likely developed by the creators of Petya. This malware has indicators and code that matches previous versions of Petya, but with additional functionality.”
The security firm has also analysed the kind of files being targeted by the latest Petya/NotPetya attack, and points out that in some cases these are files that would have been created by developers. The conclusion is that the attackers deliberately went after businesses, especially those working in software development.
On the second day of the cyber attack, companies and governments are still dealing with the full impact, and many enterprises are still locked out of their computers and networks. According to Associated Press, logistics firm FedEx said deliveries by its TNT Express subsidiary have been slowed due to the attack. Ports operated by the Danish shipping giant AP Moller-Maersk also remain impacted. The company’s operations were shuttered in Mumbai, India; Port Elizabeth, New Jersey; and Los Angeles, among others.
With Associated Press inputs