Petya/NotPetya Ransomware: Much Bigger Attack Than WannaCry
The past few days have been quite stressful for cyber security professionals and for the victims of the cyber attack. As most of us know, a massive malware attack took place on Tuesday. It locked the computers of numerous organizations all around the world and paralyzed entire systems. It resulted in monetary and reputational losses for the organizations that went through it. The attack was very intense and took most cyber security professionals by surprise, creating a furor among them.
Many companies all around the world faced several problems. TNT Express, a Dutch courier company, saw its delivery process slow down. The share trading session of FedEx, its parent company, faced a temporary halt due to the attack.
Security researchers were deployed to find a solution. It was soon discovered that the malware was based on Petya ransomware, which overwrites the Master Boot Record (MBR) and Master File Table (MFT) of infected systems in addition to encrypting files. Petya is a conventional ransomware operation: the operators demand money to restore the files back to normal.
Security experts assumed that the crooks running NotPetya were doing so with the objective of making money.
After much research, security experts found that the file encrypting mechanisms of the two malware families are not the same. Apart from that, differences were obvious from the ransom notes: the operators of NotPetya borrowed some of their text from WannaCry ransomware.
Yesterday, Kaspersky's research team tried to find out how NotPetya's operator could use the victim's personal ID to retrieve the information needed for decryption. The ID is generated by a function called CryptGenRandom, so NotPetya's personal ID is a completely random string of symbols that contains no information. It is of no help at all in retrieving the lost data. This means that even if the crooks' email accounts are live, they still won't be able to help the victims restore their systems back to normal.
Yesterday, Matthieu Suiche, a renowned security specialist and founder of Comae Technologies, analyzed the differences between Petya and NotPetya. The purpose of the analysis was to observe how both malware families attack the Master Boot Record of infected hosts. He found that an MBR affected by Petya can possibly be restored if the correct key is provided, which is not possible with NotPetya.
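To make the recovery argument of the two paragraphs above concrete, here is an added toy model written for this article; it is not code from the page, from Kaspersky or Comae, and it is not the malware's real cipher. A keyed reversible scramble stands in for the MBR/MFT encryption, and the two designs differ only in what the ID displayed to the victim contains: a wrapped copy of the key (recoverable by the operator) or unrelated random bytes (unrecoverable by anyone). The names `petya_style`, `notpetya_style`, `operator_secret` and the SHA-256 keystream are constructed for illustration.

```python
import hashlib
import secrets

# Constructed 512-byte stand-in for a boot sector; not real disk data.
SECTOR = bytes(range(256)) * 2

def keystream(key: bytes, length: int) -> bytes:
    """Toy keyed stream (SHA-256 counter mode) standing in for the real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def petya_style(sector: bytes, operator_secret: bytes):
    """Reversible design: the ID shown to the victim is the sector key
    wrapped under a secret that only the operator holds."""
    sector_key = secrets.token_bytes(32)
    scrambled = xor(sector, keystream(sector_key, len(sector)))
    victim_id = xor(sector_key, keystream(operator_secret, 32))
    return scrambled, victim_id

def notpetya_style(sector: bytes):
    """Same scrambling, but the displayed ID is independent random output
    (the CryptGenRandom point above) and the real key is never kept."""
    sector_key = secrets.token_bytes(32)
    scrambled = xor(sector, keystream(sector_key, len(sector)))
    victim_id = secrets.token_bytes(32)  # carries no key material at all
    return scrambled, victim_id

def operator_restore(scrambled, victim_id, operator_secret) -> bytes:
    """All an operator can do with the ID from the note: unwrap it and undo the scramble."""
    candidate_key = xor(victim_id, keystream(operator_secret, 32))
    return xor(scrambled, keystream(candidate_key, len(scrambled)))

def recoverable(model: str) -> bool:
    """True when the operator's restore reproduces the original sector."""
    operator_secret = secrets.token_bytes(32)
    if model == "petya":
        scrambled, victim_id = petya_style(SECTOR, operator_secret)
    else:
        scrambled, victim_id = notpetya_style(SECTOR)
    return operator_restore(scrambled, victim_id, operator_secret) == SECTOR

if __name__ == "__main__":
    print("Petya-style restorable:", recoverable("petya"))        # True
    print("NotPetya-style restorable:", recoverable("notpetya"))  # False
```

The second result is what turns a "ransomware" into a wiper in practice: the key is gone the moment it is used, so payment cannot buy recovery.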
According to Kaspersky and Suiche, NotPetya is not ransomware at all; its sole purpose is to cause as much damage as possible. According to Suiche, the ransomware disguise is nothing more than a hot topic for the media. This theory is supported by the fact that the authors still have $10,000 in their Bitcoin wallet and nobody has even attempted to take out the money, although money is the ultimate goal of ransomware operators. Research is still going on until concrete facts are established.