Originally published at 11:30 EET on June 29, 2017
Note that this article discusses ongoing events, and some information may have changed since publishing.
Developments in the Petya ransomware case are getting more and more interesting. We have covered the case over the last few days as more information has become available. What initially looked like ransomware is starting to look more like malware intentionally designed to destroy data. While the malware goes a long way to look like it wants your money, it now appears there is no mechanism to recover the data once the ransom is paid.
Ransomware is a term used to describe a type of malware that has been steadily gaining popularity. The basic principle is that the malware takes your files hostage by encrypting them in a way that can be reversed. By paying someone – usually by sending Bitcoins or similar cryptocurrencies – the victim receives the information needed to recover the files. It is the digital world's equivalent of taking people hostage and demanding a ransom. The obvious reason for the popularity of this type of attack is the business model behind it. While traditionally similar attacks would mainly cause harm to the target systems and data, ransomware is a potential source of revenue for the party operating it.
With Petya, the author seems to have had a different plan in mind. While the malware looks very similar to regular ransomware, it now looks like the ransom part was never intended to work in the first place. The codes are generated partly at random on the infected system, making it impossible for the party operating the malware to provide recovery keys even if the ransom were paid. The e-mail address that was intended to be the communication channel was also closed at a very early stage. However, it now looks like this was irrelevant to the attacker's plans.
There is a lot of speculation about what the attacker's motivation has been. Since there seems to have been no plan to use the ransom mechanism, the most logical motive would be to intentionally cause damage to systems and disguise it as an attempt to earn money. The fact that Ukraine was hit hard initially could suggest that there was intention behind how the malware was first deployed.
If your organization was hit by the malware, do not pay the ransom, as there is no advantage in doing so! The party that initiated the attack cannot recover the files even if the ransom is paid.
For information on how to protect your systems, see our previous blog post on the topic:
Petya Ransomware – After the Smoke Clears published on June 28, 2017