Ars Technica
Tuesday’s massive ransomware outbreak was, in fact, something much worse Payload delivered in mass attack destroys data, with no hope of recovery.
https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/
Dan Goodin - Jun 28, 2017 8:30 pm UTC
Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data. Further Reading A new ransomware outbreak similar to WCry is shutting down computers worldwide Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data. In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks.... Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak. "The ransomware was a lure for the media,"...Suiche provided the above side-by-side code comparison contrasting Tuesday's payload with a Petya version from last year.... while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that,even if victims obtain the decryption key, restoring their infected disks is impossible. "Petya 2016 modifies the disk in a way where it can actually revert its modification," Suiche told Ars. "Whereas yesterday's one does some permanent damage to the disk." Asked if the recovery made possible by Petya 2016 was related to the master boot record tampering, Suiche pointed to this analysis of the ransomware from researchers at Check Point Software.... Tuesday's malware, by contrast, destroys the 25 first sector blocks of the disk. In Wednesday's blog post, Suiche wrote: The first sector block is being reversibly encoded by XORed with the 0x7 key and saved later in the 34th block....That would mean that 24 sector blocks following the first sector block are being purposely overwritten, they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encode them. Researchers at antivirus provider Kaspersky Lab, in their own blog post published Wednesday, also labeled the previous day's malware a wiper. They confirmed Suiche's finding that the damage was irreversible. In an e-mail, they wrote: Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that, after disk encryption, the threat actor could not decrypt victims' disks. To decrypt a victim's disk, threat actors need the installation ID. In previous versions of "similar" ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery. ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data. Definitely not designed to make money.