Petya, Now Known as NotPetya, is Actually a Wiper Program


A lot has happened in the weeks following the Petya outbreak that caused havoc across Ukraine and parts of Europe. The InfoSec community has made several discoveries about the malware, and they are not good news. Further analysis of the malware’s code revealed that Petya is not ransomware but a wiper program: it is designed to encrypt system files permanently, with no hope of recovery. Because of this realization about the malware’s true nature, media outlets renamed the wiper program NotPetya, ExPetya or EternalPetya.

Security analyst hasherezade checking for the cryptographic algorithm used to encrypt the Master File Table (MFT)

While NotPetya was created from GoldenEye, a variant of the Petya family, it has a number of modifications to its code that place it in the wiper category. These changes include the use of an altered version of the NSA tool EternalBlue to spread the malware within networks. The most important change, however, is how the program handles the Master Boot Record (MBR). The original Petya malware keeps a copy of the encrypted MBR so that the system can be unlocked if the ransom is paid. The new variant does not keep a copy of the MBR, which means that the system cannot be decrypted.
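As an added illustration (not code from the original post or from any of the analyses it cites), here is a small Python check a defender can run against a raw disk image to spot an overwritten MBR: it parses the first sector and compares its boot code and partition table against an out-of-band backup taken while the machine was healthy. The sample MBR bytes are constructed for the example, not taken from a real infection.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0-445 hold the bootstrap code
SIGNATURE = b"\x55\xaa"       # bytes 510-511 must be the boot signature

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into a boot-code hash, partition table and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):                       # four 16-byte partition entries follow the code
        off = BOOT_CODE_SIZE + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                       # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == SIGNATURE,
    }

def check_mbr(current: bytes, backup: bytes) -> list:
    """Compare a live MBR against a trusted offline backup and return the findings."""
    cur, ref = parse_mbr(current), parse_mbr(backup)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from backup")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from backup")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48             # remaining three entries empty
    return code + table + SIGNATURE

# Constructed: a known-good backup versus a live sector whose boot code was replaced.
BACKUP_MBR = build_sample_mbr(b"\xeb\x63\x90 legitimate loader")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x63\x90 replaced loader")
```

On a real system the backup would be taken with a tool such as `dd` from the first 512 bytes of the boot disk and stored off the host; a hit on "boot code differs from backup" is the signal to restore that copy rather than trust whatever now boots.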

It is still unknown whether this was a mistake on the author’s part or done on purpose. If it was done on purpose, it would lend credibility to the theory that the attack was not financially motivated but state-sponsored, as some have claimed. Regardless of the author’s intentions, some opportunists are taking advantage of the confusion to make a profit. Fake ransom notes have appeared on the Deep Web demanding payment to decrypt files encrypted by ExPetya. Given the analysis of the code so far, paying is not advised, since the malware does not have the capability to decrypt the system.
