Following the spread of Petya, which was initially thought to be ransomware, security analysts have a theory that Petya might not be a virus after all but a cyber attack against Ukraine.
According to a report by Kaspersky, the virus appeared to primarily target Ukraine, paralyzing major infrastructure in the country, including the country’s central bank, the state telco, an airport and one electricity supplier.
— Securelist (@Securelist) June 27, 2017
Those unfortunate enough to be infected by Petya were required to pay $300 in ransom to get their files back. However, it was revealed that there was no way of actually getting the files back, even after paying the ransom. This led security analysts to dive deeper into the Petya code to understand what was going on.
Matt Suiche, founder of the cybersecurity firm Comae, said that after analyzing the virus his team determined it was a “wiper,” not ransomware. Matt claims that the current version of Petya was rewritten to be a wiper rather than actual ransomware. “We noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk,” wrote Matt in a blog post.
This means that Petya, or “NotPetya”, was modified to completely wipe a disk as opposed to encrypting it and demanding a ransom.
To support this claim, it was revealed that the email address that had been given for payments was no longer active.
Victims keep sending money to Petya, but will not get their files back: No way to contact the attackers, as their email address was killed. pic.twitter.com/68vxThNIPM
— Mikko Hypponen (@mikko) June 28, 2017
Kaspersky also supports the claims that Petya is actually a wiper and not ransomware:
— Kaspersky Lab (@kaspersky) June 27, 2017
Matt believes that Petya’s disguise as ransomware was meant to control the media narrative, making it look as though a hacker group was behind the attack with the aim of making money, as opposed to a “cyber attack” against a nation.
The Verge points out that evidence shows the perpetrator could actually be Russia. “The broader political context makes Russia a viable suspect. Russia has been engaged in active military interventions in Ukraine since former president Viktor Yanukovych was removed from power in 2014.” The Verge goes on to mention that there could be a link between the Petya attack and the killing of Ukrainian colonel Maksim Shapoval in a car bomb on the same day the virus appeared.
However, there is a group of people who believe that Petya is nothing more than ransomware. They argue that the claim that Petya destroys the Windows Master Boot Record (MBR – a boot sector on your hard disk that holds information about the partitions of your hard drive and acts as a loader for the operating system) is false, since Windows has about 2048 free sectors following the MBR and thus the 24 deleted sectors are actually empty, which would make it possible to reverse the encryption process.
Claim that Petya destroys MBR seems wrong. Windows has between 62 and 2048 free sectors following the MBR, so the 24 overwritten are empty. pic.twitter.com/uq7DbSDi6j
— MalwareTech (@MalwareTechBlog) June 28, 2017
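The sector arithmetic behind this disagreement can be checked directly on a disk image. The block below is an added example for this article, not code from the article or from any of the analysts quoted: it parses the MBR partition table in sector 0, measures the gap between the MBR and the first partition, and reports what an overwrite of the first N sectors would hit. The disk images are constructed inline; partition start LBAs of 2048 and 63 are assumptions chosen to match the 2048 and 62 free-sector figures mentioned above, and the 0xAB fill standing in for file-system data is likewise constructed.

```python
"""Measure what an overwrite of the first N disk sectors would destroy.

Added example, not code from the article or the analysts it quotes. The disk
images are constructed inline; the partition layouts are assumptions.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> dict:
    """Parse a 512-byte MBR: four 16-byte partition entries at offset 446,
    followed by the 0x55AA boot signature at offset 510."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": num_sectors})
    return {"signature_ok": sector0[510:512] == MBR_SIGNATURE,
            "partitions": partitions}


def gap_before_first_partition(mbr: dict) -> int:
    """Sectors between the MBR (sector 0) and the first partition: the
    'free sectors following the MBR' that the article's debate is about."""
    if not mbr["partitions"]:
        return 0
    return min(p["lba_start"] for p in mbr["partitions"]) - 1


def wipe_impact(image: bytes, first_n: int) -> dict:
    """Report what overwriting sectors 0..first_n-1 would destroy: the MBR
    itself, only zero-filled gap sectors, or sectors holding non-zero data."""
    mbr = parse_mbr(image[:SECTOR])
    gap = gap_before_first_partition(mbr)
    nonzero = [i for i in range(1, first_n)
               if any(image[i * SECTOR:(i + 1) * SECTOR])]
    return {
        "mbr_in_range": first_n >= 1,          # sector 0 = partition table
        "gap_sectors": gap,
        "range_fits_in_gap": first_n - 1 <= gap,  # sectors 1..first_n-1
        "nonzero_sectors_hit": nonzero,
        "partition_data_hit": first_n - 1 > gap,
    }


def build_sample_image(first_partition_lba: int, total_sectors: int) -> bytes:
    """Constructed disk image: MBR in sector 0, zero-filled gap, then one NTFS
    (type 0x07) partition filling the rest of the disk."""
    assert 1 < first_partition_lba < total_sectors
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xeb\xfe"  # constructed stand-in for boot code (jmp $)
    part_sectors = total_sectors - first_partition_lba
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\xff\xff\xff", 0x07,
                               b"\xff\xff\xff", first_partition_lba, part_sectors)
    mbr[510:512] = MBR_SIGNATURE
    gap = bytes(SECTOR * (first_partition_lba - 1))
    partition = bytes([0xAB]) * (SECTOR * part_sectors)  # constructed fs data
    return bytes(mbr) + gap + partition


if __name__ == "__main__":
    # The two layouts named in the text: modern 2048-sector alignment and the
    # classic CHS layout with the first partition at LBA 63 (62 free sectors).
    for lba, total in ((2048, 2100), (63, 200)):
        image = build_sample_image(lba, total)
        print(f"first partition at LBA {lba}:", wipe_impact(image, 25))
```

The report separates three questions that the tweets above run together: whether sector 0 (the partition table and boot code) lies in the overwritten range, whether the rest of the range stays inside the gap before the first partition, and whether any sector in that range actually held non-zero bytes. Running the same check against an image taken from an affected disk, before any restore attempt, tells a responder which of those three applies to that machine.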
Outside Ukraine, a number of large corporations have publicly announced that their systems were infected, among them FedEx Dutch, Maersk and the WPP marketing agency in London. Closer to home, there have been reports that the virus has hit some companies in South Africa.