Petya/NotPetya ransomware deletes data? No, it’s something different

Petna/NotPetya poses more riddles for IT experts

Petya/NotPetya is not a data wiper as some may think

As after the WannaCry outbreak, the world now has to work out how to recover from the Petya/ExPetr/NotPetya attack. Although the attack was reported to be smaller in scale than WannaCry, its consequences are proving more severe. Security researchers soon produced a decryption tool for WannaCry (one that only works if the infected machine has not been rebooted since the infection), but NotPetya victims are unlikely to get such a chance.

New facts uncovered

On June 27, 2017, the world was struck by malware that at first looked like another version of Petya[1]. Further analysis revealed that:

  • the malware, dubbed NotPetya/Petya.A/Petrwrap, is a variant of Petya whose code has been largely rewritten
  • it replaces the boot code of the system disk so that its own code runs instead of Windows
  • it spreads through the same SMB vulnerability that WannaCry exploited (the one patched by MS17-010), among other methods
  • it demands 300 USD in ransom, payable in bitcoin
  • it does not assign a usable ID to an affected computer

Although the code may differ substantially, the malware behaves much like the original Petya: it overwrites the master boot record so that its own boot code runs in place of Windows, and that code encrypts the master file table while showing a fake disk-check screen. The files themselves are still on disk, but without the MFT the file system cannot find them.
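One practical check that follows from this behaviour is to compare sector 0 of the system disk against a known-good fingerprint of its boot code. The script below is an added example written for this page, not code from the article or from any vendor tool; the device path, the baseline hash and the sample sector contents are constructed for illustration. It fingerprints only the 440-byte boot-code region (the disk signature and partition table legitimately differ between machines), checks the 0x55AA boot signature and performs basic sanity checks on the partition table.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code, the region Petya-style malware replaces
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw block device (needs administrator/root).

    device_path is an assumption for illustration, e.g. r"\\.\PhysicalDrive0"
    on Windows or "/dev/sda" on Linux.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot-code region only.

    The disk signature and partition table are excluded on purpose: they differ
    between machines without being suspicious, whereas the boot code written by
    a given Windows version is constant.
    """
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR looks untouched."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append(f"unexpected sector length {len(sector)}")
        return findings
    if sector[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot code differs from known-good baseline")

    active = 0
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
        if status == 0x80:
            active += 1
        if ptype != 0 and sectors == 0:
            findings.append(f"partition {i}: type {ptype:#04x} with zero length")
    if active > 1:
        findings.append(f"{active} partitions flagged active (expected at most 1)")
    return findings


# --- Constructed sample data (not taken from any real disk) -----------------
def _partition_entry(status, ptype, lba_start, sectors):
    # CHS fields are zeroed; modern boot code uses the LBA fields.
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

CLEAN_BOOT_CODE = bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_LEN))
CLEAN_MBR = (
    CLEAN_BOOT_CODE
    + b"\x12\x34\x56\x78"                            # disk signature (machine-specific)
    + b"\x00\x00"                                    # reserved
    + _partition_entry(0x80, 0x07, 2048, 1_000_000)  # one bootable NTFS partition
    + _partition_entry(0x00, 0x00, 0, 0) * 3         # three empty entries
    + MBR_SIGNATURE
)
BASELINE = boot_code_fingerprint(CLEAN_MBR)   # would be recorded on a known-clean machine

# Same disk, but a different 440-byte boot code has been written to sector 0.
TAMPERED_MBR = bytes(0x90 for _ in range(BOOT_CODE_LEN)) + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline must be recorded from a known-clean machine running the same Windows version, since different versions ship different boot code. If the check reports that the boot code has changed, the machine should not be rebooted: with Petya-style malware the damage to the file table happens only after the next boot, so imaging the disk first preserves the files.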

Furthermore, an earlier report suggested that the malware eventually deletes victims' files.[2] That reading was soon disputed: the malware does not delete files outright, but it turned out to be a destructive cyber attack rather than functioning ransomware. Neither the original Petya nor the new variant communicates with a command-and-control server.

Nor does the malware assign a usable identification code to a victimized device: the "installation key" shown on the ransom screen is random data with no relation to the encryption key.[3] Without that link, even the attackers could not hand a victim the matching decryption key. Victims of NotPetya should therefore not consider paying, all the more so because the attackers' contact e-mail address has been shut down by its provider.

The source of infection lies in Ukraine

Although the threat infected dozens of international corporations worldwide, it showed a clear preference for Ukraine, which has lately been a frequent target of cyber attacks.

The reports point to an astonishing origin: the initial spread of NotPetya/Petna/Petya.A traces back to M.E.Doc, a Ukrainian tax and accounting software package. Researchers say they have evidence that the attackers compromised the vendor's systems and tampered with its software update mechanism.[4]

As a result, any customer that installed the tainted update through the vendor's own update channel was infected, with no exploit of a software flaw on the customer's side needed: trusting a vendor's updates means trusting the vendor's entire build and distribution infrastructure.

Newly discovered characteristics suggest that this malware may be the peak of a broader politically motivated cyber campaign against Ukraine. Note that shortly after WannaCry came to light, the XData malware inflicted greater damage in Ukraine than WannaCry had.

Since its emergence, astounding facts have been uncovered; hopefully, further analysis will not only reveal more but will also show how to curb the infection for good.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
