New Petya – Not Ransomware
In the last few days a new outbreak of what was reported as Petya ransomware hit organisations in Russia, Ukraine, France, India, the United States and elsewhere, demanding $300 in Bitcoin to recover the encrypted files.
On closer analysis the malware has no working way of recovering those files. It is a wiper dressed up as ransomware, built to destroy the system outright rather than to hold it for sale.
What is the difference between a wiper and ransomware?
The difference is one of intent and of what the code actually makes possible. Ransomware encrypts data and holds the key for sale; the operator wants to be paid, so the code is written so that the files can be decrypted once the ransom arrives. A wiper sets out to destroy data and leave the machine unusable; any ransom note it shows is theatre, because no recovery path exists.
New Petya ransomware
Matt Suiche, founder of Comae Technologies, concluded after analysing the malware's disk operations that this Petya variant is a wiper rather than ransomware.
Like the 2016 Petya, the new variant does not encrypt files one by one. It encrypts the NTFS master file table (MFT), the structure that records the name, size and on-disk location of every file, and replaces the master boot record (MBR) with its own boot code that displays the ransom note. Encrypting the MFT denies access to the whole volume at once even though the file contents still sit on the disk. The 2016 Petya kept an encoded copy of the original MBR elsewhere on the disk so that a paying victim's key could put it back. The new Petya keeps no such copy and overwrites the first sectors of the disk permanently, so nothing the attacker could send afterwards would restore a bootable system. Kaspersky separately found that the "installation key" shown in the ransom note is random data, so the attacker could not derive a victim's decryption key from it even in principle.
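To make the reversible-versus-irreversible distinction concrete, here is a small simulation added to this article; it is not code from the malware or from Comae's analysis. It models a disk as an array of 512-byte sectors, performs a 2016-style takeover that stashes an encoded copy of the MBR before replacing it, a 2017-style takeover that keeps no copy, and then runs the check a decryptor would need: find a sector that decodes to a valid boot sector and write it back. The backup sector number, the XOR encoding, the size of the destroyed region and the disk contents are illustrative assumptions, not the malware's real layout.

```python
"""Simulated disk: reversible (2016 Petya style) versus irreversible
(2017 NotPetya style) MBR takeover. Pure simulation on a bytearray;
no real boot code, and no real device is touched."""

SECTOR = 512
BOOT_SIG = b"\x55\xaa"      # a valid MBR ends with this signature
BACKUP_SECTOR = 34          # illustrative slot for the encoded MBR copy (assumption)
XOR_KEY = 0x07              # illustrative trivial reversible encoding (assumption)
WIPED_SECTORS = 25          # illustrative size of the destroyed region (assumption)

# Constructed stand-in for the malicious loader that boots into the ransom note.
RANSOM_LOADER = b"FAKE-RANSOM-NOTE-LOADER".ljust(510, b"\x00") + BOOT_SIG


def fresh_disk(sectors: int = 64) -> bytearray:
    """Constructed sample disk: a fake but well-formed MBR, rest zero-filled."""
    disk = bytearray(sectors * SECTOR)
    disk[0:SECTOR] = b"ORIGINAL-BOOT-CODE".ljust(510, b"\x90") + BOOT_SIG
    return disk


def sector(disk: bytearray, n: int) -> bytes:
    return bytes(disk[n * SECTOR:(n + 1) * SECTOR])


def write_sector(disk: bytearray, n: int, data: bytes) -> None:
    if len(data) != SECTOR:
        raise ValueError("sector writes must be exactly one sector")
    disk[n * SECTOR:(n + 1) * SECTOR] = data


def has_boot_signature(disk: bytearray) -> bool:
    """True if sector 0 looks bootable; both takeovers leave it that way."""
    return sector(disk, 0)[510:512] == BOOT_SIG


def reversible_takeover(disk: bytearray) -> None:
    """2016 style: stash an encoded copy of the real MBR, then replace it."""
    encoded = bytes(b ^ XOR_KEY for b in sector(disk, 0))
    write_sector(disk, BACKUP_SECTOR, encoded)
    write_sector(disk, 0, RANSOM_LOADER)


def destructive_takeover(disk: bytearray) -> None:
    """2017 style: replace the MBR and destroy the sectors after it, keeping no copy."""
    write_sector(disk, 0, RANSOM_LOADER)
    for n in range(1, WIPED_SECTORS):
        write_sector(disk, n, bytes(SECTOR))   # zero-filled stands in for "overwritten"


def find_encoded_copy(disk: bytearray):
    """Forensic check: scan for a sector that decodes to a valid boot sector.

    Returns the sector number or None. A responder would run this kind of
    check on an image before believing any "pay and we restore your MBR" promise."""
    for n in range(1, len(disk) // SECTOR):
        decoded = bytes(b ^ XOR_KEY for b in sector(disk, n))
        if decoded[510:512] == BOOT_SIG:
            return n
    return None


def try_restore(disk: bytearray) -> bool:
    """What a decryptor would have to do: find the copy and write it back."""
    n = find_encoded_copy(disk)
    if n is None:
        return False            # nothing to restore; no key changes that
    write_sector(disk, 0, bytes(b ^ XOR_KEY for b in sector(disk, n)))
    return True


if __name__ == "__main__":
    for name, takeover in (("reversible", reversible_takeover),
                           ("destructive", destructive_takeover)):
        d = fresh_disk()
        original = sector(d, 0)
        takeover(d)
        print(f"{name}: bootable={has_boot_signature(d)} "
              f"copy_at={find_encoded_copy(d)} restored={try_restore(d)} "
              f"mbr_back={sector(d, 0) == original}")
```

The point of has_boot_signature() is that both variants leave a disk that looks bootable: the malicious loader carries a valid signature and boots straight into the ransom note, so the boot screen tells you nothing about recoverability. Only the scan for a decodable copy separates the two cases, and that is the kind of test a responder should run on a disk image before anyone considers paying.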
Email address not reachable for payment
The attacker's contact address, hosted by the German email provider Posteo, was suspended once the outbreak became public. The ransom note told victims to email proof of payment and their installation key to that address, so with it gone there is no channel through which a key could even be requested, and paying the $300 offers no prospect of recovering any files.
It is widely suspected that the primary target was Ukraine, where many entities were hit, including the Kiev metro, Kiev's Boryspil airport, an electricity supplier, the central bank and the state telecom.
Other countries affected by the ransomware include Russia, France, Spain, India, China, USA, Brazil, Chile, Argentina, Turkey and South Korea.
Do not pay the ransom. There is no working decryption path, so payment will not recover any of the encrypted files or documents.
The "zero day" framing is misleading: the SMB vulnerability this outbreak exploited to spread inside networks, MS17-010, had been patched by Microsoft in March 2017, three months earlier. Apply vendor patches promptly and keep tested, offline backups, because with a wiper like this one a backup is the only recovery path.