Recent 'NotPetya' attacks might not be ransomware at all

The hackers sure don't seem like they expect to make money from them.


Mariella Moon
June 29, 2017 3:02 AM
Getty Images/iStockphoto

The companies and agencies hit by a cyberattack in Ukraine, Russia, the US, parts of Europe, Asia and Australia might never be able to recover their data. See, some security researchers, including Kaspersky Lab, believe that the malware that invaded those computers was only masquerading as ransomware in order to lure the media into covering it as a follow-up to the WannaCry incidents. While its developers painstakingly tried to make it look like ransomware, the researchers say it's actually what you call a "wiper," since it overwrites parts that a disk needs to run. It doesn't encrypt those parts in a way that would let you regain access to them after you pay -- it just completely erases them.

In addition, they found that the developers intentionally made it hard for victims to pay. First, they used a single Bitcoin address to receive payments. You'd think criminals expecting to get a lot of money from their victims would use several Bitcoin wallets to make processing a lot faster. They also required victims to email them with a long string of characters that they have to manually type if they want to access their PCs again. The kicker? The email address doesn't even work anymore*.

That's probably for the best, because as the researchers said, there's no hope of getting their data back even if they pay. However, there seems to be some disagreement about the true nature of the malware -- now dubbed PetyaWrap, NotPetya and ExPetr, because it's obvious at this point that it's not the same Petya ransomware that was first seen in 2016.

MalwareTech disagrees with the assessment that it was intended to be a wiper, since it only destroys the first 25 sectors of the disk. Those sectors are essential, but they're also apparently empty in any standard Windows installation. It's a bit hard to believe the cyber criminals didn't know that. The security researcher agrees, though, that the hackers never intended to make money with their creation.


The questions that must be plaguing everyone's minds now are "Who did it?" and "Why?" We still don't have answers to those, but Ukrainian cybersecurity firms and government agencies think what happened was a state-sponsored cyberattack meant to wreak havoc on Ukrainian institutions. When asked whether he believes that the state sponsor is Russia, Roman Boyarchuk, the Center for Cyber Protection chief in Ukraine, replied: "It's difficult to imagine anyone else would want to do this."

*Update: We were told the email address doesn't work, because the provider shut it down.
