Recent 'NotPetya' attacks might not be ransomware at all

The hackers sure don't seem like they expect to make money from them.

Getty Images/iStockphoto

The companies and agencies hit by a cyberattack in the Ukraine, Russia, the US, parts of Europe, Asia and Australia might never be able to recover their data. See, some security researchers, including Kaspersky Lab, believe that the malware that invaded those computers was only masquerading as ransomware in order to lure the media into covering it as a follow-up to the WannaCry incidents. While its developers painstakingly tried to make it look like ransomware, the researchers say it's actually what you call a "wiper," since it overwrites parts that a disk needs to run. It doesn't encrypt those parts, so you can regain access to them after you pay -- it just completely erases them.

In addition, they found that the developers intentionally made it hard for victims to pay. First, they used a single Bitcoin address to receive payments. You'd think criminals expecting to get a lot of money from their victims would use several Bitcoin wallets to make processing a lot faster. They also required victims to email them with a long string of characters that they have to manually type if they want to access their PCs again. The kicker? The email address doesn't even work anymore*.

That's probably for the best, because as the researchers said, there's no hope of getting their data back even if they pay. However, there seems to be some disagreement when it comes to the malware's -- dubbed PetyaWrap, NotPetya and ExPetr, because it's now obvious that it's not the same Petya ransomware that was first seen in 2016 -- true nature.

MalwareTech disagrees with the assessment that it was intended to be a wiper, since it only destroys the first 25 sectors of the disk. Those sectors are essential, but they're also apparently empty in any standard Windows installation. It's a bit hard to believe the cyber criminals didn't know that. The security researcher agrees, though, that the hackers never intended to make money with their creation:

The questions that must plaguing everyone's minds now are "Who did it?" and "Why?" We still don't have an answer to that, but Ukrainian cybersecurity firms and government agencies think what happened was a state-sponsored cyberattack meant to wreak havoc on Ukrainian institutions. When asked whether he believes that the state sponsor is Russia, Roman Boyarchuk, the Center for Cyber Protection chief in Ukraine, replied: "It's difficult to imagine anyone else would want to do this."

*Update: We were told the email address doesn't work, because the provider shut it down.