So it turns out the NotPetya ransomware is actually trashing users’ systems

This is not good.

Is ransomware still ransomware if its goal is purely to destroy?

This is less if-a-tree-falls hypothetical and more sobering reality for the untold number of people across the globe whose computer systems have been infected with the NotPetya ransomware. That’s because the latest digital scourge to cripple computer networks in 65 countries (and counting) doesn’t fit the typical ransomware mold.

Instead of just encrypting users’ files and holding those files ransom, NotPetya appears to do permanent damage to computer systems.

Security researcher Matt Suiche lays out the bad news in a blog post for cybersecurity firm Comae Technologies. He notes that while an earlier version of Petya, from which NotPetya gets its name, technically allowed for the decryption of files, NotPetya doesn’t.

"2016 Petya modifies the disk in a way where it can actually revert its changes," writes Suiche. "Whereas, 2017 Petya does permanent and irreversible damages to the disk."

Image: Comae Technologies

Code of NotPetya on the left reportedly includes wiper code lacking in the 2016 Petya code on the right.

Suiche goes on to call NotPetya a "wiper," and explains the difference between a wiper and ransomware.

"The goal of a wiper is to destroy and damage," notes Suiche. "The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as [restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays] — a wiper would simply destroy and exclude possibilities of restoration."

So, if the motive for the malicious code is not profit via a Bitcoin ransom, what could it be? While at this point it’s pure speculation, the growing consensus among a host of security experts is that the attack was not launched by cybercriminals in the traditional sense.

Agreed, this is starting to look like "Fuck with Ukraine" disguised as ransomware.

— Nicholas Weaver (@ncweaver) June 27, 2017

However, not everyone agrees with Suiche’s findings. The (now famous) security researcher who discovered the WannaCry kill switch, Marcus Hutchins, takes issue with Suiche’s claim that "the current version of Petya clearly got rewritten to be a wiper and not a[n] actual ransomware."

I do believe the purpose behind Petya was to cause disruption not make money, but the claims of intentional MBR destruction are false.

— MalwareTech (@MalwareTechBlog) June 28, 2017

But even if the intent hadn’t been to destroy, there’s almost zero chance those affected by NotPetya could get their data back by paying the $300-worth-of-Bitcoin ransom for a decryption key. That’s because the email used to coordinate ransom payments was disabled by the email service provider.

In other words, Suiche’s findings reveal a bad situation to be even worse. And, if his discovery portends a new type of ransomware-disguised wipers, the news just went from worse to downright awful.
