Petya the destroyer: Wiper attack in disguise is really out to kill data

29 Jun 2017

Petya, or GoldenEye as it is also known, is a ruse. Even if you pay up, your data is already gone.

Researchers from leading infosec firms have arrived at the same conclusion: the ransomware attack that goes by the labels Petya and GoldenEye is really out to destroy systems.

The attack, a nastier derivative of the WannaCry ransomware that hit more than 300,000 systems worldwide last month, has spread to more than 64 countries and has affected more than 2,000 major organisations with precision, from the port of Mumbai to Kiev’s main airport; from Ukraine’s biggest bank to Russia’s top oil firm, to name a few.

The latest malware has been given various titles, with some sticking to the original Petya and others referring to the latest variant as GoldenEye, ExPetr or NotPetya. It is increasingly being referred to as simply Petya in the media.

Researchers from Comae Technologies and Kaspersky Lab have discovered that Petya is not a ransomware attack, even though it demands that victims pay €300 in bitcoin for access to their files. They believe it is a devastating cyberattack that has no intention of returning access to files.

So, another good reason not to pay up.

Petya is out to destroy

The malware employs the same EternalBlue exploit used by WannaCry to spread quickly between systems.

However, Petya is really only disguised as ransomware, and the so-called ‘installation key’ dangled before victims on the ransom screen is randomised data.

Matt Suiche, co-founder of Comae Technologies, said that Petya is not ransomware, but what is known in hacker circles as a ‘wiper’.

He explained: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification, such as restoring the master boot record like in the 2016 Petya, or decrypting files if the victim pays. A wiper would simply destroy and exclude possibilities of restoration.”

Suiche studied the earliest victims of the attack and found they had no hope of regaining access to their systems if they paid up.

“After comparing both implementations, we noticed that the current implemented [malware] that massively infected multiple entities [in] Ukraine was in fact a wiper, which just trashed the 25 first sector blocks of the disk.”

Anton Ivanov and Orkhan Mamedov of Kaspersky Lab have arrived at the same conclusion.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

So, those who paid up were duped.

“What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom, they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” Ivanov and Mamedov concluded.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
