Here are three things to know.
1. In its analysis, Kaspersky Lab compared the ‘installation ID’ that the Petya code displays to victims with the equivalent value in earlier, similar ransomware. In a working ransomware scheme, that ID carries the information the attacker needs to reconstruct the decryption key and recover the target’s files. In the 2017 Petya, however, the installation ID is randomly generated and carries no such information, so there is nothing for the attacker to recover even if a victim pays.
“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made,” Kaspersky Lab researchers determined.
2. Comae Technologies, another cybersecurity firm, concluded that Petya deliberately destroys data under the guise of encryption. Its researchers found that the 2017 sample is built on the 2016 Petya ransomware, whose changes to the disk could be reversed once the victim obtained the key. The 2017 version instead overwrites disk sectors without saving their original contents, so no key could undo the damage.
“2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk,” Comae Technologies researchers concluded. “[W]e can see the current version of Petya clearly got rewritten to be a wiper and not [an] actual ransomware.”
3. Comae Technologies researchers also emphasized that the email address the attackers gave targets for ransom payments is no longer accessible, so even a paying victim had no way to contact them. This, they argued, suggests the Petya attack was not financially motivated. “The goal of a wiper is to destroy and damage,” they wrote. “The goal of a ransomware is to make money.”
In their independent analysis, Kaspersky Lab researchers agreed, stating their finding “reinforces the theory that the main goal of the [Petya] attack was not financially motivated, but destructive.”
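To make the two findings concrete, here is an added illustration (it is not code from the page, from Kaspersky Lab or from Comae Technologies, and it does not reproduce Petya’s real routines). It models a small disk as a list of sectors and contrasts a recoverable ransomware design, in which the installation ID shown to the victim is the per-victim key wrapped for the attacker and the original boot sector is saved before being replaced, with a wiper that shows a random ID, overwrites the boot sector with nothing saved, and discards the key it encrypted with. The sector layout, the HMAC-based toy stream cipher and the symmetric “master key” (a stand-in for public-key wrapping) are assumptions chosen for this example.

```python
"""Toy model of recoverable ransomware vs. a wiper (added example, not Petya code)."""
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512
N_SECTORS = 8
BACKUP_SECTOR = N_SECTORS - 1   # assumed spare sector where the reversible variant stashes the MBR

# Assumed stand-in for the attacker's private key. Real ransomware wraps the
# per-victim key with the attacker's public key; a shared secret keeps the
# example to the standard library only.
ATTACKER_MASTER_KEY = b"example attacker master key - not a real key"


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for the illustration."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores the data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_disk() -> list:
    """Constructed sample disk: sector 0 is a recognisable boot record,
    sectors 1..N-2 hold user data, the last sector is unused."""
    disk = [b"MBR:" + bytes(SECTOR_SIZE - 4)]
    for i in range(1, BACKUP_SECTOR):
        disk.append(f"sector {i} data ".encode().ljust(SECTOR_SIZE, b"."))
    disk.append(bytes(SECTOR_SIZE))
    return disk


def infect_ransomware(disk: list) -> str:
    """2016-style, reversible: save the MBR, encrypt data with a per-victim key,
    and hand the victim that key wrapped for the attacker as the installation ID."""
    victim_key = secrets.token_bytes(32)
    disk[BACKUP_SECTOR] = xor_crypt(victim_key, disk[0])   # copy of the MBR survives
    disk[0] = b"PAY:" + bytes(SECTOR_SIZE - 4)              # ransom-note boot record
    for i in range(1, BACKUP_SECTOR):
        disk[i] = xor_crypt(victim_key, disk[i])
    return xor_crypt(ATTACKER_MASTER_KEY, victim_key).hex()  # ID carries the key


def infect_wiper(disk: list) -> str:
    """2017-style, irreversible: overwrite the MBR with nothing saved, encrypt
    data with a key that is then discarded, and show an ID that is pure noise."""
    throwaway_key = secrets.token_bytes(32)
    disk[0] = secrets.token_bytes(SECTOR_SIZE)               # original MBR is gone
    for i in range(1, N_SECTORS):
        disk[i] = xor_crypt(throwaway_key, disk[i])
    del throwaway_key                                         # nobody keeps the key
    return secrets.token_bytes(32).hex()                      # unrelated to any key


def attacker_recover(disk: list, installation_id: str) -> bool:
    """What the attacker could do after payment: unwrap the key from the ID,
    decrypt the data sectors and put the saved MBR back. Returns False when
    the ID yields no usable key, which is the wiper case."""
    victim_key = xor_crypt(ATTACKER_MASTER_KEY, bytes.fromhex(installation_id))
    restored = [xor_crypt(victim_key, disk[BACKUP_SECTOR])]
    restored += [xor_crypt(victim_key, disk[i]) for i in range(1, BACKUP_SECTOR)]
    if restored[0][:4] != b"MBR:":          # wrong key: the "MBR" is garbage
        return False
    disk[:BACKUP_SECTOR] = restored
    return True


if __name__ == "__main__":
    ransomed = make_disk()
    print("ransomware recoverable:", attacker_recover(ransomed, infect_ransomware(ransomed)))
    wiped = make_disk()
    print("wiper recoverable:     ", attacker_recover(wiped, infect_wiper(wiped)))
```

In the ransomware branch the attacker’s recovery succeeds because the installation ID is a function of the victim’s key and the original boot sector was preserved; in the wiper branch the same recovery routine has nothing to work with, because the ID is random and the boot sector was never saved, which is exactly why payment cannot restore a Petya-2017 victim’s disk.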