The Tuesday's devastating global malware outbreak caused by Petya.2017 wasn't a ransomware infection. New Petya is a wiper, not a ransomware, even though it displays the message asking for ransom, wrote thehackernews.com, quoting the analysis of this piece of malware.
Even if a victim pays the ransom, there's no way to recover the files. Researchers from Kaspersky confirmed it as well.
"We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," reapresentatives of the security firm said.
It's sad, but that's that: the new Petya malware, which infected computers in various countries, including France, Russia, India, Ukraine, and the USA on Tuesday and demands $300 ransom, is not able to restore the files at all.
The virus was designed to look like ransomware, but in fact it is a wiper malware, according to analysis. It wipes out everything on the victims' computers and destroys all the records from the systems under attack.
Petya does not encrypt files on a targeted system one by one - it reboots a victim's computer and encrypts the hard drive's master file table (MFT), restricting access to the full system by seizing information about file names, sizes, and location on the physical disk. It renders the master boot record (MBR) inoperable. After this, Petya replaces an encrypted copy of MBR with its own malicious code, which displays a ransom note.
Since this new variant of Petya doesn't keep a copy of the victim's MBR, the infected computers are unable to boot even if the victim pays the ransom and gets the decryption keys.
After infecting one machine, Petya quickly infects all other machines in the local network by means of EternalBlue SMB exploit, WMIC and PSEXEC tools.
Some researchers claim that this new variant of Petya is a destructive malware, which was designed to disrupt and shut down services around the world.
The virus actively targeted numerous entities in Ukraine, including the central bank, the country capital's underground, Boryspil airport near Kiev, the state telecom and a major electricity supplier.
Among other countries infected by Petya are Spain,Russia, India, France, the United States, China, Brazil, Argentina, Chile, South Korea and Turkey.
According to research conducted by Talos Intelligence, a Ukrainian firm called MeDoc, developer of a tax accounting system called MeDoc, is likely to be the source of the global Tuesday's outbreak.
Researchers said that probably the virus was spread via a malicious software update to that tax accounting system; however, MeDoc company denied this in their Facebook post.
However, several security researchers claim that the virus was spread via updates, because MeDoc system was breached.