Yesterday morning, a new and nasty piece of ransomware dubbed Petya began spreading across the globe. Based on an exploit that was also used during the WannaCry ransomware attack, Petya locked down machines and demanded payment in the form of $300 worth of Bitcoin. As Petya began to spread worldwide, reports surfaced indicating that it had already impacted IT systems at companies such as Merck, Oreo and other large corporations.
Now that security researchers have had more time to evaluate Petya, it appears as if the ransomware aspect of the attack may have simply been a bit of clever misdirection. As we covered earlier today, this theory was first brought to the forefront via a security researcher Nicholas Weaver who told KrebsOnSecurity that Petya was likely a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”
Corroborating this theory, a new security report from Matt Suiche of Comae Technologies reveals that the most up to date version of Petya is not really ransomware, but rather a piece of software designed to destroy information. If anything, the demand for payment via Bitcoin was simply used to mask the malware’s true intention.
We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.
Lately, the number of attacks against Ukraine increased from Power Grids being shut down to the car a top military intelligence officer exploding yesterday — the day Petya.2017 infected Ukraine.
Even if victims of Petya opt to pay out the requested $300, it appears that it’s impossible for any of the files to be recovered. Not only that, but the email address used by the hackers was shut down by a German provider, which is to say that victims are completely stranded and out of luck. As it stands now, it’s believed that victims have paid out upwards of $10,000 to the hackers.