We are all familiar with the infamous Petya ransomware that has caused havoc with its attacks on popular organizations across several countries, including Russia, Ukraine, France, India and the United States.
According to available statistics, the Petya ransomware attacks have caused economic losses of several million dollars, loss of confidential business information, loss of personally identifiable information belonging to many clients, and disruption of business operations. Once a system is infected, the malware wipes out the data stored on it with no intention of ever restoring that sensitive data.
Thus, even if victims pay the demanded ransom and obtain the decryption keys, there is no way of getting their data back.
Security researchers were able to contain the infection of the Petya ransomware by suspending the email address that the attackers behind the malware had set up to communicate with victims. Other affected countries include Spain, China, Brazil, Chile, Argentina, Turkey and South Korea.
The Petya malware worked by infecting systems and demanding a ransom of $300 to get encrypted files back. The ransomware was known to scan local networks for systems vulnerable to the EternalBlue SMB exploit and to infect them using the WMIC and PsExec tools. Several victims are also known to have paid the ransom to get their files back.
Talos Intelligence conducted an analysis of this ransomware and found that the Petya virus was designed by a Ukrainian firm, MeDoc. Even though MeDoc has denied these allegations, stating that it has nothing to do with the ransomware, other security researchers, including Microsoft, agreed with Talos on MeDoc's involvement in the ransomware attacks.
However, new analysis conducted by security researchers proved that the ransomware is in fact wiper malware. It was merely designed to look like ransomware in order to trick victims. The real attack has been disguised to divert the media's attention from the Petya virus outbreak to the ransomware attacks.
Details gathered from the analysis show that, unlike traditional ransomware, Petya does not encrypt the files on a targeted system one by one. After infecting a system, the malware reboots the victim's computer and encrypts the hard drive's master file table (MFT). In doing so, the Petya malware renders the master boot record (MBR) inoperable. This takes away system information such as file names, sizes and locations on the physical disk, and restricts users' access to the full system. When they cannot access this information, users believe they have fallen victim to the Petya ransomware attack.
Not only that, the Petya ransomware also copies the encrypted MBR and replaces it with its own malicious code. That code is responsible for displaying a ransom note on the infected system and for stopping the computer from rebooting itself. All of this indicates that the malicious virus is indeed wiper malware.
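One defensive check that follows from the MBR overwrite described above, given here as an added example (it is not code from the article or from any of the researchers it cites): a small Python parser for the 512-byte MBR layout that compares a disk's first sector against a known-good snapshot and reports whether the bootstrap code, the partition table or the boot signature has changed. Both sample MBRs and the `build_mbr` helper are constructed for the example; on a real host the snapshot would be taken from the first sector of the boot disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap area precedes the partition table
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE_OFF = 510        # 0x55 0xAA boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
    }

def check_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` deviates from the known-good `baseline`."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code overwritten")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble an MBR from boot code and (type, lba_start, sectors) tuples."""
    mbr = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    for i in range(4):
        if i < len(partitions):
            ptype, start, count = partitions[i]
            mbr += struct.pack("<B3xB3xII", 0x80 if i == 0 else 0x00, ptype, start, count)
        else:
            mbr += bytes(16)
    return bytes(mbr + b"\x55\xaa")

# Constructed sample data, not real disk images: a known-good snapshot and a copy whose
# bootstrap area has been replaced by other code while the partition table is untouched.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x07, 2048, 1048576)])
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"X" * 300, [(0x07, 2048, 1048576)])
```

Run `check_mbr(GOOD_MBR, TAMPERED_MBR)` to see the `"boot code overwritten"` finding; an unchanged sector returns an empty list.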