The perpetrators of Tuesday's (27 June 2017) cyberattacks, which affected around 2,000 organisations worldwide, might not have been after financial gain after all.
Cybersecurity companies Kaspersky Lab and Comae Technologies have found that the malware that crippled computer systems earlier this week is not ransomware but a wiper.
"After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we [have come to a conclusion] that the threat actor cannot decrypt victims' [infected] disk, even if a payment was made," wrote Kaspersky Lab analysts Anton Ivanov and Orkhan Mamedov in a blog post on Wednesday (28 June 2017).
"This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears that it was designed as a wiper pretending to be ransomware," they added.
Whereas ransomware encrypts files and withholds them only until a ransom is paid, a wiper is designed to destroy data with no way to get it back.
Comae Technologies compared Tuesday's malware with the Petya ransomware of 2016 to establish what the new sample really is. Both target the master boot record (MBR). But where the 2016 Petya modified the MBR in a way it could later undo, the new variant "purposely" overwrites it without keeping a copy, removing any chance of restoration.
"A ransomware has the ability to restore its modification such as restoring the MBR like in the 2016 Petya, or decrypting [locked] files once the victim pays. [However,] a wiper would simply destroy and exclude possibilities of restoration," Matthieu Suiche, founder of Comae Technologies, wrote in a separate blog post.
As reported earlier, the new malware not only encrypts files but also encrypts the Master File Table (MFT) of NTFS partitions and overwrites the MBR, so infected computers can no longer boot. Infected PCs display a ransom note demanding US$300 in bitcoin and instructing victims to e-mail their bitcoin wallet ID and "personal installation key" to a given address in order to obtain a decryption key.
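The MBR overwrite described above is the kind of damage a responder checks for first when an infected machine stops booting. The following is an added example, not code from the article or from Comae or Kaspersky: a small parser for a 512-byte MBR with the sanity checks one might run on sector 0 of a disk image, plus a region-by-region comparison against a known-good backup of that sector. Both sectors are constructed for the demonstration; nothing is read from a real disk, and the "overwritten" sample is synthetic filler rather than the real malware's boot code.

```python
"""
Added example, not code from the article or from Comae/Kaspersky: a small
parser for a 512-byte Master Boot Record with the sanity checks an incident
responder might run on sector 0 of a disk image, plus a region-by-region
comparison against a known-good backup of that sector. Both sectors below
are constructed for the demonstration; nothing is read from a real disk.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"bootstrap": sector[:TABLE_OFFSET],
            "partitions": entries,
            "signature": sector[510:512]}


def mbr_problems(sector: bytes) -> list:
    """Return a list of gross inconsistencies; an empty list means sector 0 looks plausible."""
    mbr = parse_mbr(sector)
    problems = []
    if mbr["signature"] != BOOT_SIGNATURE:
        problems.append("boot signature is not 0x55AA")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        problems.append("partition table is empty")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition type 0x{p['type']:02x} has invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append(f"partition type 0x{p['type']:02x} has zero start or length")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        problems.append("more than one partition is flagged bootable")
    return problems


def diff_regions(sector: bytes, backup: bytes) -> list:
    """Name the MBR regions that differ from a trusted backup copy of sector 0."""
    a, b = parse_mbr(sector), parse_mbr(backup)
    return [name for name in ("bootstrap", "partitions", "signature") if a[name] != b[name]]


def build_sample_mbr() -> bytes:
    """Constructed, plausible MBR: one active NTFS partition starting at LBA 2048."""
    bootstrap = b"\xeb\x63\x90" + b"\x90" * (TABLE_OFFSET - 3)   # jump + NOP filler, not real boot code
    table = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return bootstrap + table + BOOT_SIGNATURE


def build_overwritten_sector() -> bytes:
    """Constructed stand-in for a sector 0 that has been replaced wholesale with foreign data."""
    return bytes((i * 37 + 11) & 0xFF for i in range(SECTOR_SIZE))


if __name__ == "__main__":
    good, bad = build_sample_mbr(), build_overwritten_sector()
    print("good:", mbr_problems(good) or "no problems")
    print("overwritten:", mbr_problems(bad))
    print("regions differing from backup:", diff_regions(bad, good))
```

One caveat: a malicious bootloader written to sector 0 has to boot, so it carries a valid 0x55AA signature and may keep a consistent partition table. The heuristics in `mbr_problems` only catch gross damage; `diff_regions` against a backup taken before the incident is what actually tells you the sector was replaced.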
However, Kaspersky Lab found that the "personal installation key" shown in the ransom note cannot serve its stated purpose.
In the sample it analysed, the key displayed on the infected computer was produced with the Windows CryptGenRandom function, which simply generates random bytes; that buffer is then encoded as a Base58 string and shown to the victim.
The string on the ransom screen and the random buffer are one and the same. "In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data," Ivanov and Mamedov detailed. Because the ID carries no information about the key used to encrypt the disk, the attackers could not produce a decryption key from it even if they wanted to.
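To make the difference concrete, here is an added example that is not code from the article, Kaspersky Lab or Comae. It contrasts two ways a ransom note's installation ID can be built: one where the ID carries the victim's disk key encrypted for the operator, so a paying victim's ID lets the operator recover that key, and one modelled on what Kaspersky describes for ExPetr, where the ID is random bytes encoded as Base58 and unrelated to any key. The Base58 codec uses the usual Bitcoin alphabet. The "escrow" variant XORs the disk key with an HMAC-SHA256 keystream under an assumed operator master secret; that is a standard-library stand-in for the public-key encryption a real design would use, and every key, secret and ID below is constructed for the demonstration.

```python
"""
Added example, not code from the article, Kaspersky Lab or Comae: it contrasts
two ways a ransom note's "installation ID" can be built, to show why an ID
made of plain random bytes cannot let the operator recover the victim's key.
The Base58 codec uses the usual Bitcoin alphabet. The "escrow" variant XORs the
disk key with an HMAC-SHA256 keystream under an assumed operator master secret,
a standard-library stand-in for the public-key encryption a real design would use.
Every key, secret and ID here is constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Optional

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text.encode():
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def _keystream(master: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for real key wrapping)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(master, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_escrow_id(disk_key: bytes, master: bytes, nonce: Optional[bytes] = None) -> str:
    """Functional design: the ID is nonce || E_master(disk_key) || tag, so the key is recoverable."""
    nonce = nonce or os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(disk_key, _keystream(master, nonce, len(disk_key))))
    tag = hmac.new(master, nonce + ct, hashlib.sha256).digest()[:8]
    return b58encode(nonce + ct + tag)


def make_random_id(length: int = 34) -> str:
    """ExPetr-style: random bytes encoded as Base58, with no relation to any key."""
    return b58encode(os.urandom(length))


def recover_key(install_id: str, master: bytes) -> Optional[bytes]:
    """What an operator's back end would do with a paying victim's ID."""
    try:
        blob = b58decode(install_id)
    except ValueError:
        return None
    if len(blob) < 8 + 1 + 8:
        return None
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expected = hmac.new(master, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None          # not something this operator produced: nothing to decrypt with
    return bytes(a ^ b for a, b in zip(ct, _keystream(master, nonce, len(ct))))


if __name__ == "__main__":
    master = b"constructed-operator-master-secret"
    disk_key = os.urandom(32)   # stands in for the per-victim disk encryption key
    print("escrow ID recovers key:", recover_key(make_escrow_id(disk_key, master), master) == disk_key)
    print("random ID recovers key:", recover_key(make_random_id(), master))
```

The point is in the last two lines: with the escrow design, the operator's secret turns the ID back into the disk key; with a random ID there is nothing to turn back, whatever secret the operator holds. Looking at a single ID cannot tell the two apart, which is why Kaspersky had to trace how the sample generated the string rather than inspect the string itself.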