"That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim. As a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID," they added.
On top of that, paying the ransom is no longer possible since the e-mail address to which victims should send their bitcoin wallet ID and personal installation key to has been taken down by the provider, according to another security company ESET. Kaspersky Lab said removing the e-mail address only supports its theory that the cyberattack is not driven by financial gains.
"This is the worst-case news for the victims - even if they pay the ransom, they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destruction," said Ivanov and Mamedov.
Meanwhile, Suiche believes using and repackaging an existing ransomware is just a way for the attacker to hide his/her identity.
"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," he said.
Sign up for CIO Asia eNewsletters.