
Was this week's Petya attack even ransomware?

This week saw yet another major online infection grab the headlines again, with a rebooted version of the Petya ransomware sweeping the globe.

The attack apparently originated in Ukraine on Tuesday before branching out to affect organisations in over 80 countries, including the US, Australia and the UK. Businesses are scrambling to confirm they have not been infected, and, if they have not, that they remain protected against such assaults.

However, researchers now believe that this week's attacks, now widely referred to as 'NotPetya' or 'Goldeneye', may not have been a ransomware attack at all - but something completely different.

Experts at Kaspersky Lab have carried out an in-depth analysis of the NotPetya malware, and now believe that the attack only pretended to be ransomware in order to dupe victims into sending the attackers money.

With the recent WannaCry attacks still looming large in many people's minds, the attackers looked to capitalise on wider fears about cyber security and scare businesses into handing over money for nothing in return.

Kaspersky Lab's researchers found that although NotPetya looked like a ransomware attack, the encryption routine used in the malware did not allow the attackers to decrypt victims' disks - even if the victims had paid, as they would in most ransomware attacks.

In fact, the team now believes it to be so-called 'wiper' malware, which overwrites the parts of the disk that the computer needs in order to boot and run - destroying them for good, rather than merely encrypting them to be released upon payment, as ransomware does.


This week's attack was particularly noteworthy for how fast it spread, with organisations around the globe being infected within hours of the initial detection.

WannaCry was similar, pairing its ransomware with a worm component that allowed it to spread quickly across a network. NotPetya used a similar tactic, but needed to exploit only a single unprotected machine, from which it would then spread across the rest of the network.

This again seems to back up the theory that this week's attack was designed to cause panic and mayhem, rather than purely for financial gain.

The Kaspersky Lab team also noted that NotPetya's true nature should have been apparent from how difficult the criminals made it for victims to pay up and get their data released.

The researchers noted that only a single Bitcoin wallet was used to accept payments of around $300 in the cryptocurrency, rather than multiple payment destinations to rake in as much money as possible.

It was reported earlier this week that the criminals used Posteo, a German email hosting service, to handle payment confirmations; the account was quickly shut down, which also raised suspicions. Victims were told to email the attackers a long string of characters, which had to be entered exactly in order to get their data back - except, of course, that the email address was no longer working.

There's still no concrete information as to who exactly was behind the attack, with suspicion falling on criminal groups around the world, as well as the usual phantom of state-sponsored attackers.

Given the wide-ranging nature of NotPetya, though, it seems more likely that this was an attack set up to cause mayhem and disruption to as many businesses as possible - and only time will tell who was behind it.

Mike Moore is Deputy Editor at TechRadar Pro, and has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and ITProPortal.