The original creator of Petya ransomware is now offering to help combat a modified version of the germ that shut down computers belonging to thousands of companies in over 64 countries.
Petya was initially created to function as a potent ransomware but has lately been modified to attack large corporations in Ukraine.
Petya was born in March of last year as a potent ransomware that could encrypt ‘master file tables’ in computers at a time when other ransomware variants were only able to encrypt individual files. This way, it could operate much faster and also made it more difficult for experts to decrypt encrypted files.
Petya’s creator, who calls himself Janus on Twitter, started selling the ransomware to other hackers and this is how the ransomware landed in the hands of those who decided to modify it for more destructive purposes.
“Some researchers suggested that the new ransomware might be either WannaCry (it’s not), or some variation of Petya ransomware. Kaspersky Lab experts concluded that the new malware is significantly different from all earlier known versions of Petya, and that’s why we are addressing it as a separate malware family. We’ve named it ExPetr (or NotPetya – unofficially),” noted researchers at Kaspersky Labs.
The researchers also discovered that unlike any standard ransomware, the new malware could not decrypt victims’ disks since it did not contain any Installation ID. Such installation IDs are always present in previously known ransomware such as Petya itself, GoldenEye or Misha. The researchers have, as a result, asked companies and individuals not to pay ransom as it won’t help.
“ExPetr (aka NotPetya) does not have that installation ID (the ‘installation key’ shown in the ExPetr ransom note is just a random gibberish), which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data,” the researchers added.
In a major boost to global efforts aimed at containing and finding hackers behind the new malware, the original creator of Petya has now surfaced and is presently inspect the malware.
“We’re back havin a look in “notpetya” maybe it’s crackable with our privkey #petya,” said Janus.
The fact that Petya (NotPetya) isn’t a traditional ransomware but a malicious malware masquerading as one, has been claimed by various experts ever since the cyber-attack took place. A Ukrainian member of parliament has termed the malware as ‘a cyber attack with the ultimate goal of an attempt to destabilize the situation in the economy and public consciousness of Ukraine was disguised as an attempt to extort money from computer owners.’
Janus hasn’t shared any new information concerning the new malware variant so far but researchers elsewhere have already found a brilliant method to curtail the malware’s spread. By creating a file named perfc with no extension name and placing it in the C:\windows\ folder, researchers found that they could stop the malware from running. However, the method hasn’t helped them in finding out the source of the attack or how to obtain its source code.