NotPetya attacker can’t provide decryption keys, researchers warn


While defenders and security researchers are sifting artefacts that could help prevent new NotPetya ransomware attacks and perhaps point to the identity of the attacker, the victims are trying to recover their systems.

NotPetya decrypt fail

Judging by the Bitcoin wallet to which ransom payments are to be made, some 45 organizations have attempted to go that route. As I’m writing this, the wallet holds nearly 4 Bitcoin (around $10,200).

But it’s very doubtful that those that chose to pay the ransom actually managed to get their files back.

For one, the only way to get in contact with the attacker is through an email address opened with the German email service provider Posteo, and the provider suspended the account almost immediately.

Secondly, even if the email address were still working, it’s highly likely that the attacker has no interest in helping the victims.

Decryption is not possible

Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov say that after an analysis of the encryption routine of the malware, they found that the attacker can’t decrypt victims’ disks, even if a payment is made.

The installation key (ID) that the victims need to provide in order to get the decryption key back is a useless, randomly generated string, they noted.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware,” they added.

Matthieu Suiche, CEO of cybersecurity firm Comae, is of the same opinion.

“This variant of Petya is a disguised wiper,” he says. “[The] 24 sector blocks following the first sector block are being purposely overwritten; they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encodes them.”
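To make concrete why a random installation ID plus a destructive overwrite leaves nothing to recover even for whoever is behind the attack, here is a toy model added to this article (it is not code from the Kaspersky or Comae researchers, nor from the malware) that contrasts a reversible sector locker with a wiper that only looks like one. The hash-counter keystream, the XOR-based key wrapping, the random overwrite bytes and the 512-byte sector size are modelling assumptions, not details taken from the real samples.

```python
"""Toy model (added illustration) of a reversible sector locker versus a wiper
whose installation ID is random and whose sectors are overwritten, not saved."""
import secrets
from hashlib import sha256

SECTOR = 512            # assumed sector size for the model
TARGET = range(1, 25)   # the 24 sector blocks after the first one, per the quote

def make_disk(n_sectors=32):
    """Constructed sample disk image: sector i is filled with the byte value i."""
    return bytearray(b"".join(bytes([i]) * SECTOR for i in range(n_sectors)))

def keystream(key, sector):
    """Toy per-sector keystream (hash in counter mode); stands in for a real cipher."""
    return b"".join(sha256(key + sector.to_bytes(4, "big") + bytes([c])).digest()
                    for c in range(SECTOR // 32))

def xor_sectors(disk, key):
    """XOR each target sector with its keystream; applying it twice restores the data."""
    out = bytearray(disk)
    for s in TARGET:
        ks = keystream(key, s)
        for j in range(SECTOR):
            out[s * SECTOR + j] ^= ks[j]
    return out

def locker(disk, attacker_secret):
    """Ransomware model: the ID shown to the victim is the disk key wrapped with the
    attacker's secret, so the holder of that secret can unwrap it and return the key."""
    key = secrets.token_bytes(32)
    install_id = bytes(a ^ b for a, b in zip(key, attacker_secret)).hex()
    return xor_sectors(disk, key), install_id

def wiper(disk):
    """Wiper model: target sectors are overwritten without being read or saved
    anywhere, and the ID shown to the victim is random and linked to nothing."""
    out = bytearray(disk)
    for s in TARGET:
        out[s * SECTOR:(s + 1) * SECTOR] = secrets.token_bytes(SECTOR)
    return out, secrets.token_hex(32)

def attacker_recover(disk, install_id, attacker_secret):
    """What the attacker can do with a paying victim's ID: unwrap it, re-apply the key."""
    key = bytes(a ^ b for a, b in zip(bytes.fromhex(install_id), attacker_secret))
    return xor_sectors(disk, key)

def recovery_possible(damaged, install_id, attacker_secret, original):
    """True only if the attacker's best effort reproduces the original sectors."""
    return attacker_recover(damaged, install_id, attacker_secret) == original
```

Running `recovery_possible` on the output of `locker` returns True, while on the output of `wiper` it returns False: the ID unwraps to garbage and the original sector contents no longer exist anywhere.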

He believes that the ransomware disguise was an attempt by the attacker to control the media narrative around the attack and initially pass it off as the work of cybercriminals rather than nation-state attackers.
