The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Dubai-based Comae Technologies and Kaspersky Lab experts, according to Bleeping Computer.
Experts told Bleeping Computer that NotPetya — also known as Petya, Petna, ExPetr — operates like ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.
This has nothing to do with the fact that a German email provider has shut down the NotPetya operator’s email account. Even if victims were able to get in contact with the NotPetya author, they would still have no chance of recovering their files.
This is because NotPetya generates a random infection ID for each computer. Ransomware that doesn’t use a command-and-control server — like NotPetya — relies on the infection ID to store information about each infected victim, including the decryption key.
Because NotPetya fills that ID with random data, decryption is impossible, according to Kaspersky expert Anton Ivanov.
“What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” said Ivanov.
Kaspersky’s discovery was also reinforced by a separate report released by Comae Technologies researcher Matt Suiche, who found a totally different flaw but reached the same conclusion.
In his report, Suiche describes a faulty sequence of operations that makes it impossible to recover the original MFT (Master File Table), which NotPetya encrypts. The MFT records where each file is stored on a hard drive, and with it left encrypted there is no way to tell where any file is on an affected computer.
“[The original] Petya modifies the disk in a way where it can actually revert its changes. Whereas, [NotPetya] does permanent and irreversible damages to the disk,” Suiche said.