Oops! “Petya” Ransomware is now “NotPetya” but it is Wiperware

Redport Information Assurance
Yes, the “Petya” ransomware is now being called wiperware, and the name has changed to “NotPetya” wiperware. Confused? Well, you shouldn’t be! It happens! “Petya” was first designated a ransomware campaign because of the ransom screen and the presumed encrypted files. Security researchers believe the ransomware threat was just a lure to control the media narrative, especially since the “WannaCry” campaign had garnered so much media attention.

However, after the campaign was initiated, security researchers such as Kaspersky Lab scrutinized and analyzed the so-called encryption and determined that the installation key shown on the ransom note was composed of random characters, which means that the attacker could not extract any decryption information from it. Unfortunately, as a result, victims were not able to decrypt any of their encrypted disks, because “Petya/NotPetya” is now known to cause permanent damage to users’ systems. Security researchers also noted that the malware purposely overwrote the first 25 blocks on infected disks, with no regard for any later decryption.

The mitigation efforts mentioned previously by security analysts at Redport Information Assurance, LLC still remain the most effective defense against the “Petya/NotPetya” ransomware/wiperware campaign, which is still very much active. The campaign has now spread drastically, and it has been reported that over 2000 cyber-attacks have occurred in over 65 countries. Security researchers have also reported that a vaccine was available, rather than the kill switch that was mentioned previously and was not very effective.

By Dr. Randall Sylvertooth

Reference:
http://www.zdnet.com/article/ransomware-in-disguise-experts-say-petya-out-to-destroy-not-ransom/



Gaithersburg, MD, USA