Those responsible for the Petya cyberattack that began Tuesday in Ukraine and Russia don’t appear to be in it for the money, some security researchers have concluded. The new malware may also come from a different source than the original Petya ransomware, which first appeared in 2016.
These are just a few of the new details emerging about the malware that has affected at least 12,500 machines around the world, crippling systems operated by the Kiev airport, Russian energy firm Rosneft, Danish shipping giant Maersk, international marketing firm WPP, and even the chocolate-maker Cadbury. For example, to continue taking bookings from shipping customers, Maersk reverted to handling orders manually, the shipping site Splash 24/7 reported.
While the malware initially appeared to be ransomware, which encrypts a victim’s files and demands payment for decryption, it seems more likely to have been intended to cause chaos, researchers at Kaspersky Lab and Comae Technologies said during a webinar yesterday. With the creator of the original Petya ransomware calling the new malware “notpetya,” investigators are also trying to identify which individuals, organizations, or state actors might be behind this week’s attacks. The malware has also been dubbed Nyetya, Pnyetya, and PetrWrap.
‘A Wiper Not Ransomware’
“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made,” Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov wrote Wednesday on the company’s SecureList blog. “This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”
Matt Suiche, founder of Comae Technologies, reached the same conclusion, noting in a commentary on Medium Wednesday that Petya.2017 is a…