Researchers believe that the massive ransomware attack that infected computer systems around the world on Tuesday may actually be malware designed for purely destructive purposes.
The malware overwrites, rather than encrypts, the first sectors of the disk, starting with the master boot record (MBR): the boot code and partition table a machine needs in order to start at all. Malware that destroys all or part of a disk in this way is known as a wiper.
"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," wrote Matt Suiche, co-founder of Comae Technologies, in a blog post Wednesday.
The ransomware released Tuesday was similar enough to the known Petya ransomware that many have taken to calling it Petya. Differences in its code and behavior, however, have led researchers to treat it as a distinct strain, proposing names like "Petna," "NotPetya" and "ExPetr."
NotPetya infected computers worldwide, causing untold damage. Victims ranged from a shipping yard in India to a major pharmaceutical company in the United States.
Although infected computers display a message saying that the machine's files have been encrypted and can be decrypted if the user pays a ransom, paying achieves nothing. Victims are told to email proof of payment to an email address that is no longer active.
Even if victims could get a payment acknowledged, the overwritten sectors cannot be restored. The original Petya replaced the MBR with its own boot code but kept a copy of the original elsewhere on the disk, so the change could be undone after payment (later Petya variants also encrypted individual files). NotPetya deliberately overwrites those sectors and keeps nothing from which they could be restored.
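To make that distinction concrete, here is an added example (not code from this article, from Comae or from Kaspersky) in Python that parses sector 0 of a raw disk image, flags a boot sector whose partition table no longer makes sense, and shows why a scheme that keeps an obfuscated copy of the original MBR elsewhere on the disk can be undone while a plain overwrite cannot. The sample images, the backup sector number 56 and the XOR key 0x37 are constructed assumptions for the example, not NotPetya's on-disk layout.

```python
"""Triage of sector 0 (the MBR) in a raw disk image, and the difference between
a boot sector that was swapped out with a recoverable copy kept and one that was
simply overwritten. All sample data below is constructed for this example."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE = 446            # the 4 x 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions, boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Build a minimal MBR from (bootable, type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, count)
    mbr[510:] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector):
    """Split one 512-byte sector into its boot signature and four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        parts.append({"flag": flag, "type": ptype, "start": start, "count": count})
    return {"signature_ok": sector[510:] == BOOT_SIG, "partitions": parts}


def mbr_problems(sector, disk_sectors):
    """Sanity checks a forensic triage would apply; an empty list means the sector is plausible."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        problems.append("partition table is empty")
    for n, p in enumerate(used):
        if p["flag"] not in (0x00, 0x80):
            problems.append(f"entry {n}: bogus boot flag 0x{p['flag']:02x}")
        if p["count"] == 0 or p["start"] == 0 or p["start"] + p["count"] > disk_sectors:
            problems.append(f"entry {n}: extent {p['start']}+{p['count']} does not fit the disk")
    return problems


def classify_sector0(image, disk_sectors):
    """Return 'zeroed', 'plausible MBR' or 'overwritten or garbage' for sector 0 of an image."""
    s0 = image[:SECTOR]
    if not any(s0):
        return "zeroed"
    return "plausible MBR" if not mbr_problems(s0, disk_sectors) else "overwritten or garbage"


def recover_from_backup(image, backup_sector, xor_key, disk_sectors):
    """Undo a 'keep an XOR-obfuscated copy elsewhere' scheme; returns the restored MBR or None."""
    raw = image[backup_sector * SECTOR:(backup_sector + 1) * SECTOR]
    candidate = bytes(b ^ xor_key for b in raw)
    return candidate if not mbr_problems(candidate, disk_sectors) else None


# ---- constructed sample images: 64 KiB, 128 sectors each ----
DISK_SECTORS = 128
GOOD_MBR = build_mbr([(True, 0x07, 8, 100)])
# Deterministic junk standing in for a malicious bootloader. It carries a valid
# signature on purpose: the signature alone cannot tell it from a real MBR.
JUNK_BOOT = bytes((i * 73 + 11) & 0xFF for i in range(510)) + BOOT_SIG
BACKUP_SECTOR, XOR_KEY = 56, 0x37   # assumed layout for the reversible case (example only)


def make_image(sector0, backup=None):
    """Lay out a disk image with the given sector 0 and, optionally, an obfuscated backup copy."""
    img = bytearray(DISK_SECTORS * SECTOR)
    img[:SECTOR] = sector0
    if backup is not None:
        img[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = bytes(b ^ XOR_KEY for b in backup)
    return bytes(img)


INTACT = make_image(GOOD_MBR)
REVERSIBLE = make_image(JUNK_BOOT, backup=GOOD_MBR)   # original kept, XOR-obfuscated
WIPED = make_image(JUNK_BOOT)                          # original simply overwritten

if __name__ == "__main__":
    for name, img in (("intact", INTACT), ("reversible", REVERSIBLE), ("wiped", WIPED)):
        restored = recover_from_backup(img, BACKUP_SECTOR, XOR_KEY, DISK_SECTORS)
        print(f"{name:10s} sector 0: {classify_sector0(img, DISK_SECTORS):22s} "
              f"backup: {'recoverable' if restored else 'nothing to restore'}")
```

Run against a real image, the partition-table sanity checks are what matter: a replacement boot sector written by malware is a valid boot sector in the firmware's eyes, so checking only for the 0x55AA signature will report it as healthy. The recovery step is only as good as the copy the malware chose to keep, which is the whole point of the wiper argument above.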
In an interview with The Hill Tuesday, Ryan Naraine, head of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, said that aspects of the attack were so suspicious that the unit first suspected the ransom message might be a cover for other activities.
“At first we thought this was a cover for a wiper attack like BlackEnergy,” he said, referencing a well-known malware family used in earlier attacks on Ukraine that includes a component for destroying files.
Ultimately, Kaspersky did not find evidence that it was anything other than a ransomware attack. Kaspersky did find that NotPetya targeted Ukrainian systems in particular: the initial infections arrived through malicious updates to a Ukrainian accounting package, after which the malware spread to other machines over the network through Windows vulnerabilities and stolen administrator credentials.