Petya designed to destroy, not ransom users

Ransomware guise might have been a ruse.

The Petya/GoldenEye malware that wreaked havoc on Windows computers worldwide this week was most likely designed to destroy victims' files rather than hold them to ransom, according to security researchers.

Comae Technologies founder Matt Suiche believes the Petya variant used in Ukraine is a disk wiper that overwrites the first 25 sectors of the target system's hard disk.

Disk wipers such as the Shamoon malware have been used in sabotage operations against Saudi oil companies, with Iran widely assumed to be the culprit.

Suiche compared the original Petya version with the current strain and noted that the new one makes no attempt to preserve the disk sectors it overwrites, so there is nothing to restore once a ransom has been paid and a decryption key received.

"2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas 2017 Petya does permanent and irreversible damage to the disk," Suiche said.

Suiche's analysis is backed up by security vendor Kaspersky, which also labelled the current version of Petya a data wiper pretending to be ransomware.

Kaspersky dug into the Petya decryption routine and found that the installation identifier required for key recovery is essentially random data.

This means it is not possible to extract decryption information from the installation identifier.

Victims of Petya will not be able to unscramble their data even if they pay ransom, Kaspersky said.
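The two findings above (no preserved copy of the overwritten sectors, and an installation ID that carries no key material) are easiest to see side by side in code. The following is a toy model added for this article, not code from Suiche, Kaspersky or the malware itself: the 25-sector figure comes from Suiche's analysis, while the sector layout, the backup offset at sector 32, the XOR keystream, the 16-byte key and the "attacker secret" stand-in for the operator's private key are all simplifications of my own. The sample disk contents are constructed.

```python
"""Toy model: a 2016-style reversible MBR lock versus a 2017-style wiper.

Constructed for illustration only. It does not reproduce either strain's real
code, cryptography, key sizes or on-disk offsets; it only shows why one can be
undone after payment and the other cannot.
"""
import hashlib
import secrets

SECTOR = 512
N_SECTORS = 64
DAMAGED = 25          # sectors 0..24: the count Suiche reported for the 2017 strain
BACKUP_START = 32     # assumed: where the toy 2016-style model parks its backup copy
KEY_LEN = 16          # assumed toy key size
# Toy stand-in for the operator's private key. A real scheme would use asymmetric
# crypto here so that the victim cannot perform the ID -> key step themselves.
ATTACKER_SECRET = hashlib.sha256(b"toy attacker secret").digest()[:KEY_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_disk():
    """Constructed sample disk with distinct, deterministic content per sector."""
    out = bytearray()
    for i in range(N_SECTORS):
        out += hashlib.sha256(b"sector" + i.to_bytes(2, "big")).digest() * (SECTOR // 32)
    return out


def keystream(key, n_sectors):
    """Toy sector-level keystream (SHA-256 of key || counter, stretched to 512 bytes)."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() * (SECTOR // 32)
                    for i in range(n_sectors))


def lock_reversible(disk):
    """2016-style behaviour: keep an encrypted copy of the clobbered sectors and
    fold the key into the installation ID so the operator can hand it back."""
    key = secrets.token_bytes(KEY_LEN)
    original = bytes(disk[:DAMAGED * SECTOR])
    disk[BACKUP_START * SECTOR:(BACKUP_START + DAMAGED) * SECTOR] = xor(original, keystream(key, DAMAGED))
    disk[:DAMAGED * SECTOR] = b"\x90" * (DAMAGED * SECTOR)   # stand-in for the malicious bootloader
    return xor(key, ATTACKER_SECRET).hex()


def lock_wiper(disk):
    """2017-style behaviour: overwrite the sectors, keep no copy, show a random ID."""
    disk[:DAMAGED * SECTOR] = b"\x90" * (DAMAGED * SECTOR)
    return secrets.token_bytes(KEY_LEN).hex()


def attacker_key_from_id(install_id):
    """What the operator would do with a paying victim's installation ID."""
    return xor(bytes.fromhex(install_id), ATTACKER_SECRET)


def restore(disk, install_id):
    """Run the 2016-style recovery procedure blindly on any disk: derive the key
    from the ID, decrypt whatever sits in the backup region, write it back."""
    key = attacker_key_from_id(install_id)
    backup = bytes(disk[BACKUP_START * SECTOR:(BACKUP_START + DAMAGED) * SECTOR])
    disk[:DAMAGED * SECTOR] = xor(backup, keystream(key, DAMAGED))


def compare():
    """Lock two identical disks with each model, 'pay', and check what comes back."""
    original = bytes(make_disk())
    head = original[:DAMAGED * SECTOR]

    d1 = bytearray(original)
    id1 = lock_reversible(d1)
    damaged_before_payment = bytes(d1[:DAMAGED * SECTOR]) != head
    restore(d1, id1)

    d2 = bytearray(original)
    id2 = lock_wiper(d2)
    restore(d2, id2)

    return {
        "reversible_damaged_before_payment": damaged_before_payment,
        "reversible_recovered": bytes(d1[:DAMAGED * SECTOR]) == head,
        "wiper_recovered": bytes(d2[:DAMAGED * SECTOR]) == head,
        # Forensic check: does the original first sector survive anywhere on the wiped disk?
        "wiper_original_sector0_still_on_disk": original[:SECTOR] in bytes(d2),
    }


if __name__ == "__main__":
    print(compare())
```

The useful practitioner check is the last one: on an image from a 2016-style infection the original boot sectors are still somewhere on the disk, merely transformed, whereas after the 2017 strain they are gone, and no installation ID, paid for or not, can bring them back.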

Security researcher The Grugq earlier noted that the function to receive ransom payments in Petya is "extremely poor".

The only payment channel was a single email address, which the email provider disabled within hours of the attack starting; that too points to the malware being designed to destroy data rather than extort money, he said.

Suiche speculated that the ransomware function was designed to take attention away from the real, destructive purpose of Petya.

"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract attention to some mysterious hacker group rather than a nation state attacker like we have seen in the past in cases that involved wipers such as Shamoon," Suiche said.

Copyright © iTnews.com.au. All rights reserved.