Some researchers say it’s really designed to seek and destroy, not to grab your money.


The newest may not be ransomware at all, according to some researchers.

Some say the malware that infected thousands of computers and left ransom notes behind yesterday had a secret mission.

Not ransom, but instead destruction on a large scale.

It was likely a nation-state attacking another country, using the guise of ransomware to make it look like a money-making scheme, said Matt Suiche, founder of cybersecurity company Comaeio, in a post today.


One of the first things you’ll see if you’re infected by Petya.2017, according to Malwarebytes Labs. Image credit: Malwarebytes Labs


Dirty secret?

You may remember the name of the ransomware that shut down hospitals and businesses in May.

Many called it “WannaCry.”

The new malware that hit yesterday goes by many different names: Petya, NotPetya, PetyaWrap, ExPetr.

That’s because it is similar to an older ransomware called Petya, but with some changes, and researchers often pick their own monicker to describe it.

Suiche named it “Petya.2017.”

He says it’s not really ransomware, but a “wiper” that wipes out your data rather than holding it for ransom.

If true, you can’t ever get your data back. Even if you pay up.

“The goal of a wiper is to destroy and damage,” he wrote. “The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”


Petya.2017 ransom note. Image credit: Kaspersky Lab



The Petya.2017 attack started in Ukraine, which has been under cyber siege for some time, including game-changing power system hacks in 2015 and 2016 and constant barrages against government websites and computer systems.

Suiche sees a connection between past attacks and yesterday’s massive cyber bombing.

“Lately, the number of attacks against Ukraine increased from Power Grids being shut down to the car a top military intelligence officer exploding yesterday  —  the day Petya.2017 infected Ukraine,” Suiche said.


A Ukrainian substation affected by a hacker-casued outage in December 2016, according to Wikimapia. Creative Commons license Attribution-ShareAlike (CC-BY-SA)


When WannaCry ransomware ran rampant on the world last month, there were many targets.

Not this time, said cybersecurity company Kaspersky Lab.

“The key difference with this new ransomware is that this time, criminals have chosen their targets with greater precision: Most of the victims are businesses, not consumers, wrote Kaspersky Lab’s Nikolay Pankov in a post. “The worst part is that far more critical infrastructure facilities are among the victims of this malware.”

Petya.2017 took out Ukraine’s Chernobyl nuclear plant’s radiation-monitoring system, delayed flights at capital city Kiev’s airport, and forced government computers to go dark, reports said.

The malware can spread from one computer to another, and eventually sabotaged computer systems in other countries — hospitals in the U.S., a big U.S. drug manufacturer, the maker of Oreo, Nabisco, and Cadbury, a shipping company in Denmark and more, according to reports.



Fake ransom note?

Although Petya.2017 throws a ransom note on your screen, there’s no way for you to actually get your data back, some researchers said.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have confirmed that the threat actor cannot decrypt victims’ disk, even if a payment was made,” said Kaspersky Lab’s Anton Ivanov.

“Our experts discovered that this malware has no mechanism for saving the installation ID. Without this ID, the threat actor cannot extract the necessary information needed for decryption,” Pankov wrote. “In short, they are simply unable to help victims with data recovery.”



In disguise

Why show the ransom note?

To fool people into thinking it’s an act of theft by cyber vandals, when it’s really one country trying to destroy another, according to Suiche.

Countries have done similar attacks in the past, for example when a nation-state destroyed 30,000 computers in Saudi Arabia with a malware siege called Shamoon.

“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” Suiche said.


Shamoon hit Saudi Arabian company Aramco in 2012. Image: Aramco building in Milan. Photo credit: dhublimited via / CC BY



The epicenter of the attack may be a Ukrainian tax accounting software company.

Someone may have hacked into M.E.Doc and planted Petya.2017 in its system, according to a report by Microsoft.

When M.E.Doc sent out an update for its software, Petya.2017 would have infected computers using the company’s product and then spread beyond, according to the research.

For its part, M.E.Doc declared it was not the source of the problem on its Facebook page.

“We want to draw your attention: M.E.Doc did not spread the virus,” the post said.


Ukrainian company M.E.Doc said it “did not spread the virus” on its Facebook page.


Who’s behind it?

Neither Suiche nor Kaspersky Lab said who might have launched this attack on Ukraine — and then the world.

Experts say it can be very hard to determine the real villain behind a cyber crime.

Either way, you need to protect your computer and your systems.

Even if you are not in the site of a nation-state’s cyber weapon, you could become a casualty of digital war.


Here are three ways to protect your computer from the new Petya malware from Forbes.

The United States Computer Emergency Readiness team has how to protect against ransomware in general.

See also “Surviving the new global ransomware attack” by Archer News Network.