
Petya ransomware scam: Lost files can't be restored

Researchers discovered the rash of Petya-like attacks is nothing more than a ransomware scam, and lost files are impossible to restore.

Although the Petya-like malware appeared to be ransomware, researchers have found that the attack does not allow for the restoration of affected systems.

Matt Suiche, founder of Comae Technologies, and Kaspersky Lab independently discovered that the global attacks asking for ransom were nothing but a ransomware scam.

Kaspersky Lab said the Petya-like malware was indeed a ransomware scam.

"To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery," Kaspersky Lab wrote in its analysis. "ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."

According to Suiche, while older versions of Petya ransomware would read each sector of a disk and reversibly encode them, this Petya-like malware "does permanent and irreversible damages to the disk" by overwriting sector blocks.

Suiche said this means the attacks were ransomware scams and the malware should be considered a "wiper," because its intent was not to make money, but to "destroy and damage."
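To make the two findings above concrete (Kaspersky's point that the installation ID carries no key material, and Suiche's point that sectors are overwritten rather than reversibly encoded), here is an added illustrative model. It is not Petya or NotPetya code and not from either researcher: the XOR keystream, the HMAC-based key wrapping and the shared attacker master secret are deliberate stand-ins for the real ciphers and asymmetric keys. What it shows is the structural difference: in the older design the ID is a wrapped copy of the per-victim key, so the attacker can unwrap it and reverse the transform; in the wiper design the ID is random and the data is destroyed, so even the attacker's own secret recovers nothing.

```python
"""Illustrative model (constructed example, not Petya/NotPetya code) of why an
installation ID that carries no key material makes decryption impossible."""
import hashlib
import hmac
import secrets

# Stand-in for the attacker's private key. Real Petya used asymmetric crypto;
# a shared master secret is a simplification for this example.
ATTACKER_MASTER_SECRET = secrets.token_bytes(32)
ID_LEN = 48  # nonce (16) + wrapped key (16) + tag (16)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Reversible transform: XOR data with an HMAC-SHA256 counter keystream.
    Applying it twice with the same key returns the original bytes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def petya_style_infect(sectors: bytes, master: bytes):
    """Older Petya model: random per-victim key, sectors reversibly encoded,
    and an installation ID that wraps the key under the attacker's secret."""
    victim_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    wrap = hmac.new(master, nonce, hashlib.sha256).digest()[:16]
    wrapped = bytes(a ^ b for a, b in zip(victim_key, wrap))
    tag = hmac.new(master, nonce + wrapped, hashlib.sha256).digest()[:16]
    installation_id = nonce + wrapped + tag
    return installation_id, xor_keystream(victim_key, sectors)


def notpetya_style_infect(sectors: bytes):
    """Wiper model: the displayed ID is random and unrelated to any key, and
    the sectors are overwritten with random bytes instead of being encoded."""
    installation_id = secrets.token_bytes(ID_LEN)
    return installation_id, secrets.token_bytes(len(sectors))


def attacker_recover(installation_id: bytes, disk: bytes, master: bytes):
    """What the attacker could do with a victim's ID: unwrap the key if the ID
    actually carries one, otherwise return None. A random ID fails the tag
    check, so no key (and no plaintext) can ever be derived from it."""
    if len(installation_id) != ID_LEN:
        return None
    nonce, wrapped, tag = (installation_id[:16], installation_id[16:32],
                           installation_id[32:])
    expected = hmac.new(master, nonce + wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # ID carries no recoverable key material
    wrap = hmac.new(master, nonce, hashlib.sha256).digest()[:16]
    victim_key = bytes(a ^ b for a, b in zip(wrapped, wrap))
    return xor_keystream(victim_key, disk)


def demo(master: bytes = ATTACKER_MASTER_SECRET):
    """Run both models on constructed sector data; returns (recovered_old, recovered_wiper)."""
    sectors = b"constructed MFT sector contents " * 8  # constructed sample data
    old_id, encoded = petya_style_infect(sectors, master)
    wiper_id, wiped = notpetya_style_infect(sectors)
    return (attacker_recover(old_id, encoded, master) == sectors,
            attacker_recover(wiper_id, wiped, master) is not None)


if __name__ == "__main__":
    old_ok, wiper_ok = demo()
    print("Petya-style ID lets the attacker restore sectors:", old_ok)
    print("NotPetya-style ID lets the attacker restore sectors:", wiper_ok)
```

The second case fails for two independent reasons, and the model keeps them separate: the tag check rejects the ID before any key is derived, and even if a key were produced, the overwritten sectors are random bytes with no relationship to the original data, so there is nothing for a keystream to reverse.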

"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon," Suiche wrote in a blog post. "The fact of pretending to be a ransomware while being in fact a nation state attack -- especially since WannaCry proved that widely spread ransomware aren't financially profitable -- is in our opinion a very subtle way from the attacker to control the narrative of the attack."

Additionally, while the bitcoin address associated with the ransomware scam has received 45 payments worth approximately $10,000 at the time of this post, the email address connected to the attackers has been shut down.
