Yesterday we reported on the latest ransomware attack, calling it “Petya.” But plenty of experts and news sources reported the attack under a name that literally could not be more opposite: “NotPetya.” So what's the distinction? Why is a cyberattack so difficult to identify that we can't all agree on its title?
The Case for Petya
You've heard of the duck test: If it walks like a duck and quacks like a duck, it is one. Here's the list of similarities that the recent attack shares with the ransomware already known as Petya, straight from Forcepoint Security Labs' sample analysis. According to them, the new attack can:
- Encrypt files on disk without changing the file extension;
- Forcibly reboot the machine upon infection;
- Encrypt the Master Boot Record on affected machines;
- Present a fake CHKDSK screen as a cover for the encryption process; and
- Present a near-identical ransom demand screen after completing its activities.
In short, the attack operates using the same tactics as Petya has historically used.
The Case for NotPetya
However, the attack might not even qualify as “ransomware.” This term refers to attacks that intend to hold data for a ransom, returning it if the company is willing to shell out the bitcoins needed to regain access to its sensitive data. And apparently, the new attack is destroying information outright. Here's a post from Matt Suiche, founder of Comae Technologies, which explains the difference between ransomware and a “wiper.”
“The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”
The 2016 Petya attacks modified data in a way that allowed it to be recovered, whereas the 2017 Petya does an amount of irreversible damage. An email address was once available for sending ransoms — prompting the press to cover the attack as if it were ransomware — but it has since gone defunct.
“We believe the ransomware was in fact a lure to control the media narrative,” Suiche explained, adding a paragraph later, “The attacker took an existing ransomware which he repackaged.
[…] The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.”
Regardless of whether you call it Petya or NotPetya, it's the same threat, and you should take the preventative measures we outlined yesterday in order to keep yourself moderately safe from nation states' future attacks.