So Is the New Ransomware Attack Petya or NotPetya?

Yesterday we reported on the latest ransomware attack, calling it “Petya.” But plenty of experts and news sources reported the attack under a name that literally could not be more opposite: “NotPetya.” So what’s the distinction? Why is a cyberattack so difficult to identify that we can’t all agree on its title?

The Case for Petya

You’ve heard of the duck test: If it walks like a duck and quacks like a duck, it is one. Here’s the list of similarities that the recent attack shares with the ransomware already known as Petya, straight from Forcepoint Security Labs’ sample analysis. According to them, the new attack can:

  • Encrypt files on disk without changing the file extension;
  • Forcibly reboot the machine upon infection;
  • Encrypt the Master Boot Record on affected machines;
  • Present a fake CHKDSK screen as a cover for the encryption process; and
  • Present a near identical ransom demand screen after completing its activities.

In short, the attack uses the same tactics that Petya has historically used.

The Case for NotPetya

However, the attack might not even qualify as “ransomware.” This term refers to attacks that intend to hold data for a ransom, returning it if the company is willing to shell out the bitcoins needed to regain access to its sensitive data. And apparently, the new attack is destroying information outright. Here’s a post from Matt Suiche, founder of Comae Technologies, which explains the difference between ransomware and a “wiper.”

“The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.”

The 2016 Petya attacks modified data in a way that allows that data to be recovered, but the 2017 Petya does an amount of irreversible damage. An email address was once available to send ransoms, which triggered the press to cover the attack as if it were ransomware, but it has since gone defunct.

“We believe the ransomware was in fact a lure to control the media narrative,” Suiche explained, adding a paragraph later, “The attacker took an existing ransomware which he repackaged.

[…] The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.”

Regardless of whether you call it Petya or NotPetya, it’s the same threat, and you should take the preventative measures we outlined yesterday in order to keep yourself moderately safe from nation states’ future attacks.

Read more about cybersecurity on TechCo


Written by:
Adam is a writer at and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.