A worldwide cyberattack, reportedly spread by a ransomware variant called "Petya," infected computer systems in more than 60 countries June 27. However, upon further inspection, security researchers have hypothesized that Petya is not ransomware but a 'wiper.'
Here are three things to know.
1. In an analysis by Kaspersky Lab, security researchers compared the 'installation ID' in Petya's code to that of similar types of ransomware. The installation ID typically contains information about how to decrypt and recover a target's files. However, in Petya, the installation ID is randomly generated.
"After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims' disk, even if a payment was made," Kaspersky Lab researchers determined.
2. Comae Technologies, another cybersecurity firm, alleged Petya purposefully destroyed data under the guise of encryption. The security researchers determined Petya is based on an older version of the ransomware, which did decrypt files. However, the new version overwrites data without saving it.
"2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk," Comae Technologies researchers concluded. "[W]e can see the current version of Petya clearly got rewritten to be a wiper and not [an] actual ransomware."
3. Comae Technologies researchers also emphasized the email address the cyberattacker provided to targets for ransom demands is no longer accessible, suggesting the Petya attack was not financially motivated. "The goal of a wiper is to destroy and damage," they wrote. "The goal of a ransomware is to make money."
In their independent analysis, Kaspersky Lab researchers agreed, stating their finding "reinforces the theory that the main goal of the [Petya] attack was not financially motivated, but destructive."