
The Petya ransomware actually destroys user data; paying the ransom is pointless





Much is being written about the ransomware known as Petya / PetrWrap, and this is not surprising: it is the central element of the most powerful cyber attack to date, one that hit computers and networks of commercial companies, government organizations and individuals in Ukraine, Russia, Belarus and many European countries. Outwardly, Petya looks like an ordinary ransomware encryptor whose authors promise to decrypt the user's data once a ransom is paid.



But the reality is different. Under the guise of ransomware hides a wiper (that is, a data eraser) whose creators pursue only one goal: the destruction of the data on the victim's computer. Yes, all of this is masked by a demand for money, but paying is still not worth it. Not only because the e-mail provider has blocked the mailbox to which victims were supposed to send their payment details, but also because paying is pointless in any case: a data decryption function simply does not exist here.





The ransomware does ask the victim for about $300 to return the information on the infected computer's hard drives. The attackers also intimidate their victims with the following text: "Do not waste your time. No one can recover your files without our decryption service."


The text works: some users of infected machines do pay, and not a little. At least 50 victims of Petya (aka ExPetr, aka NotPetya) are now known who paid a total of the equivalent of $10,200. But these users do not know that the attackers have no decryption service. The money is thrown to the wind.



According to cybersecurity experts, these users will receive absolutely nothing for their money, because an error in the malicious code makes it impossible to decrypt the files. The company's specialists analyzed the part of the malware code responsible for file encryption and found that once the disk is fully encrypted, the victim loses any ability to get the information back.







The point is that ExPetr does not create a unique installation ID when it encrypts the files. Instead, the string shown in the victim's ransom note is a completely random set of characters. Perhaps the new version has nothing in common with the original Petya malware, since the original virus did create such an ID during installation. Here is the piece of code responsible for generating the ID.







The screenshot shows that the ID is generated randomly, which rules out any possibility of the victim obtaining a key to decrypt their files, even if such a key exists.







The attacker simply has no way to extract the information needed for decryption from a string of random characters. The 2016 version of Petya encrypted the disk in such a way that it could be decrypted with a key; all operations on files and disk sectors were performed correctly. But the 2017 Petya permanently damages the disks.





On the left is a section of the ExPetr code, which appears to have turned into a wiper.



Moreover, the ExPetr code contains a section responsible for the wiper functionality. When this code is activated, the virus completely erases user data: the malware overwrites the file location table (the Master File Table, MFT) and the master boot record (MBR) of the computer on which it is installed. This is a distinctive feature of the new virus and is uncharacteristic of ransomware.







Many cybersecurity experts agree with this assessment. For example, Matt Suiche of Comae Technologies says that Petya simply destroys data, as other wipers such as Shamoon do, and that the goal of the developers of such malware is completely different from that pursued by the creators of ransomware. With ransomware everything is simple: the attackers want money. With wipers the situation is more complicated; what their creators want, only they know.



Among the other features of the virus is a command to reboot the infected PC an hour after infection. The undocumented Windows API function NtRaiseHardError is used for this.

Source: https://habr.com/ru/post/370597/


