The NotPetya malware isn’t ransomware, it’s a cyberweapon designed to destroy data: Experts

CERT-LatestNews KasperskyNews Malware ThreatsCybercrime ThreatsStrategic

The 27 June malware attack that crippled computers around the world was thought to be ransomware at first, but as it turns out, it’s much more than that.

The initial infections by the malware suggested that it was based on the Petya malware that infected PCs in 2016. It was later discovered that this malware only resembles Petya in function. A number of cyber security researchers including those at Kaspersky Labs and Check Point Software, came to the conclusion that the malware destroys data rather than encrypt it. Ransomware would not do this.



Once a PC is infected, the malware forces it to shut down and then demands a ransom of $300 in Bitcoin for access to the PC. The affected user is also asked to send a 60-digit, alphanumeric, case sensitive key to an email ID ([email protected]). As ArsTechnica points out, this is also not normal for ransomware. Asking users to enter a complicated key would normally turn people off. If the purpose of the malware was to make money, this step wouldn’t have been included.

We would also like to clarify that there is a great deal of confusion surrounding the name of the malware. While it was originally dubbed Petya, the recent discoveries have now earned it the name of NotPetya. For the sake of convenience, we will refer to this malware as NotPetya.

NotPetya is, well, not Petya

If this malware was based on Petya, the data would still be recoverable. 2016’s Petya malware only encrypted a computer’s Master Boot Record (MBR) and Master File Table (MFT), which meant that the data was recoverable with the right key. NotPetya deletes the MFT and overwrites the MBR with custom code responsible for the ransom message that people see. The data on the hard disk is rendered unreadable.

The MBR and MFT are critical to a system’s operation. Think of them as ledgers that store the location of every single bit of data on your hard disk. Without that ledger, there will be no record of the data stored on the disk. For all intents and purposes, your disk now contains utterly random bits of data.



While it is possible to recover your your data and MBR in certain conditions, it’s by no means guaranteed and the data is as good as lost.

This is the first pointer that the malware is more than just ransomware. The second pointer is the fact that the email ID mentioned in the ransom letter went down on Tuesday itself. The third, and most damning pointer, as reported by ArsTechnica is the fact that the malware was specifically designed to target the update mechanism for M.E. Doc, an accounting application used by Ukranian businesses to file their tax returns.

M.E.Doc issued a statement on its Facebook page stating that the software’s update mechanism was not compromised. The statement is in Russian, and loosely translated, suggests that the virus only spread and infected PCs via infected attachments, Windows exploits, etc. In the statement, the company claims that its code is safe and that its latest update is also safe.


A researcher who goes by the name of ‘the grugq’ published a detailed explanation of the malware’s functioning on Medium. He points out that “the code is well written”, unlike the sloppy code that made up WCry, and was designed to thwart antivirus (AV) programs. At the same time, the mechanism for collecting payments is extremely sloppy, says grugq.

At this point, there is no doubt that the malware targets M.E.Doc and by extension, Ukraine.

Closer to home, the infection that crippled operations at the APM Maersk terminal at Jawaharlal Nehru Port Trust (JNPT) — the rest of the port’s systems don’t seem to be infected — is likely to have been caused by Maersk’s use of the M.E.Doc application. This isn’t confirmed, but a job opening for an M.E. Doc expert posted by Maersk on 27 June suggests that the infection and the app are connected.

A report on Forbes also seems to suggest that any infections outside of Russia and Ukraine are likely caused by a M.E.Doc infection than by other means.

Image: Kaspersky Labs

Image: Kaspersky Labs

Image: Kaspersky Labs

Lastly, data gathered by Kaspersky Labs on 27 June clearly indicates that the malware is targeting Ukraine.

Putting all these pointers together, there is only one conclusion that can be drawn. Ukraine has been the victim of a state-sponsored terrorist attack.

NotPetya is a cyberweapon, not ransomware.

Publish date: June 29, 2017 9:57 am| Modified date: June 29, 2017 9:57 am

Tags: , , , , , , ,