The Case for Petya

You’ve heard of the duck test: If it walks like a duck and quacks like a duck, it is one. Here’s the list of similarities that the recent attack shares with the ransomware already known as Petya, straight from Forcepoint Security Labs’ sample analysis. According to them, the new attack can:

Encrypt files on disk without changing the file extension;
Forcibly reboot the machine upon infection;
Encrypt the Master Boot Record on affected machines;
Present a fake CHKDSK screen as a cover for the encryption process; and
Present a near-identical ransom demand screen after completing its activities.

In short, the attack operates using the same tactics as Petya has historically used.

The Case for NotPetya

However, the attack might not even qualify as “ransomware.” That term refers to attacks that hold data for ransom, returning it if the victim is willing to pay the bitcoins demanded to regain access to its sensitive data. The new attack, apparently, is destroying information outright. Here’s a post from Matt Suiche, founder of Comae Technologies, which explains the difference between ransomware and a “wiper”:

“While the 2016 Petya attacks modified data in a way that allows that data to be recovered, 2017 Petya does an amount of irreversible damage. An email address was once available to send ransoms — triggering the press to cover the attack as if it were ransomware — but it has since gone defunct. Regardless of whether you call it Petya or NotPetya, it’s the same threat, and you should take the preventative measures we outlined yesterday in order to keep yourself moderately safe from nation states’ future attacks. […] The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.”