{"id":2006,"date":"2017-07-03T11:17:56","date_gmt":"2017-07-03T11:17:56","guid":{"rendered":"https:\/\/antivirus.comodo.com\/blog\/?p=2006"},"modified":"2020-08-18T23:02:19","modified_gmt":"2020-08-18T17:32:19","slug":"data-destroying-notpetya-masquerades-ransomware","status":"publish","type":"post","link":"https:\/\/antivirus.comodo.com\/blog\/comodo-news\/data-destroying-notpetya-masquerades-ransomware\/","title":{"rendered":"Data Destroying “NotPetya” Masquerades as Ransomware"},"content":{"rendered":"

Did the NotPetya Ransomware Have More Ulterior Motives?<\/strong><\/p>\n

Is the “NotPetya Ransomware” much more than a deadly ransomware? Also being called as Petya, ExPetr, SortaPetya, Petrwrap, Goldeneye, Nyetya, “WannaCry’s bad cousin”, etc…, this global attack has led to shutting down of machines, offices, firms, factories and ports in many countries. Cyber security experts suggest that the “ransomware”<\/a> disguise could have been to mislead organizations, cyber security experts, the press and public until a considerable amount of data had been destroyed.<\/p>\n

\"antivirus<\/p>\n

A Wiper Rather Than a Ransomware<\/strong><\/p>\n

Cyber security analysts poring over its code and how it works inferred that the ransomware threat was just an eyewash. The malware code has “discrepancies” (intentional or otherwise) that would prevent decryption of the encrypted data even if the key was available. NotPetya seems to be a “wiper” \u2013 a destroyer of data, having no idea of allowing any recovery of data. So, even if a victim was willing to pay the demanded ransom, there was no way of recovering the data. Only solution: Recover from backup.<\/p>\n

The NotPetya Ransomware spread worldwide at an alarming rate. Initially, it was believed to be a sophisticated strain of the WannaCry ransomware<\/a> outbreak that had earlier inflicted significant damage affecting networks and systems all over the globe. The reason: NotPetya exploited the same vulnerability in Microsoft Windows operating systems. Later observations, however, revealed that this attack could be a new strain of the Petya encrypting ransomware that had first been detected in 2016.<\/p>\n

The NotPetya Strain<\/strong><\/p>\n

Once the NotPetya malware enters a system\/machine, it waits for a certain period of time during which period it is believed to be stealing credentials (administrative passwords), studying the network and spreading to other computer systems. Then it restarts the infected computer and during the booting process, it displays a screen that – “CHKDSK is running” -, while actually, it is replacing the computer\u2019s Master Boot Record to prevent the user from accessing the operating system, and then encrypting the Master File Table. NotPetya then goes on to encrypt all data on the disk.<\/p>\n

The Capabilities of NotPetya<\/strong><\/p>\n