The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

The NotPetya ransomware first appeared in Ukraine earlier this week, affecting various institutions including airports, before spreading worldwide, hitting more than 2,000 organisations. Unlike the original Petya, though, this variant appears to only have damaging intentions, according to analysis by Malwarebytes (and separately by Kaspersky).

The initial attack occurs in the same way as Petya: the beginning of the disk is overwritten by the Peta kernel and bootloader, and the Master File Table is encrypted with Salsa20. That is the low-level part.

New logic has been implemented in the high-level part of NotPetya (the Windows executable). In the past, the Salsa ransom key was restored and the victim could decrypt the Master File Table. However, with NotPetya the key appears to be unrecoverable, and the files are gone forever.

After encryption, Malwarebytes discovered that the victim’s Salsa key is erased from the disk. In previous versions of Petya, the victim ID was the Salsa key, encrypted and converted to Base58 string – that meant that a backup of the key was there, accessible only to the attackers.

However, with the new variant the victim ID is generated randomly, before the Salsa key is made – there is no relationship between the two.

Malwarebytes concludes that NotPetya is intentionally corrupt. Victims that pay the ransom (about $300 in Bitcoin) have no cause for doing so – their files cannot be recovered. Despite this, payments have been made to the account.

Like Petya, NotPetya moves laterally within a network: a single infected machine is all that it takes. Microsoft has written an in-depth analysis of this in a blog, with a follow-up article discussing the global spread. More than 70 per cent of affected machines were in Ukraine, and most infections were observed in Windows 7 computers.