‘Little Hope’ to Recover Data Lost to Petya Ransomware

Researchers at Kaspersky Lab have discovered an error in the ExPetr ransomware code that prevents recovery of lost data.

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend.

Fewer than 50 ExPetr/Petya ransomware victims have paid approximately $10,200 in Bitcoin so far in the hopes of unlocking encrypted hardware and recovering scrambled files.

It’s likely not going to matter much.

Researchers at Kaspersky Lab have discovered an error in the malware’s code that prevents recovery of data. This, combined with the actions of German email provider Posteo in shutting down the attacker’s email address preventing victims from contacting the attacker in order to verifying payments, has left thousands of victims in dire straits.

“Our analysis indicates there is little hope for victims to recover their data,” Kaspersky Lab said in a statement. “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

The issue is the lack of an installation ID that contains the information necessary for key recovery, Kaspersky Lab said. The original Petya infections, for example, contained the necessary installation ID.

“ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption,” Kaspersky Lab said. “In short, victims could not recover their data.”

The ransomware contains a wiper component that overwrites the Master File Table and Master Boot Record of infected machines. This type of destructive behavior is atypical of ransomware and has led one prominent researcher to speculate that the ransomware aspect of Tuesday’s attack was a cover.

“The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Comae Technologies’ Matt Suiche wrote in an¬†analysis¬†published today. “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”

Meanwhile, the ShadowBrokers, the mysterious group responsible for the leak of the NSA exploits responsible for spreading yesterday’s ransomware as well as WannaCry, took a new, more hostile tone in a post today.

The messaging was part marketing of its monthly data dump subscription service and part attack against a person on Twitter it refers to as “Doctor.” The ShadowBrokers allege this individual is a former NSA Tailored Access Operations agent who carried out operations against interests in China.

The ShadowBrokers say “Doctor” is the cofounder of a new venture-funded security company and threaten if this person does not subscribe to its July dump, the group may dox him. From today’s announcement:

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ persons choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company.”

The ShadowBrokers also said it has received small payments from a hidden service URL which the group called out as possibly being the FBI. A comment posted to the ShadowBrokers’ site, however, refutes that allegation and claims they are instead an operator on the Dark Web and the payment was a gesture toward a future business relationship.

Suggested articles