Analysts at Kaspersky Lab have done some digging into the NotPetya ransomware that has infected PCs around the world this week and discovered something interesting.
While initial reports (including our own) suggested that the ransomware was similar to Petya – hence being christened with the name NotPetya – Kaspersky has said that aside from a few similar strings, the ransomware is entirely different from its namesake.
“Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before,” said the firm.
“We have named it ExPetr.”
At the time of writing, Kaspersky has identified close to 2 000 users that have been hit with ExPetr, with organisations in Russia and Ukraine accounting for the largest portion of compromises.
The firm has also registered hits in Poland, Italy, Germany, France, the US and the UK.
Your data might be gone forever
After analysing the ransomware, Kaspersky Lab indicates that users hoping to get their data back are in for a fight.
“We have analysed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk threat actors need the installation ID,” Kaspersky said.
“ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”
The purpose of ExPetr, then, remains the same as earlier reports suggested – this ransomware is meant to destroy data, and it appears to be doing a good job of that.
Kaspersky Lab has advised that companies and even home users ensure Windows is up to date (Windows 7 and XP users can download the MS17-010 patch manually) and that regular backups are made to prevent data loss.
In the meantime, Kaspersky Lab has said it will continue to analyse the code to see whether data locked down by ExPetr can be decrypted, with the intent of creating a decryption tool.