The virus that began spreading through European computers yesterday informed users that they could unlock their machines by paying a $300 ransom. But it looks like the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t; the virus was designed to wipe computers outright.
Matt Suiche, founder of the cybersecurity firm Comae, writes in a blog post today that after analyzing the virus, known as Petya, his team determined that it was a “wiper,” not ransomware. “We can see the current version of Petya clearly got rewritten to be a wiper and not a actual ransomware,” Suiche writes.
The virus going around is a modified take on an earlier version of the Petya virus that was true ransomware. But Comae saw that code had been specifically modified to change it from a virus that encrypts a disk and demands a ransom into a virus that simply destroys the disk.
So then why purport to be ransomware? There’s no way to say for certain right now, but Suiche believes it was about hiding who was really behind the attack. “We believe the ransomware was in fact a lure to control the media narrative,” he writes, saying that ransomware suggests “some mysterious hacker group” being behind the virus “rather than a national state.”
That’s still speculation for now, but the virus did appear to primarily target Ukrainian infrastructure, including an electricity supplier, the central bank, the state telecom, and an airport. Analysis from Kaspersky Lab yesterday showed the virus remaining primarily in Ukraine.