
'Janus' resurfaces: I was behind the original Petya. I want to help with NotPetya

Ordinary decent cybercriminal... or?

By John Leyden, 29 Jun 2017

A Twitter user purporting to speak for the cybercrime group behind the original Petya ransomware has claimed they want to help "repair" the damage caused by this week's attack.

The Twitter account Janus Cybercrime Solutions (@JanusSecretary), which went dark for a time after the original Petya outbreak, was reactivated on Thursday – and it's not down with the chaos caused in Ukraine and beyond this week following the spread of somewhat similar code that encrypted compromised systems.

"we're back havin a look in "notpetya" maybe it's crackable with our privkey #petya @hasherezade sadly missed ;)," said the Twitter update.

Independent security experts said that differences between how the latest nasty and the original malware work mean that the assistance of the original malware's author or authors, even if genuine, is unlikely to be much help.

Security researcher Hasherezade offered a code sample comparison (the earlier sample is from Malwarebytes).

The malware unleashed this week, variously tagged Petya, NotPetya, Mischa or Goldeneye, shares similarities with the original Petya, but security experts are increasingly coming around to the view that it's a tool for sabotage rather than conventional ransomware (or a wiper masquerading as ransomware, as Kaspersky Lab puts it).

The threat actor cannot decrypt victims' disks even if a payment was made, according to Kaspersky. This is not only because the email address through which victims were supposed to contact the miscreants behind the attack has been deactivated; it also follows from how NotPetya's encryption routine works.

We have analysed the high-level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims' disks. To decrypt a victim's disk threat actors need the installation ID. In previous versions of "similar" ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.

ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.

NotPetya encrypts the Master File Table (MFT) on compromised PCs and then discards the key it used to do so, other experts point out.

"#Petya actually deletes its own MFT encryption key, making decryption virtually impossible, even for the author. #NotRansomware," said Rik Ferguson, VP of security research at Trend Micro.
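Why the original author's private key could unlock a Petya victim but not a NotPetya one comes down to what the installation ID carries. The Python below is an added illustration written for this page, not code from either malware family: it models the escrow step with a toy Diffie-Hellman group (p = 2**255 - 19, g = 2, chosen for convenience and not a vetted group) and a SHA-256 counter-mode keystream standing in for the real disk cipher, and contrasts an ID that wraps the per-victim disk key under the attacker's public key with an ID that is random filler while the key is wiped. The actual curve, cipher and ID layout used by the malware are not reproduced here; the sample MFT bytes are constructed test data.

```python
from __future__ import annotations

import hashlib
import secrets

# Toy Diffie-Hellman group for the wrapping step. Assumption: illustrative
# only; p = 2**255 - 19 is prime, but this is not a vetted DH group.
P = 2**255 - 19
G = 2


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Stand-in for the stream cipher applied to the MFT; because it is a pure
    XOR, the same call both encrypts and decrypts.
    """
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def attacker_keypair() -> tuple[int, int]:
    """Long-term keypair held by the extortionist; only the public half
    ships inside the malware."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def petya_style_infect(mft: bytes, attacker_pub: int) -> tuple[bytes, bytes]:
    """Original-Petya-style escrow: the per-victim disk key is wrapped under
    a secret shared with the attacker's public key, and the ephemeral public
    value plus the wrapped key become the installation ID."""
    disk_key = secrets.token_bytes(32)
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    shared = pow(attacker_pub, eph_priv, P).to_bytes(32, "big")
    wrap_key = hashlib.sha256(b"wrap" + shared).digest()
    installation_id = eph_pub.to_bytes(32, "big") + keystream_xor(wrap_key, disk_key)
    ciphertext = keystream_xor(disk_key, mft)
    # The local copy of disk_key goes away here too, but the ID still carries
    # everything the private-key holder needs to rebuild it.
    return installation_id, ciphertext


def notpetya_style_infect(mft: bytes) -> tuple[bytes, bytes]:
    """NotPetya-style: the installation ID is random filler with no key
    material in it, and the only copy of the disk key is wiped after use."""
    disk_key = bytearray(secrets.token_bytes(32))
    installation_id = secrets.token_bytes(64)
    ciphertext = keystream_xor(bytes(disk_key), mft)
    for i in range(len(disk_key)):  # explicit wipe of the only copy
        disk_key[i] = 0
    return installation_id, ciphertext


def recover_disk_key(installation_id: bytes, attacker_priv: int) -> bytes:
    """What the private-key holder does with an installation ID: derive the
    shared secret and unwrap the 32 bytes that follow the ephemeral value."""
    eph_pub = int.from_bytes(installation_id[:32], "big")
    shared = pow(eph_pub, attacker_priv, P).to_bytes(32, "big")
    wrap_key = hashlib.sha256(b"wrap" + shared).digest()
    return keystream_xor(wrap_key, installation_id[32:64])


def demo() -> tuple[bool, bool]:
    """Run both schemes on a constructed MFT blob and report whether the
    private key recovers the plaintext in each case."""
    mft = b"FILE0 sample MFT record (constructed test data) " * 4
    priv, pub = attacker_keypair()

    vid, ct = petya_style_infect(mft, pub)
    petya_recovered = keystream_xor(recover_disk_key(vid, priv), ct) == mft

    vid, ct = notpetya_style_infect(mft)
    notpetya_recovered = keystream_xor(recover_disk_key(vid, priv), ct) == mft

    return petya_recovered, notpetya_recovered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is False because the "unwrapped" value is just a hash of unrelated random bytes: with no key material in the ID and the real key overwritten, the private key gives the decryptor nothing to work with, which is the point Kaspersky and Ferguson are making.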

NotPetya was designed to spread quickly and cause the maximum amount of damage. An antidote might yet be developed but the assistance of the authors of the original Petya nasty wouldn't make much difference either way.

"Regular ransomware authors must be terribly frustrated that NotPetya did damage to their reputation of 'pay and you'll get your files back'," joked Martijn Grooten, editor of industry journal Virus Bulletin in a Twitter update. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing