NotPetya: A Sabotage Program In Malware’s Clothing
The NotPetya/GoldenEye virus that has been running rampant in the past few days is not really a malware program. Multiple firms and hacktivist groups have spent hundreds of hours analyzing its code, and it would appear that NotPetya isn’t as benign as it seemed. Any computer infected with NotPetya is unsalvageable, as there is currently no way to decrypt an infected system. The malicious part is that the creators of NotPetya can’t decrypt your lost files either.
The code for NotPetya produces a random string of code that it claims is your “Personal Installation Key.” The code behind this generation has been broken and studied, allowing for researchers to produce their own keys. In a test environment, they infected a system and then used the key to develop the decryption key. The key was useless, as it failed to decrypt any data at all. On further analysis, it was revealed that the Personal Installation Key, which should be similar to the encryption used, had no relation to it at all. This means that even if you paid the ransom to get your files decrypted, you would end up poorer and with a useless computer.
There is currently only one way to recover your files from an infected computer, and that is to turn the machine off as soon as you see the notice that your files need to be checked. This “check” is actually NotPetya starting up, and once you interact with the prompt or a short time after it appears your files will begin to encrypt. You should immediately turn off your computer and remove the power supply, this will stop NotPetya from encrypting your files. If you start your device back up however the encryption process will begin again. Instead, connect an external hard drive and a second computer to the infected machine. From there you can transfer your files to it, and they should be unencrypted still.
The fact that the files are unrecoverable implies that there was a far more sinister motive behind the release of NotPetya. Ransomware is fundamentally motivated by money, it’s a tool for the creator to bring in funds. Sabotageware is just destructive, it doesn’t exist to do anything other than to break systems. There is a real danger of this program destroying something critical before it can be stopped. If a control computer for major infrastructure projects or facilities were to be infected the damage could be catastrophic. Millions of records could be lost irrevocably, or control of vales and safety devices could be removed.
Cyberattacks like NotPetya are part of a growing trend of destructive attacks. Cyberattacks since the beginning of 2017 have stepped up their reach, potency and destructive potential. A major, worldwide cyberattack has occurred twice already. In both cases, these programs were based off older attack programs as well, and they utilized known vulnerabilities in older operating systems. While major companies such as Microsoft have pushed out security updates to patch this weakness, they are purely proactive. They can only respond to threats and very rarely will these patches eliminate the threat of a new attack. The key to defending against these kinds of attacks is to keep your system and antivirus software up to date, as well as not opening any suspicious emails.
Max is a Legal Assistant and author residing in the Philadelphia area He has been writing for AskCyberSecurity.com since early 2017.