from the achievement-unlocked dept.
Submitted via IRC for Bytram
The master decryption key for last year's Petya ransomware was made public last week and has since been confirmed to be genuine.
Petya ransomware first emerged in March 2016, distinguishing itself from similar malware by encrypting the Master Boot Record (MBR) instead of individual files. Soon after its initial appearance, Petya was paired with another ransomware, and the pair became available as a service a couple of months later.
The last known variant of the malware was spotted in December 2016 and was referred to as GoldenEye. Dubbed PetrWrap, a ransomware family observed in March this year was using Petya for its nefarious purposes, but wasn't created by Janus Cybercrime Solutions, the name Petya's author goes by.
[...] Kaspersky security researcher Anton Ivanov has already confirmed that the key works for all Petya versions, including GoldenEye.
The release of the master decryption key is great news for those Petya victims who were unable to restore their files to date. Last year, security researchers managed to crack the first two versions of the ransomware, and the only variant not decrypted before was GoldenEye.
"Thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back," Hasherezade explains.
The newly released master key, however, won't help users hit by NotPetya.
The key is for the original Petya, not NotPetya.
The Insurance Journal is asking if the NotPetya Windows worm was an act of war. If so, that would change any potential obligations carried by insurance policies towards claimants, in this case Merck & Co. NotPetya took over Windows computers in 2017 but was apparently originally intended to target Ukrainian Windows computers. The rest of the Windows computers may have just been collateral damage.
By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.
It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.
The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.
In all, the attack crippled more than 30,000 laptop and desktop [Windows] computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she'd lost 15 years of work. Near Dellapena's suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. "For two weeks, there was nothing being done," Dellapena recalls. "Merck is huge. It seemed crazy that something like this could happen."
Earlier on SN:
Windows 7 and Server 2008 End of Support: What Will Change on 14 January? (2020)
Cyber Insurance claims NotPetya was an act of war (2019)
Original Petya Master Decryption Key Released (2017)
The knock-on effects for the rest of the world might not be limited to intentional reprisals by Russian operatives. Unlike old-fashioned war, cyberwar is not confined by borders and can more easily spiral out of control.
Ukraine has been on the receiving end of aggressive Russian cyber operations for the last decade and has suffered invasion and military intervention from Moscow since 2014. In 2015 and 2016, Russian hackers attacked Ukraine's power grid and turned out the lights in the capital city of Kyiv, unparalleled acts that haven't been carried out anywhere else before or since.
The 2017 NotPetya cyberattack, once again ordered by Moscow, was directed initially at Ukrainian private companies before it spilled over and destroyed systems around the world.
NotPetya masqueraded as ransomware, but in fact it was a purely destructive and highly viral piece of code. The destructive malware seen in Ukraine last week, now known as WhisperGate, also pretended to be ransomware while aiming to destroy key data that renders machines inoperable. Experts say WhisperGate is "reminiscent" of NotPetya, down to the technical processes that achieve destruction, but that there are notable differences. For one, WhisperGate is less sophisticated and is not designed to spread rapidly in the same way. Russia has denied involvement, and no definitive link points to Moscow.