The ransomware used code from Petya
The ransomware used code from Petya

Although yesterday's attacked has been widely dubbed a “Petya” attack, researchers are already beginning to question whether the ransomware used was really Petya at all.

Kaspersky Lab, have bluntly dubbed the ransomware NotPetya. Vyacheslav Zakorzhevsky, head of anti-malware team at Kaspersky Lab told SC Media UK yesterday, “Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.”

Today, Zakorzhevsky updated his previous analysis, adding, “while it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr.”

Bitdefender maintain, as the company first reported, that the ransomware used is GoldenEye, an improved version of Petya. GoldenEye, Bitdefender reasons, shares chunks of code with Petya, and combines components from Petya, WannaCry and other versions of GoldenEye, making it a new threat.

While many agree that it shares characteristics with Petya, fewer are comfortable with labelling it that outright. Chris Wysopal, CTO at Veracode told SC that “this attack has similar characteristics of Petya, but I believe Kaspersky is right that it is not in fact Petya and is completely new.” He noted that when you plug this piece of ransomware into VirusTotal, only two anti-virus vendors could detect it, “so it is likely that many systems are defenceless.” Classic Petya, unlike this, would have shown up in many more. “This shows how easy it is for malware writers to bypass endpoint security by modifying any code they are reusing.”  

MalwareTech, the security researcher that shut down last month's WannaCry attacks by finding its “killswitch”, expanded on this apparently frankensteined piece of ransomware. He noted that this piece of ransomware encrypts a targeted endpoint's Master Boot Record, a signature move for Petya, “in a way which is very similar to Petya and not commonly used in other ransomware.”

Fabian Wosar, an Emsisoft security researcher, wrote in a blogpost on MalwareTech's site that of Petya's key components, only the boot loader comes from Petya. Whoever created NotPetya most likely “ripped the boot loader code straight out of Petya and uses it for their own purposes now. But they implemented their own ransomware, their own worm, their own dropper, and pretty much everything else on top of it.”

Hasherezade, a Polish software engineer and malware analyst known for her work on analysing Petya ransomware, tweeted that although there are cosmetic differences, not a great deal has changed.

She later added in a note posted to Twitter that, the dropper to Petya has often changed between versions: “I think looking from the historical perspective it is fair to call it a new step in the evolution of Petya.”

“The superficial resemblance to Petya is only skin deep,” said security researcher, The Grugq, as he noted that the difference is more profound than a mere name or chunk of code. “The real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware'.”