The bandwagon of cyber-security firms claiming that NotPetya was meant for destructive purposes is getting more crowded by the day, with three new additions from Cisco Talos, F-Secure, and Malwarebytes.
This theory was first put forward two days ago by security researchers from Comae Technologies and Kaspersky Lab, who found evidence that the ransomware was bungling its encryption routine and using random data to display the infection ID, respectively.
Both companies highlighted the fact that NotPetya's faulty encryption routine made recovery impossible, even for the attackers themselves. Combined with Ukraine's political context, this led many experts to suggest the malware was a cyber-weapon designed to destroy as many systems as possible before a Ukrainian national holiday.
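The reasoning behind "a random installation ID means nobody can decrypt" can be made concrete. The following is an added example, not code from the article, Kaspersky, Comae, or NotPetya itself: it models a recoverable ransomware design in which the per-victim file key is wrapped with the operator's public key and that wrapped key is what the ransom note displays as the ID, then shows what happens when the displayed ID is unrelated random bytes instead. Textbook RSA and a SHA-256 counter-mode keystream are toy stand-ins chosen so the script runs on the Python standard library alone; every name, key size, and value in it is constructed for illustration.

```python
"""Toy model (added example, not NotPetya's real scheme) of why a random
ransom-note ID leaves even the operator unable to decrypt."""
import hashlib
import math
import os
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; probabilistic, fine for a toy key pair."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def operator_keypair(bits: int = 512):
    """Textbook RSA without padding: stand-in for the operator's key pair.
    Returns ((n, e), (n, d)). 512 bits is a toy size, chosen for speed."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def infect(pub, plaintext: bytes, faulty: bool):
    """Encrypt a victim's data and produce the ID shown on the ransom note."""
    n, e = pub
    file_key = os.urandom(32)                       # per-victim symmetric key
    ciphertext = keystream_xor(file_key, plaintext)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)   # key wrapped to operator
    real_id = wrapped.to_bytes((n.bit_length() + 7) // 8, "big").hex()
    # Working design: the note shows the wrapped key, so the operator can unwrap it.
    # Faulty design (what Kaspersky reported): the note shows unrelated random data.
    shown_id = os.urandom(len(real_id) // 2).hex() if faulty else real_id
    return ciphertext, shown_id


def operator_decrypt(priv, shown_id: str, ciphertext: bytes):
    """What the operator can do with only the ID the victim sent in."""
    n, d = priv
    unwrapped = pow(int.from_bytes(bytes.fromhex(shown_id), "big"), d, n)
    if unwrapped.bit_length() > 256:
        return None            # not a 32-byte key: the ID never carried one
    return keystream_xor(unwrapped.to_bytes(32, "big"), ciphertext)


def recovery_possible(faulty: bool, plaintext: bytes = b"constructed victim data") -> bool:
    """True if the operator, given only the displayed ID, gets the plaintext back."""
    pub, priv = operator_keypair()
    ciphertext, shown_id = infect(pub, plaintext, faulty)
    return operator_decrypt(priv, shown_id, ciphertext) == plaintext


if __name__ == "__main__":
    print("working design, operator can decrypt:", recovery_possible(False))
    print("random ID, operator can decrypt:    ", recovery_possible(True))
```

The point the model makes is structural rather than cryptographic: whether the files can ever be decrypted depends on the ID carrying the wrapped key, not on how strong the cipher is. Once the displayed ID is random, the ciphertext is unrecoverable regardless of whether the victim pays, which is exactly why the researchers read NotPetya as a wiper rather than a failed money-making scheme.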
In the past two days, other cyber-security companies have confirmed the initial findings. For example, this is the conclusion of a Malwarebytes report published yesterday:
Cisco Talos also reached a similar conclusion in an update to their original NotPetya report:
F-Secure also discovered and presented a few interesting wrinkles in its report. According to the company, NotPetya has three major components: (1) a user-mode component that encrypts a small subset of file types and launches the other two; (2) an MBR component that encrypts the MFT and rewrites the MBR, leaving the machine unbootable; and (3) a network propagation component that uses WMIC, PsExec, and two NSA exploits to spread to other computers on the local network.
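The two living-off-the-land tools F-Secure names for the propagation module, PsExec and WMIC, leave recognisable traces in Windows event logs, and that is where a defender would look first. The following is an added detection example, not code from F-Secure or the article: it runs two rules over constructed event records, one for the PSEXESVC service that stock PsExec installs on a target (System log, Event ID 7045, "A service was installed in the system") and one for `wmic /node:... process call create` remote execution (Security log Event ID 4688, or Sysmon Event ID 1). The hostnames, paths, and field layout are made up for the example; the rule logic is the point.

```python
"""Added example: flag PsExec and WMIC lateral movement in flattened
Windows event records. Sample records below are constructed, not real telemetry."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample events. 7045 = System "A service was installed in the system";
# 4688 = Security "A new process has been created".
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 7045, "host": "WS-017", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "WS-017", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},          # benign
    {"id": 4688, "host": "WS-003",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.52" /user:"CORP\svc_backup" '
                r'/password:"Hunter2" process call create "C:\Windows\Temp\stage.exe"'},
    {"id": 4688, "host": "WS-003",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                           # local query, benign
    {"id": 4688, "host": "WS-009",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                                # benign
]

WMIC_REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
WMIC_PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def is_psexec_service_install(ev: Dict[str, object]) -> bool:
    """Stock PsExec registers a service named PSEXESVC whose binary is
    PSEXESVC.exe dropped into the system root of the target."""
    if ev.get("id") != 7045:
        return False
    svc = str(ev.get("service_name", ""))
    exe = ntpath.basename(str(ev.get("image_path", "")))
    return svc.upper() == "PSEXESVC" or exe.upper() == "PSEXESVC.EXE"


def is_wmic_remote_process_create(ev: Dict[str, object]) -> bool:
    """WMIC pointed at a remote host (/node:) that creates a process there.
    Fires on the source machine, where the wmic.exe process was created."""
    if ev.get("id") != 4688:
        return False
    if ntpath.basename(str(ev.get("image", ""))).lower() != "wmic.exe":
        return False
    cmd = str(ev.get("cmdline", ""))
    return bool(WMIC_REMOTE_NODE.search(cmd) and WMIC_PROCESS_CREATE.search(cmd))


def detect_lateral_movement(events) -> List[Tuple[str, str, str]]:
    """Return (host, technique, evidence) for every record a rule matches."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if is_psexec_service_install(ev):
            alerts.append((str(ev["host"]), "psexec_service_install",
                           str(ev.get("image_path", ""))))
        elif is_wmic_remote_process_create(ev):
            alerts.append((str(ev["host"]), "wmic_remote_process_create",
                           str(ev.get("cmdline", ""))))
    return alerts


if __name__ == "__main__":
    for host, technique, evidence in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}\t{technique}\t{evidence}")
```

Two caveats a practitioner should keep in mind. PsExec's -r switch renames the service, so the name-based rule misses a renamed copy; correlating any Event ID 7045 whose binary sits directly in the system root with a preceding inbound SMB session is a more robust, if noisier, version of the same idea. And the third path F-Secure describes, the two NSA exploits, leaves no service or process artefact on the source host at all, so host-side rules like these need to be paired with network-side SMB detection.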
The Finnish antivirus maker says the only component that looked sophisticated, finished, and ready to go was the network propagation module, which suggests NotPetya's authors cared most about making sure the malware reached as many computers as possible.
Like Kaspersky, Comae, Cisco, and Malwarebytes before it, F-Secure also confirmed that "decryption of files is not possible," and said it is becoming less and less skeptical of the possibility that NotPetya was a "nation state" attack.
All these reports about the ransomware's faulty encryption seem to have reached NotPetya victims, who stopped paying ransoms two days ago.