NotPetya ransom note

The bandwagon of cyber-security firms claiming that NotPetya was meant for destructive purposes is getting more crowded by the day, with three new additions from Cisco Talos, F-Secure, and Malwarebytes.

This theory was first put forward two days ago by security researchers from Comae Technologies and Kaspersky Lab, who found evidence that the ransomware was bungling its encryption routine and using random data to display the infection ID, respectively.

Both companies highlighted the fact that the NotPetya;s faulty encryption routine was making recovery impossible. Coupled with Ukraine's political context, many experts suggested this was a cyber-weapon designed to destroy as many systems as possible before a Ukrainian national holiday.

Malwarebytes, Cisco, and F-Secure issue reports

In the past two days, other cyber-security companies have confirmed the initial findings. For example, this is the conclusion of a Malwarebytes report published yesterday:

According to our current knowledge, the malware is intentionally corrupt in a way that the Salsa key was never meant to be restored. Nevertheless, it is still effective in making people pay ransom. [...] If you are a victim of this malware and you are thinking about paying the ransom, we warn you: Don’t do this. It is a scam and you will most probably never get your data back.

Cisco Talos also reached a similar conclusion in an update to their original NotPetya report:

Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated.

F-Secure also discovered and presented a few interesting wrinkles in its report. According to the company, NotPetya has three major components: (1) the user-mode component that encrypts a small subset of files and runs the other two components; (2) the MBR component that encrypts the MFT and rewrites the MBR; and (3) the network propagation component that uses WMIC, PsExec, and two NSA exploits to spread to LAN-connected computers.

The Finish antivirus maker says the only component that looked sophisticated, finished, and ready to go, was the network propagation module, meaning NotPetya's authors were more interested in making sure the ransomware reaches as many people as possible.

Similarly, just like Kaspersky, Comae, Cisco, and Malwarebytes before it, F-Secure also confirmed that "decryption of files is not possible," and also said it's becoming less and less skeptical about the possibility of NotPetya being a "nation state" attack.

NotPetya victims got the message

All these reports about the ransomware's faulty encryption seem to have reached NotPetya victims, who stopped paying ransoms two days ago.