# ExPetr/Petya/NotPetya is a Wiper, Not Ransomware **[securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/](https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/)** [Incidents](https://securelist.com/category/incidents/) [Incidents](https://securelist.com/category/incidents/) 28 Jun 2017 minute read ----- Authors Anton Ivanov [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) [After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks,](https://securelist.com/schroedingers-petya/78870/) we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made. This supports the theory that this malware campaign was not designed as a ransomware [attack for financial gain. Instead, it appears it was designed as a wiper pretending to be](https://securelist.com/destructive-malware-five-wipers-in-the-spotlight/58194/) ransomware. ----- Below the technical details are presented. First, in order to decrypt victim s disk the attackers need the installation ID: In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contains crucial information for the key recovery. After sending this information to the attacker they can extract the decryption key using their private key. Here’s how this installation ID is generated in the ExPetr ransomware: This installation ID in our test case is built using the CryptGenRandom function, which is basically generating random data. ----- The following buffer contains the randomly generated data in an encoded “BASE58” format: If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the **ransom screen is just plain random data.** That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID. What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive. Our friend Matt Suiche from Comae Technologies independently came to the same conclusion. ----- [Data Encryption](https://securelist.com/tag/data-encryption/) [Malware Descriptions](https://securelist.com/tag/malware-descriptions/) [Petya](https://securelist.com/tag/petya/) [Ransomware](https://securelist.com/tag/ransomware/) [Wiper](https://securelist.com/tag/wiper/) Authors Anton Ivanov [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) ExPetr/Petya/NotPetya is a Wiper, Not Ransomware ----- Your email address will not be published. Required fields are marked * GReAT webinars 13 May 2021, 1:00pm ## GReAT Ideas. Balalaika Edition 26 Feb 2021, 12:00pm 17 Jun 2020, 1:00pm 26 Aug 2020, 2:00pm 22 Jul 2020, 2:00pm From the same authors ## Sodin ransomware exploits Windows vulnerability and processor architecture ----- ## KeyPass ransomware SynAck targeted ransomware uses the Doppelgänging technique ----- ## Mining is the new black Bad Rabbit ransomware Subscribe to our weekly e-mails ----- The hottest research right in your inbox Reports ## APT trends report Q1 2022 This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022. ## Lazarus Trojanized DeFi app for delivering malware We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. ----- ## MoonBounce: the dark side of UEFI firmware At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. ## The BlueNoroff cryptocurrency hunt is still on It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----