{
	"id": "d59c3ca1-1764-4b52-9c5e-5cc343e22717",
	"created_at": "2026-04-06T00:08:25.850368Z",
	"updated_at": "2026-04-10T03:21:19.487027Z",
	"deleted_at": null,
	"sha1_hash": "2a2486e9a226fb4b2715d2f39e97e6febe4580a8",
	"title": "NonPetya: no evidence it was a \"smokescreen\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37497,
	"plain_text": "NonPetya: no evidence it was a \"smokescreen\"\r\nArchived: 2026-04-05 14:06:08 UTC\r\nMany well-regarded experts claim that the not-Petya ransomware wasn't \"ransomware\" at all, but a \"wiper\" whose\r\ngoal was to destroy files, without any intent at letting victims recover their files. I want to point out that there is no\r\nreal evidence of this.\r\nCertainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made\r\nseveral mistakes that prevent them from ever decrypting drives. Their email account was shutdown, and it corrupts\r\nthe boot sector.\r\nBut these things aren't evidence, they are problems. They are things needing explanation, not things that support\r\nour preferred conspiracy theory.\r\nThe simplest, Occam's Razor explanation explanation is that they were simple mistakes. Such mistakes are\r\ncommon among ransomware. We think of virus writers as professional software developers who thoroughly test\r\ntheir code. Decades of evidence show the opposite, that such software is of poor quality with shockingly bad bugs.\r\nIt's true that effectively, nPetya is a wiper. Matthieu Suiche does a great job describing one flaw that prevents it\r\nworking. @hasherezade does a great job explaining another flaw.  But best explanation isn't that this is intentional.\r\nEven if these bugs didn't exist, it'd still be a wiper if the perpetrators simply ignored the decryption requests. They\r\nneed not intentionally make the decryption fail.\r\nThus, the simpler explanation is that it's simply a bug. Ransomware authors test the bits they care about, and test\r\nless well the bits they don't. It's quite plausible to believe that just before shipping the code, they'd add a few extra\r\nfeatures, and forget to regression test the entire suite. I mean, I do that all the time with my code.\r\nSome have pointed to the sophistication of the code as proof that such simple errors are unlikely. 
This isn't true.\r\nWhile it's more sophisticated than WannaCry, it's about average for the current state-of-the-art for ransomware in\r\ngeneral. What people think of, such as the Petya base, or using PsExec to spread throughout a Windows domain, is\r\nalready at least a year old.\r\nIndeed, the use of PsExec itself is a bit clumsy, when the code for doing the same thing is already public. It's just a\r\nfew calls to basic Windows networking APIs. A sophisticated virus would do this itself, rather than clumsily use\r\nPsExec.\r\nInfamy doesn't mean skill. People keep making the mistake that the more widespread something is in the news,\r\nthe more skill, the more of a \"conspiracy\" there must be behind it. This is not true. Virus/worm writers often do\r\nnewsworthy things by accident. Indeed, the history of worms, starting with the Morris Worm, has been things\r\nrunning out of control more than the author's expectations.\r\nWhat makes nPetya newsworthy isn't the EternalBlue exploit or the wiper feature. Instead, the creators got lucky\r\nwith MeDoc. The software is used by every major organization in the Ukraine, and at the same time, their website\r\nwas horribly insecure -- laughably insecure. Furthermore, its autoupdate feature didn't check cryptographic\r\nsignatures. No hacker can plan for this level of widespread incompetence -- it's just extreme luck.\r\nThus, the effect of bumbling around is something that hit the Ukraine pretty hard, but it's not necessarily the intent\r\nof the creators. It's like how the Slammer worm hit South Korea pretty hard, or how the Witty worm hit the DoD\r\npretty hard. These things look \"targeted\", especially to the victims, but it was by pure chance (provably so, in the\r\ncase of Witty).\r\nCertainly, MeDoc was targeted. But then, targeting a single organization is the norm for ransomware. 
They have\r\nto do it that way, giving each target a different Bitcoin address for payment. That it then spread to the entire\r\nUkraine, and further, is the sort of thing that typically surprises worm writers.\r\nFinally, there's little reason to believe that there needs to be a \"smokescreen\". Russian hackers are targeting the\r\nUkraine all the time. Whether Russian hackers are to blame for \"ransomware\" vs. \"wiper\" makes little difference.\r\nConclusion\r\nWe know that Russian hackers are constantly targeting the Ukraine. Therefore, the theory that this was nPetya's\r\ngoal all along, to destroy Ukraine's computers, is a good one.\r\nYet, there's no actual \"evidence\" of this. nPetya's issues are just as easily explained by normal software bugs. The\r\nsmokescreen isn't needed. The boot record bug isn't needed. The single email address that was shut down isn't\r\nsignificant, since half of all ransomware uses the same technique.\r\nThe experts who disagree with me are really smart/experienced people who you should generally trust. It's just\r\nthat I can't see their evidence.\r\nUpdate: I wrote another blogpost about \"survivorship bias\", refuting the claim by many experts talking about the\r\nsophistication of the spreading feature.\r\nUpdate: comment asks \"why is there no Internet spreading code?\". The answer is \"I don't know\", but\r\nunanswerable questions aren't evidence of a conspiracy. \"Why aren't there any stars in the background?\" isn't\r\nproof the moon landings are fake, just because you can't answer the question. One guess is that you never want\r\nransomware to spread that far, until you've figured out how to get payment from so many people.\r\nSource: http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html"
	],
	"report_names": [
		"nonpetya-no-evidence-it-was-smokescreen.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a2486e9a226fb4b2715d2f39e97e6febe4580a8.pdf",
		"text": "https://archive.orkl.eu/2a2486e9a226fb4b2715d2f39e97e6febe4580a8.txt",
		"img": "https://archive.orkl.eu/2a2486e9a226fb4b2715d2f39e97e6febe4580a8.jpg"
	}
}