Over the past week, Petya has continued to unravel, with more and more details emerging about the global cyberattack each day. At first, Petya was believed to be the next WannaCry, until experts soon determined the malware was intended for destruction rather than profit, destroying files while using a faux ransom with no ability to recover files. Since then, the cybercriminals made their first public statement and added to the confusion by offering a master decryption key for the encrypted files in exchange for 100 bitcoin or roughly $250,000 USD.
Some users may feel obligated to pay the ransom to recover what they can. There’s a large chance victims wouldn’t even get their files back if they paid, as there is no guarantee that the authors will hold up their end of the bargain. This message, which was left on the Tor-only announcement service DeepPaste, more likely is an attempt by these cybercriminals to add to the global confusion and create a smoke screen, concealing their true intentions. These offers should not be trusted.
Why is this message more likely a cover-up, rather than proof that Petya could actually be ransomware after all? First, as we outlined in previous analysis, the victim ID that existed in previous variants of Petya is missing, so it seems unlikely that malware authors themselves could recover files. There may be some partial recovery options based on what occurred on each individual system. However, any use of the system severely impacts the recovery success rate.
In some cases, you may be able to recover the master boot record with Microsoft Windows recovery tools. If the master file table was encrypted, then you may want to use file carving tools to attempt to recover some files, much like we recommended for WannaCry. File carving is not guaranteed to recover all or any files, but you may be able to reduce the impact by recovering some of your files.
Now the next question is: how do you stay secure for the next cyberattack that may come your way? It is imperative that users keep not only their security systems up-to-date, but OS and software patches as well, as Petya used known vulnerabilities already patched by Microsoft to propagate. Turning on automatic patching and upgrading older software packages will also help you keep up with security patches. For malware that use zero-day exploits, you can mitigate damage by using various off box backup tools for your important files.