The spread of Petya and its variants is dominating the malware news headlines.
A new Petya variant now appears to be the culprit behind the latest attacks. It has been confirmed that the email address the attackers provided for victims to use after making the bitcoin payment has already been closed and blocked as of this writing, so a victim who pays has no way to reach them.
According to Kaspersky Lab, an error in the malware's code prevents data recovery. Their analysis found no way to recover the data, because this variant lacks a usable installation ID: the ID it shows the victim does not contain the information needed to recover the decryption key. In the original Petya that installation ID carries the key material; in the new variant it has been stripped out, which makes decryption nearly impossible even for the attackers.
The ransomware also contains a component similar to Shamoon that overwrites the Master Boot Record and the Master File Table of infected machines. This is a very clear indicator that the ransomware aspect of the attack was only a cover. This version wipes the first sectors of the disk, and the goal of wiper code is simply to destroy and damage; whatever money the attackers collect, their intent was never to return the hijacked files to their original form.
Computers that have contracted the infection are in serious trouble, and their owners should not expect to get their data back. If all of the above holds, newer malware may follow suit and incorporate the same wiper aspect: pretend to encrypt, destroy the data outright, and simply collect the payment.
There is, however, a temporary workaround that prevents infection, though it is not a permanent fix for the issue. A member of the security community found that if you create a read-only file named "perfc" (exactly that name, with no extension) in the Windows folder, the machine will not be infected, which also stops it from passing the ransomware on.
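The following is an added example of applying that workaround from an elevated PowerShell prompt; it is not code from the original post or from the researcher who found the file check. It assumes the Windows folder is whatever `$env:windir` points to (normally `C:\Windows`), that the file name is exactly `perfc` with no extension as the post states, and that the session runs as Administrator, since creating files under the Windows folder requires it.

```powershell
# Added example: create the read-only "perfc" vaccine file described above and
# verify it. Assumptions: $env:windir is the Windows folder, the file name is
# exactly "perfc" (no extension), and this runs in an elevated PowerShell session.

function New-PerfcVaccine {
    param([string]$WindowsDir = $env:windir)

    $path = Join-Path $WindowsDir 'perfc'

    # Create the file only if it is missing; never overwrite an existing one.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -ItemType File -Path $path | Out-Null
    }

    # The workaround calls for a read-only file, so set the attribute explicitly
    # (equivalent to: attrib +R C:\Windows\perfc).
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return $path
}

function Test-PerfcVaccine {
    param([string]$WindowsDir = $env:windir)

    $path = Join-Path $WindowsDir 'perfc'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }

    # Confirm the read-only attribute actually took effect.
    $item = Get-Item -LiteralPath $path -Force
    return (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
}

$created = New-PerfcVaccine
if (Test-PerfcVaccine) {
    Write-Host "Vaccine file in place and read-only: $created"
} else {
    Write-Warning "Vaccine file missing or not read-only: $created"
}
```

Create the file from a shell rather than from Explorer: with "Hide extensions for known file types" enabled, a file that Explorer shows as `perfc` may really be `perfc.txt`, which does not match the name the malware checks. The check above passes only for a file literally named `perfc`.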
The attackers may well learn of this and modify the code in future releases, but for now it is a good preventive option. Paying the ransom is not an option: the contact address is gone and, as noted above, the data cannot be decrypted in any case.