It seems that the latest round of malware, although disguised as ransomware, is nothing more than an encrypting virus with no possibility of decryption.
In the first hours of the attack, researchers believed this ransomware was a new version of an older threat called Petya, but they later discovered that it was a new strain altogether that borrowed some code from Petya, which is why they recently started calling it NotPetya.
In many variants the ransom message did not provide a unique identifier, making it impossible for the malware author to provide decryption keys. Couple this with the fact that the contact email address provided has since been shut down, and we have the situation we find ourselves in now: crypto viruses irreversibly encrypting users' data.
While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.
The researcher’s initial findings were later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.
This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
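The mitigation described above can be scripted so it is applied the same way on every machine. The following PowerShell is an added example, not code from the researchers or from this post; `Set-VaccineFile` is a hypothetical helper name, and the path is a placeholder because this post does not name the file.

```powershell
# Added example: create the marker file and make it read-only.
# The file name is NOT given on this page; pass the path published in the
# researchers' write-ups. Set-VaccineFile is a hypothetical helper name.
function Set-VaccineFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Create an empty file only if nothing exists at that path yet,
    # so an existing file is never overwritten.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create empty marker file')) {
            New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
        }
    }

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }   # -WhatIf run: nothing was created
    if ($item.PSIsContainer) { throw "$Path is a directory, not a file." }

    # Set the read-only attribute if it is missing.
    if (-not $item.IsReadOnly) {
        if ($PSCmdlet.ShouldProcess($Path, 'Set read-only attribute')) {
            $item.IsReadOnly = $true
        }
    }

    # Re-read the file system state and report it, so the result can be
    # collected when the function is run across many hosts.
    $item.Refresh()
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $item.FullName
        ReadOnly = $item.IsReadOnly
        Length   = $item.Length
    }
}

# Usage (placeholder path; replace it with the published file name):
# Set-VaccineFile -Path 'C:\PLACEHOLDER\marker-file' -WhatIf
```

Running it with `-WhatIf` first shows what would change without touching the disk; running it again after deployment confirms the file is still present and read-only.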
Sources and further reading:
It has taken a while for Microsoft to respond, but it finally looks like the software giant is building protections into its upcoming Creators Update for Windows 10 to protect certain user folders. Time will tell how effective these protections are…