The New Petya Ransomware Does Not Decrypt Victims’ Files Even After the Ransom is Paid


A brand new version of Petya ransomware is hitting computers all over the world. The latest variant of the virus is named NotPetya ransomware and it has infected thousands of systems during the past two days.

According to the separate reports of Kaspersky Lab and Comae Technologies, despite acting like a ransomware, NotPetya is more of a disk wiper developed to damage computers.

After analyzing the malware’s source code deeper, the security experts reported that the infection acts like a ransomware, but it is not capable of decrypting the victims’ files, even if they had paid the ransom.

The analysis also show that there is no connection between victims not getting their files back and the blocked email address of the hackers. No matter if victims have tried to get in touch with the attackers after paying the ransom, their files would still remain decrypted.

The tools of ransomware generate a unique installation ID for each infected computer in order to store information and the decryption key for its recovery. However, when talking about NotPetya, the installation ID is invalid as it’s generated from random data, which makes the decryption process impossible.

“What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive,” Kaspersky Lab stated.

Matt Suiche from Comae Technologies made the same conclusion as Kapersky Lab, however, he based it on a different flaw. According to Suiche’s report, it’s impossible to recover the original Master File Table (MFT) encrypted by NotPetya. MFT is a database which handles the files’ location on a hard drive.

When comparing the new Petya 2017 with its 2016 version, Suiche found out that the latest strain of Petya, which affected many Ukrainian organizations, was a wiper which trashed the 25 first sector blocks of the infected disks.

“2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk,” Suiche stated.

According to the analysis, NotPetya is a cyber weapon created to destroy and damage computers, and it’s not a ransomware with a motive to gain profit. The wipers emilinate all possibilities of restoration, while ransomware can restore their modification, Suiche explained.

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.