Here’s how this installation ID is generated in the ExPetr ransomware: After sending this information to the attacker they can extract the decryption key using their private key. In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contains crucial information for the key recovery. First, in order to decrypt victim’s disk the attackers need the installation ID: Instead, it appears it was designed as a wiper pretending to be ransomware.īelow the technical details are presented. This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Kaspersky Advanced Cyber Incident CommunicationsĪfter an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.KasperskyEndpoint Detection and Response.KasperskyPhysical, Virtual & Cloud Workloads Security.
KasperskyEndpoint Security for Business Advanced.KasperskyEndpoint Security for Business Select.Kaspersky Internet Security for Android.
0 kommentar(er)
