Paying Off ‘Petya-Variant’ Ransomware Won’t Unlock Your Files

Even if you pay off the new globally spreading ransomware, you won't pull the plug on the malicious software. There's no way for the hackers to communicate with victims who find their files locked up. Early Tuesday morning, the email address listed in the ransomware was blocked.

But that doesn't mean the computer worm will stop spreading. And it also means there's no way for the cybercriminals to send unlocking codes to people who pay the $300 bitcoin ransom — assuming they ever intended to live up to their part of the bargain, according to security researchers.

"If Posteo killed the address, people paying and then emailing them to retrieve decryption assistance will not receive it," said Paul Burbage, a malware researcher for Flashpoint Intelligence.

Despite this, the electronic currency wallet listed in the red-text-on-black-screen ransomware notice continued to receive funds Tuesday afternoon. As of 6 p.m. ET, the wallet's value was up to nearly $8,000.

Initial reports indicate the new infection hasn't spread as much as WannaCry, but it did reach a large number of organizations. Kaspersky Lab's analysts report 2,000 infections so far. Any computers that hadn't been updated or patched against WannaCry, which was based on the National Security Agency's leaked "EternalBlue" exploit, could be susceptible. The security firm Symantec said it had confirmed the new malware used the EternalBlue flaw.

Researchers say all companies should update and patch their Windows software immediately, and ensure that they back up their data and have ransomware detection installed.

If you know your computer is infected, don't restart your computer or pay the ransom, said Ryan Kalember, senior vice president of cybersecurity for Proofpoint. If your computer has already restarted, the best option is to restore it from a backup, he said.

Several security researchers said they believe the current ransomware attack is using malicious software, or malware, based not on "WannaCry" but on another one called "Petya," the Russian word for "Peter." However, Kaspersky Lab says it may be an entirely new piece of software.

And if it is indeed a Petya variant, it would attack via spam emails with infected documents attached, as well as through neighboring infected computers, researchers said. The code would then target the master boot record of a drive, going on to create its own "miniature operating system" and encrypt the rest of the files.

While WannaCry targeted only the files, Petya encrypts the "master file table." That's sort of like locking the card catalog of the hard drive. If you can't open the card catalog, you can't find where your books are.

Cybersecurity experts say all it takes is for one person to open a malicious document to take down an entire computer network.

Source: NBC