Where did it start?
The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian cyber police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kiev’s airport and metro system. The radiation monitoring system at Chernobyl was also taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone. A second wave of infections was spawned by a phishing campaign featuring malware-laden attachments.
What is ransomware?
Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it.
How does it work?
When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don’t have a recent back-up of the files they must either pay the ransom or face losing all of their files.
An ASCII image of a skull and crossbones is displayed as part of the payload on the original version of Petya.
Classification: Trojan horse
Operating system(s) affected: Windows
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, demanding a payment in Bitcoin in order to regain access to the system.
Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, this variant was modified so that it is unable to actually revert its own changes.
Petya was first discovered in March 2016; Check Point noted that while it had achieved fewer infections than other ransomware active in early 2016, such as CryptoWall, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution”. Another variant of Petya discovered in May 2016 contained a secondary payload used if the malware cannot achieve administrator-level access.
How does it differ from WannaCry?
Security experts said the program could have spread in a similar way to the WannaCry attack that hit hundreds of thousands of computers, including the NHS, earlier this year. Like WannaCry, Petya could have used EternalBlue, a tool created by the National Security Agency and leaked online by the Shadow Brokers that exploits a vulnerability in Microsoft’s software.
Should I be worried?
Computers running the most recent update of Microsoft’s software should be safe from the attack. Users are advised to check they have installed the latest version of Windows and refrain from clicking on malicious links.
What should you do if you are affected by the ransomware?
The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine, as flagged by @HackerFantastic on Twitter.
If the system reboots with the ransom note, don’t pay the ransom – the “customer service” email address has been shut down, so there’s no way to get the decryption key to unlock your files anyway. Disconnect your PC from the internet, reformat the hard drive and restore your files from a backup. Back up your files regularly and keep your anti-virus software up to date.
Is there any protection?
Most major antivirus companies now say their software has been updated to detect and block “Petya” infections: Symantec, for instance, says products using definitions version 20170627.009 are protected, and Kaspersky says its security software can now spot the malware. Additionally, keeping Windows up to date – at the very least by installing March’s critical patch against the EternalBlue vulnerability – closes one major avenue of infection, and will also protect against future attacks that use the same exploit with different payloads.
For this particular malware outbreak, another line of defence has been discovered: “Petya” checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won’t run the encryption side of the software. But this “vaccine” doesn’t actually prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.
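The two host-level mitigations described above (confirming whether the SMBv1 transport that EternalBlue targets is still enabled, and creating the read-only “vaccine” file) can be applied with a short script. The following PowerShell is an added example written for this page; it is not code from any of the cited sources. It assumes an elevated (Administrator) session on Windows 8 / Server 2012 or later, where the Get-SmbServerConfiguration cmdlet exists, and it uses the file name C:\Windows\perfc.dat exactly as the article gives it.

```powershell
# Added example (not from the article or its sources).
# Assumptions: elevated PowerShell session; Windows 8 / Server 2012 or later
# so that the SmbShare module cmdlets are available; the vaccine file name is
# the one given in the article.
#Requires -RunAsAdministrator

# 1. Report whether the SMBv1 server protocol is still enabled on this host.
#    EternalBlue targets SMBv1, so "enabled" means the March 2017 patch status
#    matters and disabling SMBv1 is worth considering.
function Get-Smb1Status {
    $cfg = Get-SmbServerConfiguration
    return [pscustomobject]@{
        Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
    }
}

# 2. Create the read-only "vaccine" file the malware checks for before it
#    runs its encryption stage. This is idempotent: it creates the file only
#    if missing and sets the read-only attribute only if not already set.
#    As the article notes, this stops the encryption stage only; an infected
#    host can still attempt to spread to other machines on the network.
function Set-PetyaVaccineFile {
    param(
        [string]$Path = 'C:\Windows\perfc.dat'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Content is irrelevant; only the file's presence is checked.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    $item = Get-Item -LiteralPath $Path
    if (-not $item.IsReadOnly) {
        $item.IsReadOnly = $true
    }
    # Return the final state so a caller (or a compliance script) can assert on it.
    return (Get-Item -LiteralPath $Path).IsReadOnly
}

$smb = Get-Smb1Status
if ($smb.Smb1Enabled) {
    Write-Warning ('SMBv1 server protocol is ENABLED. Install the March 2017 security update ' +
                   'and consider: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force')
} else {
    Write-Output 'SMBv1 server protocol is disabled.'
}

if (Set-PetyaVaccineFile) {
    Write-Output 'Vaccine file C:\Windows\perfc.dat is present and read-only.'
} else {
    Write-Warning 'Could not set the vaccine file read-only; check permissions.'
}
```

The script only reports SMBv1 state rather than changing it, because disabling the protocol can break older clients and printers; the decision belongs with the administrator, which is why the remediation command is printed as a suggestion rather than executed.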
So is this just another opportunistic cybercriminal?
It initially looked like the outbreak was just another cybercriminal taking advantage of cyberweapons leaked online. However, security experts say that the payment mechanism of the attack seems too amateurish to have been carried out by serious criminals. Firstly, the ransom note includes the same Bitcoin payment address for every victim – most ransomware creates a custom address for every victim. Secondly, the malware asks victims to communicate with the attackers via a single email address which has been suspended by the email provider after they discovered what it was being used for. This means that even if someone pays the ransom, they have no way to communicate with the attacker to request the decryption key to unlock their files.
Who is behind the attack?
It is not clear, but it seems likely it is someone who wants the malware to masquerade as ransomware while actually just being destructive, particularly to the Ukrainian government. Security researcher Nicholas Weaver told cybersecurity blog Krebs on Security that ‘Petya’ was a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware”. Pseudonymous security researcher Grugq noted that the real Petya “was a criminal enterprise for making money,” but that the new version “is definitely not designed to make money.”
“This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware,’” he added, pointing out that, among other tells, the payment mechanism in the malware was inept to the point of uselessness: a single hardcoded payment address, meaning the money can be traced; the requirement to email proof of payment to a webmail provider, meaning that the email address can be – and was – disabled; and the requirement to send an infected machine’s 60-character, case sensitive “personal identification key” from a computer which can’t even copy-and-paste, all combine to mean that “this payment pipeline was possibly the worst of all options (sort of ‘send a personal cheque to: Petya Payments, PO Box … ’)”.
Ukraine has blamed Russia for previous cyber-attacks, including one on its power grid at the end of 2015 that left part of western Ukraine temporarily without electricity. Russia has denied carrying out cyber-attacks on Ukraine.
Petya’s ransom note displayed on a compromised system.
During the attack initiated on 27 June 2017, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks and metro systems were also affected.
Those affected elsewhere included British advertising company WPP, Maersk Line, American pharmaceutical company Merck & Co., Russian oil company Rosneft (its oil production was unaffected), multinational law firm DLA Piper, French construction company Saint-Gobain and its retail and subsidiary outlets in Estonia, Spanish food company Mondelez, and American hospital operator Heritage Valley Health System. The Cadbury’s chocolate factory in Hobart, Tasmania, was the first company in Australia to be affected by Petya. On 28 June 2017, JNPT, India’s largest container port, had reportedly been affected, with all operations coming to a standstill.
Jens Stoltenberg, NATO Secretary-General, pressed the alliance to strengthen its cyber defenses, saying that a cyberattack could trigger the Article 5 principle of collective defense.
Europol said it was aware of and “urgently responding” to reports of a cyberattack in member states of the European Union. In the United States, the Department of Homeland Security is involved and is coordinating with its international and local partners. In a letter to the NSA, Democratic Congressman Ted Lieu asked the agency to collaborate more actively with technology companies, to notify them of software vulnerabilities and to help them prevent future attacks based on malware created by the NSA.
Sources: The Guardian, The Telegraph, Wikipedia, Google.