Just over a month after the WannaCry ransomware attack, another attack is creating chaos around the world, disrupting computers at banks, power utilities and other businesses across India, Russia, Ukraine and Europe (including the UK, Spain and France) and demanding $300 worth of bitcoin. Unlike WannaCry, however, this Petya variant has fewer flaws: it repeats none of WannaCry's mistakes, such as the kill-switch domain that let a researcher halt that outbreak, and it uses more than one way to spread, so it is harder to contain.
Petya ransomware first appeared in 2016, and the current attack appears to be a more capable offshoot of it. Because of the changes, some researchers are calling it "NotPetya" or "GoldenEye". Whatever the name, the attack has affected Merck, the US pharmaceutical company, the advertising firm WPP, the food company Mondelez and the Danish shipping giant Maersk, along with several other organisations around the world. It has also hit India's largest container port, Jawaharlal Nehru Port Trust (JNPT) in Mumbai, where a terminal is run by AP Moller-Maersk.
Like WannaCry, Petya spreads across networks of Microsoft Windows machines. One route is the EternalBlue exploit against the SMBv1 flaw that Microsoft patched in March 2017 (MS17-010); the patch exists, but many organisations have not installed it yet. The second route is one WannaCry lacked: the malware harvests credentials from the machine it has infected and uses two legitimate Windows administration tools, PsExec and WMIC, to run itself on other hosts. It tries one method and, if that fails, moves on to the next, so once a single computer is infected the rest of the organisation's network can quickly follow.
According to the Ukrainian Cyber Police, the attack was seeded through the software update mechanism of M.E.Doc, an accounting program widely used by companies that do business with the Ukrainian government. That would make it the starting point of the outbreak and would explain why Ukrainian banks, airports, government bodies, state power utilities and the metro system were among the first organisations affected.
Although there was serious damage across Europe and in the US, Petya, unlike WannaCry, only tries to spread within the local network it has reached; it does not scan the internet for new targets. That is probably why the rate of newly affected organisations is low.
Initially the attack was assumed to be another cybercriminal taking advantage of the cyberweapons leaked online. Later, the amateurish payment mechanism suggested it might not have been carried out by serious criminals at all. Most ransomware operators, for example, generate a separate Bitcoin address for each victim so they can tell who has paid; this attack used the same address for everyone. Victims are also told to contact the attackers through a single email address, which the email provider suspended as soon as it learned what the account was being used for. So even someone who pays the ransom has no way to reach the attackers for a decryption key and recover their files.
It is still unclear who is behind the Petya attack. Some experts suggest the malware is only meant to look like ransomware and is really destructive malware aimed at the Ukrainian government; others argue that it is a "test" disguised as ransomware. The pseudonymous security researcher the Grugq said, "Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline," and that this version is "definitely not designed to make money."
Nevertheless, once the ransomware infects a computer it schedules a reboot, typically within an hour, and the damage is done during that reboot, when a malicious bootloader encrypts the disk's file table behind a fake CHKDSK screen. According to a post by HackerFantastic on Twitter, powering the computer off as soon as it reboots stops the files from being encrypted, and you can then try to rescue them from the disk.
If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic) June 27, 2017
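The reboot described above was queued as an ordinary scheduled task that runs `shutdown.exe /r /f`. The following PowerShell, an example added here and not code from the article or from the researchers it quotes, lists any such task on a machine so a responder can tell whether a host is about to reboot into the encryptor, and removes the task when `-Remove` is given. It assumes an elevated prompt on Windows 8 / Server 2012 or later (the `ScheduledTasks` module is not present on Windows 7); the function name is this example's own.

```powershell
# Added example, not from the original article. Lists scheduled tasks whose
# action launches shutdown.exe with /r (restart) and /f (force), the way
# NotPetya queued the reboot that hands control to its boot-sector encryptor,
# and unregisters them when -Remove is given. Requires an elevated prompt on
# Windows 8 / Server 2012 or later (Get-ScheduledTask is not on Windows 7).

function Find-ForcedRebootTask {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remove)

    # Keep a task when any of its actions runs shutdown(.exe) with both /r and /f.
    $suspects = Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute   -match '(^|\\)shutdown(\.exe)?$' -and
            $_.Arguments -match '(^|\s)/r(\s|$)' -and
            $_.Arguments -match '(^|\s)/f(\s|$)'
        }
    }

    foreach ($task in $suspects) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '

        [pscustomobject]@{
            TaskName = $task.TaskName   # NotPetya registered its task with an empty name
            TaskPath = $task.TaskPath
            State    = $task.State
            Command  = $cmd.Trim()
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($cmd, 'Unregister-ScheduledTask')) {
            # -InputObject avoids having to pass an empty TaskName back in.
            Unregister-ScheduledTask -InputObject $task -Confirm:$false
        }
    }
}

# Triage run: show suspects without removing anything.
Find-ForcedRebootTask | Format-Table -AutoSize

# Remove them (prompts first because of -WhatIf/-Confirm support):
# Find-ForcedRebootTask -Remove -Confirm
```

A hit does not prove infection, since administrators legitimately schedule forced restarts, but an unexpected task of this shape on a machine that has just contacted an infected neighbour is a strong signal. Removing the task only buys time; the machine still holds the malware and should be isolated from the network and rebuilt as described below.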
If the system does reboot and you see the ransom note, do not pay. The email address in the note has been shut down, as stated above, so there is no way to obtain a decryption key anyhow. Disconnect the PC from the network, reformat the hard drive, reinstall the operating system and restore your files from backup.
A mitigation has been reported by the UK-based security company PT Security and by Amit Serper of Cybereason, although it is a local "vaccine" rather than a true kill-switch: the malware checks for a file with its own name in the Windows directory and exits if it finds one, so creating a read-only file named C:\Windows\perfc (no extension) stops it from running on that machine. It does nothing to stop the worm spreading to other, unvaccinated machines. Both tweets advise users to create the file.
— PT Security (@PTsecurity_UK) June 27, 2017
— Amit Serper (@0xAmit) June 27, 2017
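The vaccine above is a per-machine step, and the SMBv1 exposure described earlier is the other half of the same problem, so the PowerShell below, an example added here rather than code from the article or from the researchers it cites, does both: it creates the read-only `perfc` file (plus the `perfc.dat` and `perfc.dll` variants some guidance added) and, with `-DisableSmb1`, turns off the SMBv1 server that EternalBlue targets. `-ComputerName` pushes the same steps to other hosts over WinRM and assumes PowerShell remoting is already enabled; the function name is this example's own.

```powershell
# Added example, not from the original article or from PT Security / Cybereason.
# Creates the read-only file %SystemRoot%\perfc that NotPetya checks for before
# running (plus the .dat/.dll variants), and optionally disables the SMBv1
# server that MS17-010 patched. Run from an elevated prompt on Windows 8 /
# Server 2012 or later; remote hosts need PowerShell remoting enabled.

function Protect-AgainstNotPetya {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $ComputerName = @('localhost'),
        [switch]   $DisableSmb1
    )

    $steps = {
        param([bool] $DisableSmb1)

        $result = [ordered]@{ Computer = $env:COMPUTERNAME }

        # 1. Vaccine: the malware exits if a file with its own name (no extension)
        #    already exists in the Windows directory. Read-only stops it being
        #    casually overwritten; it is not a substitute for patching.
        foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
            $path = Join-Path $env:SystemRoot $name
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType File -Path $path -Force | Out-Null
            }
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
            $result[$name] = (Get-Item -LiteralPath $path).IsReadOnly
        }

        # 2. Hardening: turn off the SMBv1 server EternalBlue exploits. This does
        #    not block the PsExec/WMIC route, which rides on stolen credentials.
        if ($DisableSmb1) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

        [pscustomobject] $result
    }

    foreach ($computer in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($computer, 'vaccinate and harden')) { continue }

        if ($computer -eq 'localhost') {
            & $steps $DisableSmb1.IsPresent
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $steps `
                           -ArgumentList $DisableSmb1.IsPresent
        }
    }
}

# Local machine only:
Protect-AgainstNotPetya -DisableSmb1 | Format-Table -AutoSize

# Fleet roll-out from a list of hosts (hypothetical file name):
# Protect-AgainstNotPetya -ComputerName (Get-Content .\hosts.txt) -DisableSmb1 |
#     Export-Csv .\vaccine-report.csv -NoTypeInformation
```

Each row of the report shows whether the three files are read-only and whether SMBv1 is still enabled, which is what an administrator needs to confirm coverage across a fleet. Because the malware also moves with harvested administrator credentials, the file only protects the host it sits on; installing MS17-010 and restricting where privileged accounts log on are the controls that actually limit the spread.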
As TheHackerNews advises, be wary of suspicious or unsolicited attachments, and never click links in emails unless the source is verified. Install pending Windows security updates, MS17-010 in particular. Keep routine backups on an external device that is not permanently connected to your PC. Run a good, up-to-date anti-virus suite and, most importantly, browse the internet carefully.