Ransomware is yet again sweeping across the world’s computers today, and no, it’s not WannaCry.
It goes by a few names, but security experts commonly refer to it as Petya or NotPetya. While the former was first discovered in 2016, the latter name refers to a newer strain of the ransomware.
Yesterday, Petya, or a derivative of it, reappeared in Ukraine and has since spread to countries as far east as Australia and as far west as the US.
While details about the nature of the attack and the attackers’ intentions are unclear at present, we do know a few key factors regarding the ransomware itself.
What is Petya/NotPetya?
Firstly, we should probably explain ransomware in more detail.
Ransomware is a type of malware that doesn’t just infect your device but locks you out of it entirely and demands a ransom for regained access. The malware currently sweeping across the world is ransomware named Petya.
Petya was first discovered in March 2016, distributed in emails disguised as job applications. Trend Micro explains the method below:
Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).
On 27 June 2017, Petya reemerged, only this time with a new plan of attack, and new methods of infection.
How does it work?
Unlike other ransomware that usually encrypts users’ systems and demands a ransom, Petya goes one step further.
According to Kaspersky, the malware “waits for 10-60 minutes after the infection to reboot the system”. Once it reboots the computer, it then encrypts the computer’s primary drive.
It also attacks, overwrites and encrypts the machine’s Master Boot Record, or MBR. The MBR is a critical part of any system’s boot process and can be thought of as its starter motor. It’s always located in the first sector of the hard drive and is read during the device’s boot sequence.
“When a computer starts and the BIOS boots the machine, it will always look at this first sector for instructions and information on how to proceed with the boot process and load the operating system,” explains a great piece on DEW Assoc’s knowledge base.
Why is this bad?
For one, once its own MBR is in place, Petya can load its own code before the operating system starts, bypassing any security software installed on your machine. It also prevents users from starting in Safe Mode.
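Because Petya’s damage to the MBR happens at a fixed place (sector 0, with the bootstrap code in the first 446 bytes, the partition table in the next 64 and the 0x55AA signature in the last two), a defender can check that sector against a baseline taken from a clean machine. The script below is an added example, not code from the article or from any vendor mentioned in it: it parses a 512-byte sector, verifies the signature and partition table, and compares a SHA-256 of the bootstrap code with a stored baseline. The two sample sectors, their boot-code bytes and the key=value result layout are constructed for the example; on a real Windows host the input would be the first 512 bytes of `\\.\PhysicalDrive0`, read with administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: bootstrap code (the region a bootkit overwrites)
PARTITION_TABLE_OFF = 446     # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511: must be 0x55 0xAA for BIOS to boot the disk


def parse_partition_table(sector: bytes) -> list:
    """Decode the four entries: status, CHS start, type, CHS end, LBA start, sector count."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16]
        )
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def audit_mbr(sector: bytes, baseline_boot_hash: str) -> dict:
    """Compare sector 0 with a baseline hash captured from a known-clean machine."""
    # Real input on Windows (needs admin): open(r"\\.\PhysicalDrive0", "rb").read(512)
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    partitions = parse_partition_table(sector)
    result = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": boot_hash,
        "boot_code_matches_baseline": boot_hash == baseline_boot_hash,
        "partitions": partitions,
        "findings": [],
    }
    if not result["signature_ok"]:
        result["findings"].append("boot signature missing: sector is corrupt or encrypted")
    if not result["boot_code_matches_baseline"]:
        result["findings"].append("bootstrap code differs from baseline: possible MBR overwrite")
    if sum(p["bootable"] for p in partitions) != 1:
        result["findings"].append("partition table does not have exactly one bootable partition")
    return result


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-ins: a "clean" bootstrap recorded at deploy time and a tampered one.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE_BOOT_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58\x90" + b"BOOTKIT" * 10)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = audit_mbr(sector, BASELINE_BOOT_HASH)
        print(name, "OK" if not report["findings"] else report["findings"])
```

The baseline has to come from a clean image of the same build, since legitimate bootloaders differ between Windows versions and disk tools. The check is only useful while the operating system is still up, in the window before the malware’s scheduled reboot, or when run from clean boot media against the disk; once the reboot has happened the drive is already being encrypted.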
How does it spread?
While Trend Micro previously mentioned email was a common infection vector for Petya in 2016, in 2017 it has taken to a few new methods.
Petya can now spread using the SMB networking protocol, similarly to WannaCry.
During the WannaCry outbreak, we noted that the EternalBlue exploit was a key factor, and according to Microsoft and Symantec the same is true for Petya.
— Security Response (@threatintel) June 27, 2017
“The new ransomware can also spread using an exploit for previously patched SMB vulnerability CVE-2017-0144 (also known as EternalBlue), which was also exploited by WannaCrypt to spread to out-of-date machines. In addition, Petya also uses a second exploit for CVE-2017-0145 (also known as EternalRomance and still fixed by the same bulletin),” explains Microsoft’s TechNet blog.
For those worried: if you’ve installed the updates issued on 14 March 2017, you should be protected from this infection route.
Microsoft has also noted that Petya can spread laterally across networks “like a worm” using credential theft.
The ransomware drops a credential-stealing tool in Windows’ temp folder, hoping to harvest the details of an administrator-level account.
“Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines. Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445,” Microsoft Technet continues.
If it finds either port open, it’ll attempt to copy itself across network shares. If not, it’ll get on with ruining the host computer owner’s day.
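The scanning behaviour Microsoft describes, one host opening connections to many neighbours on tcp/139 and tcp/445 in a short space of time, is something network logs show clearly, and it looks nothing like a user talking to a file server. The detector below is an added example written for this article, not code from Microsoft or any vendor named here. It parses a constructed key=value connection-log format (timestamp, src, dst, dport, proto) that stands in for a firewall or NetFlow export, and raises an alert when a single source reaches a threshold of distinct SMB targets inside a sliding time window. The sample log lines, the host addresses and the alert layout are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the worm probes: tcp/139 (NetBIOS session) and tcp/445 (SMB over TCP).
SMB_PORTS = {139, 445}

# Constructed key=value log format; adapt the regex to your own firewall/NetFlow export.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (keeps the parser tolerant)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Alert when one source reaches `threshold` distinct hosts on tcp/139 or tcp/445 within `window`.

    Repeated connections to the same file server count as one target, so ordinary
    file-share use never trips this; a host copying itself to every neighbour does.
    """
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "tcp" and e["dport"] in SMB_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({
                    "src": src,
                    "first_seen": evs[start]["ts"],
                    "last_seen": evs[end]["ts"],
                    "distinct_targets": len(targets),
                })
                break  # one alert per source is enough for triage
    return alerts


# Constructed sample: 10.0.5.23 fans out across the subnet, 10.0.5.10 just uses a file server.
SAMPLE_LOG = """\
2017-06-27T13:02:01Z src=10.0.5.10 dst=10.0.5.200 dport=445 proto=tcp action=allow
2017-06-27T13:02:03Z src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp action=allow
2017-06-27T13:02:04Z src=10.0.5.23 dst=10.0.5.41 dport=445 proto=tcp action=allow
2017-06-27T13:02:04Z src=10.0.5.10 dst=10.0.5.200 dport=445 proto=tcp action=allow
2017-06-27T13:02:05Z src=10.0.5.23 dst=10.0.5.42 dport=139 proto=tcp action=deny
2017-06-27T13:02:06Z src=10.0.5.23 dst=10.0.5.43 dport=445 proto=tcp action=allow
2017-06-27T13:02:07Z src=10.0.5.31 dst=203.0.113.9 dport=443 proto=tcp action=allow
2017-06-27T13:02:09Z src=10.0.5.23 dst=10.0.5.44 dport=445 proto=tcp action=allow
2017-06-27T13:02:12Z src=10.0.5.23 dst=10.0.5.45 dport=445 proto=tcp action=allow
2017-06-27T13:02:40Z src=10.0.5.10 dst=10.0.5.200 dport=445 proto=tcp action=allow
""".splitlines()

if __name__ == "__main__":
    for alert in detect_smb_fanout(SAMPLE_LOG):
        print(f"{alert['src']} reached {alert['distinct_targets']} SMB hosts "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

Denied connections are counted on purpose: a probe that the firewall blocks still reveals the scan. The threshold and window are starting points; tune them against a week of normal traffic so that backup servers, vulnerability scanners and domain controllers, which legitimately reach many hosts on 445, are either allow-listed or given their own higher limit.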
Who can be infected?
Machines running Windows XP, Windows Vista, Windows 7, Windows 8 and 8.1 and Windows 10 are vulnerable.
Who has been infected thus far?
A slew of institutions and companies in Ukraine have been affected, including Chernobyl’s radiation monitoring services. Yes, that Chernobyl.
The Ukrainian government’s ever-entertaining Twitter account told citizens not to panic, using a rather apt GIF too.
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
Other companies across the world are also affected, including Danish shipping company Maersk.
UPDATE 15:00 CEST pic.twitter.com/L5pBYvNQd3
— Maersk (@Maersk) June 27, 2017
British advertising and PR conglomerate WPP tweeted that “several WPP companies have been affected by a suspected cyber attack”.
IT systems in several WPP companies have been affected by a suspected cyber attack. We are taking appropriate measures & will update asap.
— WPP (@WPP) June 27, 2017
French construction company Saint-Gobain posted this eloquent tweet on Wednesday.
— Saint-Gobain (@saintgobain) June 28, 2017
Microsoft found infected machines running in 65 countries thus far, including Ukraine (patient zero), the United States, Russia, India, Brazil and Australia. This list seemingly continues to grow.
What do the attackers want?
Money in the form of Bitcoin. US$300 worth, that is.
Considering the ransom’s price in 2016 — 0.99 BTC or US$431 back then — the current asking price is fairly generous.
That said, there’s never a guarantee that issuing payment to unlock your device and files will in fact lead to a device that’s unlocked and accessible.
How can I protect myself?
Before anything else, back up your device’s files to an external source, either a flash drive or an external hard disk. If you run a network, ensure that all devices are patched with the latest Windows updates.
You might also want to disable SMB v1. Instructions on how to do just that can be found here.
Additionally, a number of security companies say that their products actively block the infection, including Trend Micro, Symantec and Kaspersky. Microsoft has also announced that Windows Defender, baked into Windows 10 itself, has been updated to spot the ransomware.
Ultimately though, the only way to guarantee that you won’t be affected is by unplugging from the internet entirely.
Feature image: Symantec