After the WannaCry Ransomware attacks that struck the UK and 100 other countries, a new wave of cyber attacks is quickly spreading like wildfire around the world. This time, the malware is called Petya or NotPetya and it’s considered to be more lethal than the WannaCry ransomware.
It’s been around since 2016 but only proliferated in the last few days affecting large businesses in Russia, Ukraine, Poland, and Western Europe during its outbreak yesterday (June 27, 2017).
Petya has particularly disabled various sectors in Ukraine including the central bank, Kiev’s airport, the metro network, a state-run aircraft manufacturer, and government departments. Putting Ukraine at the center of this global cyber attack.
— The Bankova (@TheBankova) June 27, 2017
What is Petya?
The ransomware has been around since 2016. It spreads itself in a Windows system by exploiting the MS17-010 vulnerability or more commonly known as EternalBlue – also used in WannaCry. Other tools such as EternalRomance can also be used to exploit vulnerabilities in a system. If a single system, possessing administrative attributes, has been infected then it can propagate the infection to every other computer in the network through WMI or PSEXEC.
Once Petya has penetrated a system, it waits for 10 to 60 minutes for it to reboot. As the system reboots, the malware begins to encrypt files and overwrites the master boot record (MBR) with a modified loader displaying a ransom note. The hackers promise that encrypted files can be recovered if victims would pay the ransom of $300 in Bitcoins. They provided an email address where victims could send their wallet numbers. However, this email account has now been disabled, which means those who have been recently inflicted with the malware can no longer retrieve their encrypted files. The bitcoin wallet that is linked to the cyber attack was reported to have received a number of payments and has three bitcoins in it or £5,640 ($7,240).
[Image Source: Symantec]
The German email provider Posteo was quick in responding to the malware attack. “We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away”. Posteo has confirmed the following conditions as of midday, 27th of June 2017. The blackmailers could no longer access the email account to send emails. And sending emails to the account is no longer possible either.
So, what is the “NotPetya” nickname all about? Kaspersky Lab reported that the malware creeping across organizations around the world is not a variant of Petya. Instead, it is a novel ransomware and they have decided to call it NotPetya.
— Kaspersky Lab (@kaspersky) June 27, 2017
How Petya is more lethal than WannaCry
This ransomware does more than just encrypting files. It also overwrites and encrypts the MBR, which is a major part of a computer’s startup system. The MBR holds information about the hard disk used to load the operating system. If the malware manages to penetrate the MBR, it will encrypt the whole drive itself or encrypt all the files.
Moreover, the ransomware also searches for passwords on the affected computer and tries to extract login credentials of logged on users from memory or from the local file system. By abusing PSEXEC, Petya can propagate through a whole network by targeting an administrator’s PC. Once the main system has been breached the other computers under the host computer can be penetrated too.
ESET’s researcher Robert Lipovsky explained how the vast proliferation of Petya was possible.
“This powerful combination is likely the reason why the outbreak is spreading quickly, even after previous outbreaks have generated headlines and most vulnerabilities should have been patched. It only takes one unpatched computer to get inside the network. From there, the malware can take over administrator rights and spread to other computers”.
Petya is also more notorious as it penetrates patched Windows PCs, even those with Windows 10. On the other hand, WannaCry was largely breaching through older systems.
Who is affected?
One of the giants in the oil and gas industry, Rosneft, has reported that their system was affected by the Petya cyber attack. But it has immediately resorted to the company’s reserve control system, which allowed them to continue their daily operation. Rosneft is the world’s largest publicly traded petroleum company which is run and owned by the Russian government. The energy company has sought the help of Russia’s security services to investigate the cyber attack that broke out on the afternoon of June 27, 2017.
“Rosneft and its subsidiaries are operating on a regular basis. Those who spread fake and panic messages will be brought to responsibility together with those who are behind the hacker attack”, said Rosneft’s spokesman Mikhail Leontyev.
The cyber attack could lead to serious consequences, however, due to the fact that the Company has switched to a reserve control system…
— Rosneft (@RosneftEN) June 27, 2017
…neither oil production nor preparation processes were stopped.
— Rosneft (@RosneftEN) June 27, 2017
After being one of the badly hit countries during the WannaCry ransomware, the UK was not spared in this current worldwide Petya cyber attack. British marketing and advertising agency, WPP, came forward and said that their IT systems have been affected by Petya.
IT systems in several WPP companies have been affected by a suspected cyber attack. We are taking appropriate measures & will update asap.
— WPP (@WPP) June 27, 2017
Danish global transport and logistics company, Maersk, declared that IT systems across several of their sites and business units have been disabled.
UPDATE 23:00 CEST pic.twitter.com/ITmwGIHD6e
— Maersk (@Maersk) June 27, 2017
The world’s most notorious nuclear site in Ukraine’s Chernobyl was also inflicted by the ransomware, which managed to paralyze the power plant’s website. As a result, the radiation monitoring system of Chernobyl was taken offline after the cyber attack. This meant that employees had to measure radiation levels using hand-held devices.
The State Agency for Management of Chernobyl’s Execution Zone said in a press release:
“In connection with the cyber-attack, the site of the Chernobyl nuclear power plant is not working. All technical systems at the station are operating normally. But due to the temporary disconnection of Windows systems, radiation monitoring of the industrial site is being carried out manually“.
How to protect yourself from this ongoing cyber attack?
Make sure that you are using a reliable antimalware software that is up to date. You can also protect your PC by installing all the current Windows updates and patches. Avoid clicking on links and opening up attachments that came from untrusted or unknown senders.
According to ESET, rebooting your system may be detrimental and it’s better to just completely shut down your computer.
“Shutting down the computer and not booting again could prevent the disk encryption, though several files can be already encrypted after the MBR is replaced and further infection through the network is attempted”.