Petya

Understand more about this new ransomware and what you should do. 

By: Steve Snelgrove
Security Analyst
CISSP
A new ransomware is taking the world by storm. This ransomware is a new variant of the Petya ransomware, and is much more sophisticated than its predecessor.

This ransomware has a few improvements over the WannaCry ransomware, mainly new capabilities that allow it to infect even up-to-date Windows systems running the latest security updates and software patches.

SEE ALSO: WannaCrypt Ransomware Attacks: What You Should Do


Here are a few things you should know about the Petya ransomware outbreak.

How does Petya work? 

Petya infects computers and waits for about an hour before rebooting the machine. Once the reboot is complete, it will encrypt the entire hard disk, and all system files, including the Master Boot Record. It then demands a $300 payment in bitcoin.

Once on a machine, Petya collects login credentials stored on the computer to gain access to other systems. It then uses PsExec, a Microsoft remote administration tool that lets a user run an application on a remote system, and tries to infect other machines through this tool.

Where has it spread? 

Since Tuesday, June 27, Petya has infected over 12,500 machines in 65 countries. It first struck in Ukraine and has spread across Europe, Asia, and North America.

How does Petya spread? 

Petya originally appeared in Ukraine. Organizations in Ukraine were infected after downloading a malicious update for the accounting and invoice software MeDoc. Multiple security firms have also seen the malware spread through phishing emails with malicious attachments pretending to be resumes or delivery notices.

Like WannaCry, Petya uses an “EternalBlue” software exploit for Windows, an exploit developed by the US National Security Agency that was subsequently stolen and leaked by the Shadow Brokers. Unlike WannaCry, Petya does not rely on computers vulnerable to EternalBlue to spread.

What makes this ransomware dangerous is that it not only uses exploits, but also legitimate tools to spread. This type of method can be very difficult to detect since it uses legitimate credentials to access other systems.
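
As an added illustration of the detection problem just described (example code written for this page, not from the original post or from SecurityMetrics), the following Python script correlates, per host, a Windows network logon (Security event 4624, logon type 3) with a service installation (System event 7045) shortly afterwards that uses PsExec's default service name. The hosts, users and timestamps in the sample events are constructed.

```python
# Added example: flag PsExec-style lateral movement from Windows event logs.
# A remote network logon (4624, logon type 3) followed within a short window
# by installation of PsExec's default service (7045, PSEXESVC) on the same
# host is the pattern worth alerting on. All events below are constructed.
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # hypothetical hosts, users and times
    {"time": "2017-06-27T10:00:01", "host": "WS-01", "id": 4624, "logon_type": 3, "user": "admin"},
    {"time": "2017-06-27T10:00:03", "host": "WS-01", "id": 7045, "service": "PSEXESVC"},
    {"time": "2017-06-27T10:05:00", "host": "WS-02", "id": 4624, "logon_type": 3, "user": "jdoe"},
    {"time": "2017-06-27T11:30:00", "host": "WS-02", "id": 7045, "service": "PSEXESVC"},  # outside window
    {"time": "2017-06-27T10:07:00", "host": "WS-03", "id": 4624, "logon_type": 2, "user": "jdoe"},  # local logon
    {"time": "2017-06-27T10:07:02", "host": "WS-03", "id": 7045, "service": "Spooler"},  # unrelated service
]

# Default service name PsExec installs; production rules should also inspect
# the service image path, since the name alone is a weak indicator.
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_psexec_lateral_movement(events, window_seconds=60):
    """Return (host, user, logon_time, service_time) for each suspicious pair."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, host_events in by_host.items():
        recent_logons = []  # network logons seen so far on this host
        for ev in host_events:
            t = parse_time(ev["time"])
            if ev["id"] == 4624 and ev.get("logon_type") == 3:
                recent_logons.append((t, ev["user"]))
            elif ev["id"] == 7045 and ev.get("service", "").upper() in PSEXEC_SERVICE_NAMES:
                for logon_time, user in recent_logons:
                    if timedelta(0) <= t - logon_time <= timedelta(seconds=window_seconds):
                        alerts.append((host, user, logon_time.isoformat(), t.isoformat()))
                        break
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_lateral_movement(SAMPLE_EVENTS):
        print("possible PsExec lateral movement:", alert)
```

Only WS-01 trips the rule: WS-02's service install arrives well outside the window and WS-03's logon is local rather than over the network.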

Fortunately, unlike WannaCry, this version of Petya spreads internally but doesn’t seed itself externally, which slows the rate of new infections.

What are the hackers’ motivations?

What’s concerning is that unlike other ransomware, Petya seems to be more damaging to the computers it encrypts. Researchers suspect that financial gain was not its creator’s goal, and widespread damage seems more likely. The malware’s developers didn’t design a robust system to pay the ransom, and the techniques used to encrypt the systems are far more damaging.

Petya was likely engineered to infect and damage a large number of systems. It could also mean that Petya is simply a distraction while the attackers are working on something else.

Security experts recommend that organizations infected do not pay the ransom, as it is unlikely they will see their files decrypted.

What should organizations do? 

Many anti-virus companies now claim that their software has updates to actively deflect and protect against Petya infections.

One thing to do is to make sure your Windows systems are updated to include the patch for the EternalBlue exploit. Doing so removes at least one avenue the Petya ransomware can use.

If your computer is infected, switch the computer off while it’s rebooting to prevent the files from being encrypted. You can then try to rescue the files from the machine. If your files are encrypted, disconnect your computer from the internet to prevent the malware from spreading.

For some preventative measures, back up your files regularly and keep your anti-virus software up to date.


Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities include the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.