After last month’s WannaCry outbreak, a new strain of ransomware yesterday spread like wildfire across parts of Europe and as far as Britain, The United States, Australia and India.
Though most are calling it “Petya” (a malware that has been around since 2016) due to arguments over its core code experts are also referring to this strain as “NotPetya”, “PetryaWrap” and “GoldenEye”.
The trouble is, while WannaCry seemed to be an unfinished, rushed piece of North Korean malware containing many design flaws, Petya doesn’t make the same mistakes and could be after bigger data sets like enterprise backups because it moves and infects so well within subnets.
WHERE DID IT BEGIN?
The outbreak seems to have begun in The Ukraine, with the country’s government, top energy companies and Kiev’s metro system all reporting hits on their systems.
In scenes not seen in years in the former Eastern Block country, ATMs had no money, gas stations served no petrol and supermarket tills were not operating. A decade ago, this would have caused a Kaiser Chiefs-like riot but nowadays, the official Ukrainian Government Twitter account tweeted this:
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue ? pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
At least there’s no prone-to-meltdown nuclear power plant in Ukraine. Oh, there is?
Fact-checkers Snopes reports that “The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone.”
WHO ELSE HAS BEEN HIT?
After infecting two of Russia’s oil-giants, Rosneft and Bashneft and fellow steelmaker Evraz, the malware spread to Danish cargo-shipping giant Maersk and port operators in The Netherlands and India.
German Deutsche Post reported difficulties in the Ukraine while French construction materials company Saint Gobain, Britain’s WPP (the largest PR agency in the world) and the Australian branch of English chocolate manufacturer Cadbury’s followed.
Hours later, in the United States, pharma-giant Merck & Co. and Oreo cookie maker (and Cadbury’s American partner) Mondelez both reported cyber attacks along with global legal firm DLA Piper.
HOW DOES PETYA WORK?
Petya’s creators are demanding $300 in Bitcoin. So far, it seems it is only targeting Windows systems and not Macs right now by using EternalBlue (the same stolen NSA exploit WannaCry used) to attack the Windows Server Message Block (SMB) service.
Once inside a network, Petya also attempts to spread internally by running credential-stealing code to break user account and admin passwords to infect other PCs on the network to deploy ransomware across up to 255 other computers on one LAN, rather than the internet.
Then, to make matters worse, Petya can also spread by infecting network shares on other computers by utilising PsExec from Microsoft’s SysInternals suite and Windows Management Instrumentation.
WHAT MAKES PETYA WORSE THAN WANNACRY?
As a UX experience, Petya seems to being going backwards! How about some lovely skull graphics?
Whilst this outbreak seems to be far more targeted (2,000 compared to 200,000), what makes Petya doubly dangerous is one major difference that could mean we’re in for a longer ride than last month’s short-lived outbreak.
Remember how WannaCry was stopped? Young, surf, pizza and Pokemon-loving 22-year-old Marcus Hutchins aka MalwareTech was the hero who happened upon its kill switch. The hackers included this feature to help the ransomware avoid analysis but, in an act of brilliant poetic justice, the kill switch became WannaCry’s downfall.
Well, at the time of writing, Petya doesn’t look like it contains any such kill switch feature, meaning it could be ransomware without an Achilles Heel.
As always, there are conflicting reports with Wired Magazine stating Petya could be here to stay, while Kryptos research say that Petya is “dead, but still dancing.”
WHO’S TO BLAME?
The early word on the street is that the attack appears to have begun in The Ukraine because the ransomware exploits vulnerabilities in an accounting program that companies working with the Ukrainian government need to use from a company called MEDoc.
MEDoc, the company was hacked then pushed out the malware via its software updates.
The Ukrainian company issued conflicting press statements, first posting a message in Ukrainian which (according to Google Translate) jovially stated “Our server made a virus attack. We apologize for the inconvenience!” before later denying it was the source of the infection.
WHAT IF YOU GET INFECTED?
Without getting infected ourselves, we can’t verify, but a Boston based researcher at Cybereason, Amit Serper seems to have found a kill switch that stops Petya from running.
— Amit Serper (@0xAmit) June 27, 2017