It is said that, "those who do not learn history are doomed to repeat it". In May 2017, the WannaCry ransomware virus spread quickly around the world infecting thousands of computers and locking owners out of their files. Prior to this, Microsoft patched the EternalBlue vulnerability in March, before the May outbreak of WannaCry took place. Despite the extensive damage the WannaCry outbreak caused, organizations did not take heed to security experts warnings to apply security patches to their Microsoft Windows-based computer systems. It was warned that it was only a matter of time before the next digital attack would fall upon us.
And that brings us to our current status where beginning yesterday morning, Tuesday June 18th, Petya ransomware malware started spreading across Europe.
UPDATE #1: While initial analysis identified this attack as a variant of ‘Petya’, its behavior patterns indicate that it is in fact a new strain reminiscent of the ‘Wannacry’ ransomware attack. It has therefore recently been been dubbed ‘NotPetya’ or ‘Petna’.
UPDATE #2: We have identified several unique hashes, these are listed below and in the link above.
- MD5: 041dbafc528760bdfbbf06579a68c76e
- SHA1: a21340dd76a80b3bd4b126ee31b07f25ae2cafc4
- SHA256: 3b099d4807034ea4701d9bef7a822cf605225de1cfdceae92940fbf3438c5f0a
What is Petya?
It is a type of ransomware which works differently from other malware. The difference is that instead of encrypting the files one by one, it reboots the computer and encrypts the Master Boot File. This file contains the disk mapping, operating system files, names, size and location across the hard disk. Once the file is opened, it spreads itself over the network to additional computers if there is a Microsoft vulnerability on those computers. Once the ransomware encrypts important documents and files on the infected computers, it then demands a Bitcoin ransom key to unlock the files.
WannaCry Similarities to Petya
Petya ransomware utilizes the SMBv1 EternalBlue exploit, operating in the same manner as WannaCry . This exploit takes advantage of unpatched Windows machines. At least one of the tools used by the WannaCry ransomware was used with Petya, making it so successful and affecting nearly 300,000 computers worldwide within only a day.
As we stated above, Microsoft has patched vulnerabilities for all versions of Windows operating systems, but many users are still vulnerable and various malware variants are exploiting the flaw in order to deliver ransomware with cryptocurrency mining.
Those Who Fell Prey To Petya
The Petya cyber attack has spread across Europe with firms in Ukraine, Britain and Spain forced to shut down. And the stories have been hitting Twitter like a storm. Here are a few examples:
- In the Ukraine, various banks as well as the Chernobyl nuclear power plant, which had to switch to manual radiation monitoring. The National Bank of Ukraine claimed that they are dealing with an unknown virus and that several of their banks were affected as well as financial institutions. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement said.
As for Kyiv's energy generating company, Kyivenergo was attacked and had to shut down all their computers.
- DLA Piper, a global law firm confirmed that their offices in the UK, Europe, Middle East and the US were instructed to turn off their computers as a precautionary measure. Those from within the firm have stated that email and phone systems have been affected with many systems also locked down.
- The Chernobyl nuclear power plant was monitoring their radiation levels manually after having to shut down their Windows system that their sensors were using.
How Can You Protect Yourself?
Here is a list of simple steps your organization can take in order to protect yourself:
- Apply patches against EternalBlue (MS17-010) and disable the unsecured SMBv1 file-sharing protocol on your Windows systems and servers.
- Block emails from wowsmith123456 [at] posteo.net (.exe files)
- Update anti-virus on all systems.
- Close off inbound TCP ports (135, 445, 1024-1035).
- Prevent running .exe files within %AppData%.
- If the virus is detected, the computer should not be turned off (cmd / k shutdown-a) and the format should not be taken.
- On a non-infected machine, create a file called perfc in the C:\Windows folder and make it read only to prevent the encryption routine running in case of infection.
- Intercept reboot post-infection to prevent encryption (shutdown and employ file recovery techniques to extract critical data before restoring to a known good backup).
The Bottom Line
According to security experts, Petya, as well as other ransomware strains are going to continue to thrive until companies take action and patch their computer systems. Failing to do so will just prolong this attack as well as future attacks.