The Petya cyber attack that swept the globe and infected enterprise networks across Europe is actually much worse than initially thought. Security researchers have now concluded that Petya is not ransomware but a wiper.
The haze of the massive ransomware attack is clearing, and Ukraine has emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The attack's reach touched some of the country's most crucial infrastructure, including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to switch its radiation-monitoring systems to manual.
When people say Petya, they usually mean one of three things:
- The boot loader that encrypts the MFT.
- The dropper that installs the boot loader.
- The normal user mode ransomware, which is also known as Misha.
Difference Between WannaCry and Petya
The important difference between WannaCry and Petya is that WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seems to have been deployed onto a large number of computers and then spread via the local network. In this instance, therefore, there is a low risk of new infections more than one hour after the attack: the malware shuts the computer down to encrypt it one hour after execution, by which time it has already completed its local network scan.
As well as using EternalBlue, Petya can also propagate over the network using WMIC (Windows Management Instrumentation Command-line), trying credentials gathered from the local machine with Mimikatz. This allows it to infect systems that are patched against EternalBlue or are not running SMB at all.
Additionally, it leads to an uncomfortable question: what if money wasn't the point? What if the attackers simply wanted to cause damage to Ukraine? It is not the first time the country has come under cyberattack.
Researchers also note that the ransomware does its encryption on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a "Check Disk" message, you can avoid having your files encrypted by quickly powering down.
Additionally, for the current variant of the ransomware, administrators can stop the spread within a network via Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running. Administrators can also shore up their defenses by using Microsoft's Local Administrator Password Solution (LAPS) to protect the credentials that grant network privileges.
“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”
All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.
Source - 1 - http://indianexpress.com/article/technology/tech-news-technology/petya-cyberattack-this-is-a-wiper-not-ransomware-and-much-much-worse-4727038/
Source - 2 - https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
Source - 3 - https://www.wired.com/story/petya-ransomware-wannacry-mistakes/
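As an added illustration of the WMIC lateral-movement path the post describes (this is example code written for this thread, not code from the post or from any of the cited articles): a small Python detector run over constructed process-creation records. It flags wmic.exe creating a process on another node, especially with explicit credentials on the command line (what Mimikatz-harvested passwords look like when replayed), processes spawned by the WMI provider host on the receiving side, and any command line referencing perfc.dat. The record shape, host and user names, and the rundll32 invocation form of the perfc.dat payload are assumptions for the example, not taken from the page.

```python
"""Added example: flag the WMIC lateral-movement pattern described in the post.

Each record mimics the fields of a Windows process-creation event (Sysmon
Event ID 1 / Security 4688).  All records, host names, users and command
lines below are CONSTRUCTED for this example; none are real logs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Standard WMIC syntax for creating a process on another machine:
#   wmic /node:<host> [/user:<u> /password:<p>] process call create "<cmd>"
WMIC_REMOTE_EXEC = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)
WMIC_EXPLICIT_CREDS = re.compile(r"/user:\S+.*/password:\S+", re.I)
# File name the post gives for the current variant's payload.
PERFC_PAYLOAD = re.compile(r"perfc\.dat", re.I)


def classify(ev: ProcessEvent) -> list[str]:
    """Return the rule names that fire for one event (empty list = benign)."""
    findings = []
    cl = ev.command_line
    if ev.image.lower().endswith("\\wmic.exe") and WMIC_REMOTE_EXEC.search(cl):
        # Explicit /user: /password: is how harvested credentials are replayed;
        # a token-based run (no switches) is still remote execution and is
        # still worth flagging, just with a different rule name.
        if WMIC_EXPLICIT_CREDS.search(cl):
            findings.append("remote-wmi-exec-with-explicit-creds")
        else:
            findings.append("remote-wmi-exec")
    # On the target, a process created through WMI is a child of the WMI
    # provider host; that is how the receiving side of the hop shows up.
    if ev.parent_image.lower().endswith("\\wmiprvse.exe"):
        findings.append("spawned-by-wmi-provider-host")
    if PERFC_PAYLOAD.search(cl):
        findings.append("perfc-payload-reference")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that matched a rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample: one host pushing the payload to a peer with stolen
# credentials, the peer running it, and some benign WMIC/other noise.
# The rundll32 invocation form is an assumption made for this example.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:"10.0.0.12" /user:"CORP\svc_backup" /password:"Hunter2!" '
                 r'process call create "rundll32.exe \"C:\Windows\perfc.dat\" #1"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ADMIN01", r"CORP\helpdesk", r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic /node:"fileserver01" os get lastbootuptime',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("WS02", r"CORP\svc_backup", r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Windows\perfc.dat" #1',
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent("WS02", r"CORP\bob", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.host} {ev.user}: {', '.join(hits)}")
```

Note that a remote WMI query (the ADMIN01 record, `/node:` without `process call create`) is deliberately not flagged, so routine inventory scripts do not drown the alert; the point of the post is that the credential replay and remote process creation, not SMB, are what patching alone does not stop, so those are what the rules key on.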
Omg
I just hate ransomware
Glad you posted this to make everyone here aware
Thank You for sharing
I know a tool can be used by someone for good or evil, but this usage of cryptocurrencies to pay for unlocking files or some similar extortion worries me.
We really don't need some burdensome regulation coming down the pike just because law makers are afraid of the damage these attempts cause.
There are so very few in government that really understand technology, so I'm wary that there will be a new push to either weaken the underlying crypto, or attack cryptocurrencies directly.
And the irony is that these kinds of attacks don't even yield that much.
https://www.bleepingcomputer.com/news/security/south-korean-web-hosting-provider-pays-1-million-in-ransomware-demand/
If you don't keep backups and your entire business goes down, then it pays very well indeed. Strong crypto and poor infrastructure are the culprits here. Cryptocurrencies just allow for anonymous(ish) movements of money