Petya - A Global Threat
On 27 June 2017, Microsoft found reports of a ransomware infection spreading across Europe. The first infection started in Ukraine, where more than 12,500 machines encountered the threat. The ransomware subsequently went on to spread to 64 other countries, including Belgium, Brazil, Germany, Russia, and the United States.
What is Petya & How does it Spread?
Petya is a family of encrypting ransomware, first discovered in 2006. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that ultimately encrypts the files on these systems. The ransomware then demands a payment in Bitcoin from the victims to regain access to their files.
One of the primary vectors for the Petya infection was MeDoc, a financial software firm based in Ukraine. The firm's software update feature was compromised and the attackers used it to distribute Petya. Once a single machine is infected, Petya spreads peer-to-peer to other Windows-based endpoints and servers that are vulnerable to MS17-010. It can also spread via PsExec to admin shares, even on patched machines.
Experts believe that this new variant of Petya, better known as Petwrap / NotPetya / Pentya 2017, is a wiper disguised as ransomware. Based on the meager payout of $10,000 collected so far, it seems that the attackers' intentions were not monetary. This raises a further concern and a question: was the attackers' aim to cause targeted harm to Ukraine as a country?
WannaCry 2.0? – Not Quite.
Like a worm, Petya infects networks by moving from computer to computer. The ransomware accomplishes this with the help of a hacking tool known as EternalBlue, which takes advantage of vulnerabilities in Microsoft Windows. This seems to be similar to WannaCry, the recent major ransomware attack just before Petya. However, there are a few new yet alarming characteristics about Petya:
- Does not have a remote kill switch like WannaCry
- Far more sophisticated given the variety of automated ways to spread
- Renders machines useless and encrypts entire hard drives instead of just specific files
- Aside from EternalBlue, infects other Windows machines via other methods, e.g. seizing user credentials
- Main mode of infection through company networks rather than via the Internet
With such vast differences from WannaCry, Petya requires its own careful consideration when formulating an appropriate defense strategy. Petya has the potential to deal massive damage, as is evident from the huge impact on critical infrastructure in Ukraine. The consequences of such rapid spread of infections can have a negative effect on daily business and personal activities. Defending yourself is crucial. Perform these actions to limit the chances of infection:
- Apply Windows update MS17-010
- Disable the outdated protocol SMBv1
- Limit the privileges of local ‘administrators’
- Make backups and verify that files can be restored from them
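The four actions above can be checked from one script. The following PowerShell is an added example written for this page; it is not code from the original press release or from Quantiq. It assumes Windows 8 / Server 2012 or later (so that the `SmbServerConfiguration` cmdlets exist), PowerShell 5.1 or later (for `Get-LocalGroupMember`), and an elevated prompt. The KB numbers, the `-Fix` switch and the restore-test path are assumptions chosen for the example: the KB that delivers MS17-010 differs per OS build, so adjust the list to the bulletin for your systems.

```powershell
# Added example (not from the original page): report-only audit of the four
# mitigations listed above, with the SMBv1 remediation applied only when -Fix is given.
[CmdletBinding()]
param(
    # Apply the SMBv1 change instead of only reporting it.
    [switch]$Fix,
    # Hotfix IDs that deliver MS17-010. These two are an example for
    # Windows 7 / Server 2008 R2; replace with the KB for your build.
    [string[]]$Ms17010Kb = @('KB4012212', 'KB4012215'),
    # A file restored from your last backup; its presence proves the restore path works.
    [string]$RestoreTestPath = 'C:\Backups\restore-test.txt'
)

$findings = @()

# 1. MS17-010: is at least one of the expected hotfixes installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
if ($installed) {
    $findings += "OK   MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    $findings += "FAIL MS17-010 not found (checked $($Ms17010Kb -join ', '))"
}

# 2. SMBv1: check the server-side protocol switch; disable it and the
#    optional feature when -Fix is set.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "FAIL SMBv1 server protocol is enabled"
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $findings += "     -> SMBv1 disabled; reboot to complete removal of the feature"
    }
} else {
    $findings += "OK   SMBv1 server protocol is disabled"
}

# 3. Local administrators: list the members so unexpected accounts stand out.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$findings += "INFO Local Administrators ($($admins.Count)): $($admins.Name -join ', ')"
if ($admins.Count -gt 2) {
    $findings += "WARN more than two local administrators; remove any that are not required"
}

# 4. Backups: confirm a known restored file is readable and report its age.
if (Test-Path $RestoreTestPath) {
    $age = (Get-Date) - (Get-Item $RestoreTestPath).LastWriteTime
    $findings += "OK   restore-test file readable, last written $([int]$age.TotalDays) day(s) ago"
} else {
    $findings += "FAIL restore-test file missing at $RestoreTestPath; verify that backups can be restored"
}

$findings
```

Run it without arguments first to see the report; `-Fix` only changes the SMBv1 setting, because removing the hotfix gap, trimming the administrators group and fixing backups are decisions an operator should make deliberately rather than from a script.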
Doing your part to defend yourself against Petya is essential. However, can you defend yourself against the future cyber threats that are sure to come?
Don’t do it alone. With Quantiq, we protect your organization with our versatile range of solutions:
Contact us at firstname.lastname@example.org