The Petya ransomware cyber attack has affected major enterprises and nations across Europe, and researchers are now pointing out that it is actually a wiper, not ransomware, which makes it much worse. In a new blogpost, Symantec has put out data on the countries worst affected by this cyber attack. While Ukraine has had the maximum impact globally, India is the worst hit in Asia, according to the security firm.
Symantec’s blogpost lists the top 20 countries where Petya has had an impact. Ukraine is on top, the US is second and Russia is next, followed by France, the UK, Germany and then India. China and Japan are next on the list of countries where Petya has played havoc.
Earlier it was reported that operations at one of three terminals in Mumbai’s Jawaharlal Nehru Port Trust (JNPT) had come to a halt thanks to the global cyber attack. According to reports, this terminal is operated by Danish shipping giant AP Moller-Maersk, which is still struggling with the cyber attack and has seen its systems crash.
The port has been trying to clear containers manually, but operational capacity has dropped to a third at the terminal, Anil Diggikar, chairman of Jawaharlal Nehru Port (JNPT), told Reuters. “This is fallout of global cyber attack. We are hopeful that operations will normalise in a day,” he added.
Researchers have pointed out that Petya is not really a ransomware, but rather a wiper. Essentially the aim of the malware is to delete all data, including data on the first sectors of the disk where the information about the operating system is usually stored. Kaspersky has reported that the hackers have no way of decrypting the data. The idea with this attack was to cause massive destruction of data, not to make financial gains.
According to Symantec’s blogpost, Petya uses the EternalBlue exploit to spread to a computer and take over the machine as well as the organisation’s network. It exploits SMB network spreading techniques, and can spread easily within organizations, even if they have patched against the EternalBlue vulnerability.
The Petya attack is believed to have started via MEDoc, which is a tax and accounting software package in Ukraine. Organizations in this country were the primary targets, according to reports. Symantec says Petya is a worm and has the ability to self-propagate. “It does this by building a list of target computers and using two methods to spread to those computers, IP address and credential gathering,” says the research firm’s blogpost.
Symantec also confirmed that Petya modifies the master boot record (MBR) on the computer, which lets it take over the loading process of the OS on the next reboot; this is used to encrypt the hard disk. Once the reboot is done, it displays a message to the user, asking them to pay up to free their data. However, as research firms have confirmed, there’s no point in paying the hackers. The data cannot be recovered, as this program is a wiper, not regular ransomware.
With Reuters inputs