Petya ransomware is part of a new wave of cyber attacks that have hit computer servers all across Europe, locking up computer data and crippling enterprise services in the corporate sector. Ukraine and Russia are the worst affected, though the attack has also impacted some companies in the US and other Western European countries. So what exactly is the Petya ransomware attack, and how does it affect a PC? And what can one do to protect against the ransomware? We explain everything you need to know.
What is Petya ransomware? What vulnerability is it exploiting in the Windows system?
Petya is ransomware, similar to the WannaCry attack. According to security research firm Kaspersky, Petya could be a variant of Petya.A, Petya.D, or PetrWrap. However, the firm doesn’t think this is a variation of the WannaCry cyber attack.
The post from Kaspersky also notes that Petya is exploiting the same EternalBlue exploit that was used by the WannaCry attack. The blogpost notes, “This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within corporate networks.”
For those who don’t remember, the WannaCry attack affected over 300,000 computers globally, and it also exploited this particular security vulnerability in Microsoft’s Windows systems. Microsoft had issued a security patch to fix the ‘EternalBlue’ exploit in Windows 10, Windows 8, 7 and even Windows XP PCs. The problem is the same as with many Windows updates: people might not have applied the security patch or downloaded the update.
How exactly does Petya spread? What does it do to an infected computer?
Petya is ransomware, and it follows WannaCry’s pattern. The ransomware locks up a computer’s files and demands $300 in Bitcoin as ransom to unlock the data. All data on the computer gets encrypted.
This message is flashed on the computer: “If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
According to Kaspersky’s security team, in order to get the credentials it needs to spread, the ransomware relies on a custom tool described as “a la Mimikatz”. This extracts credentials from the lsass.exe process, the Local Security Authority Subsystem Service, which is one of the crucial components of the Windows system.
The attack is believed to have started through an update for third-party Ukrainian software called MeDoc, which is used by many government organisations in the country. According to reports, this is also why Ukraine was the worst affected. Kaspersky says over 60 per cent of attacks took place in Ukraine, with Russia second on the list at 30 per cent. But these are just the initial findings from Kaspersky.
Once the malware infects the computer, it waits for an hour or so and then reboots the system. After the reboot, the files are encrypted and the user gets a ransom note on their PC asking them to pay up. Users are also warned against switching off their PC during the reboot process, because it could make them lose their files.
As the Kaspersky blog points out, the attackers want to be paid in Bitcoin: victims are asked to send the ransom to a particular address, and then e-mail their Bitcoin wallet ID and personal number to the address “firstname.lastname@example.org”, confirming the transaction has been made.
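The credential-theft step described above (a tool reading the memory of lsass.exe) is one of the more detectable parts of this attack chain. The script below is an added example, not code from the article or from Kaspersky: it runs a simple detection over constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process that opens lsass.exe with memory-read rights and is not on a small allowlist of Windows components. The log format, the sample records and the allowlist are all assumptions for the example and would need tuning in a real environment.

```python
# Added example (not from the article): flag processes that open lsass.exe
# with memory-read rights, using constructed Sysmon Event ID 10 records.
from dataclasses import dataclass
from typing import List, Optional

# Windows process access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of Windows components that legitimately open lsass.exe.
# Every environment is different; treat this as a starting point only.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Parse one constructed 'Key=Value;Key=Value' record.

    Returns None for anything that is not a Sysmon ProcessAccess (ID 10) event.
    """
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    if fields.get("EventID") != "10":
        return None
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccess) -> bool:
    """True when a non-allowlisted process opens lsass.exe with VM_READ."""
    if not ev.target_image.lower().endswith("\\lsass.exe"):
        return False
    if not ev.granted_access & PROCESS_VM_READ:
        return False
    return ev.source_image.lower() not in BENIGN_SOURCES


def find_lsass_access(lines: List[str]) -> List[str]:
    """Return the source images of all suspicious lsass.exe accesses."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev.source_image)
    return hits


# Constructed sample records (not real telemetry). The second line is the
# only one that should fire: an unknown binary reading lsass memory (0x1010 =
# PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION).
SAMPLE_EVENTS = [
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010",
    r"EventID=10;SourceImage=C:\Temp\dump.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010",
    r"EventID=10;SourceImage=C:\Windows\System32\Taskmgr.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1400",
    r"EventID=10;SourceImage=C:\Temp\dump.exe;TargetImage=C:\Windows\explorer.exe;GrantedAccess=0x1010",
    r"EventID=1;SourceImage=C:\Temp\dump.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010",
]

if __name__ == "__main__":
    for src in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe with memory-read access")
```

The access mask matters: Task Manager querying lsass.exe with 0x1400 carries no VM_READ bit and is ignored, while the same 0x1010 request from an allowlisted svchost.exe passes. Only the unknown binary is reported.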
So how can the ransomware attack be stopped?
The malware seems to spread across the entire local network, including known server names. According to Kaspersky, “Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.” So yes, this is a fairly comprehensive cyber attack.
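The propagation behaviour Kaspersky describes, one host checking every IP on the local network for TCP 445 and 139, stands out in network telemetry because a normal workstation talks to a handful of file servers, not to dozens of peers in a few minutes. The script below is an added example, not code from the article or from Kaspersky: it runs over constructed connection-log lines and flags any source address that reaches an unusual number of distinct internal hosts on those two ports within a time window. The log format, the internal address range and the threshold are assumptions for the example.

```python
# Added example (not from the article): detect one host sweeping the local
# network on TCP 445/139, from constructed connection-log lines.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

SMB_PORTS = {445, 139}
INTERNAL = ip_network("10.0.0.0/8")   # assumption: the local network range
THRESHOLD = 10                        # distinct internal hosts per window; tune per site
WINDOW_SECONDS = 300


def parse_flow(line: str) -> Tuple[int, str, str, int]:
    """Parse a constructed '<unix_ts> <src_ip> <dst_ip> <dst_port>' line."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_smb_sweeps(lines: List[str], threshold: int = THRESHOLD,
                    window: int = WINDOW_SECONDS) -> Dict[str, int]:
    """Return {source_ip: peak_distinct_targets} for sources over the threshold.

    Only connections to internal destinations on 445/139 are counted, and the
    peak is the largest set of distinct targets seen inside any window.
    """
    per_source = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in map(parse_flow, lines):
        if dport in SMB_PORTS and ip_address(dst) in INTERNAL:
            per_source[src].append((ts, dst))

    flagged = {}
    for src, hits in per_source.items():
        hits.sort()
        peak = 0
        for i, (t0, _) in enumerate(hits):
            # Distinct destinations reached within `window` seconds of hit i.
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample flows (not real traffic):
#  - 10.0.1.5 touches twelve different internal hosts on 445/139 in one minute
#  - 10.0.1.7 repeatedly talks to a single file server, which is normal
#  - 10.0.1.9 connects to an external address on 445, which is out of scope here
SAMPLE_FLOWS = (
    [f"{1000 + i * 5} 10.0.1.5 10.0.2.{i + 1} {445 if i % 2 == 0 else 139}"
     for i in range(12)]
    + [f"{1000 + i * 20} 10.0.1.7 10.0.2.100 445" for i in range(15)]
    + ["1010 10.0.1.9 203.0.113.7 445"]
)

if __name__ == "__main__":
    for src, count in find_smb_sweeps(SAMPLE_FLOWS).items():
        print(f"ALERT: {src} reached {count} internal hosts on SMB ports")
```

The check counts distinct destinations rather than raw connection volume, so a busy but legitimate client hitting the same server many times does not trip it, and the window keeps a slow, day-long accumulation of ordinary connections from being mistaken for a sweep.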
When it comes to decrypting files, currently there is no solution. According to the security researchers at Kaspersky, “the ransomware uses a standard, solid encryption scheme.” The firm notes that unless the hackers made a mistake, the data can’t be accessed.
So who is behind the Petya cyber attack? Which companies and countries have been impacted?
Researchers are still looking for who is responsible for this attack. But the impact is serious. In Ukraine, government offices, energy companies, banks, cash machines, gas stations and supermarkets have all been impacted, reports Associated Press. The Ukrainian Railways, Ukrtelecom and the Chernobyl power plant were also affected by the attack.
Multinational companies like law firm DLA Piper, shipping giant AP Moller-Maersk, drugmaker Merck, as well as Mondelez International, the owner of food brands such as Oreo and Cadbury, were also impacted. In the US, some hospitals have also been hit by this cyber attack. Poland, Italy and Germany are other countries affected. In India, the Jawaharlal Nehru Port has been impacted, given Moller-Maersk operates the Gateway Terminals India (GTI) at JNPT. This terminal has capacity for over 1.8 million standard container units.
So what happens now?
For starters, it seems the email address used by the hackers has been suspended by the service provider. In a blogpost Posteo wrote, “We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away.” Posteo also confirmed that it was no longer possible for the attackers to access the email, send mails, or access the account.
Users who have lost their data can’t really recover it unless they have a backup. There’s no way of getting the decryption key from the hackers, since the email account has been shut down. However, according to a tweet from HackerFantastic, when the system starts to reboot, the user should power off the PC. His tweet reads, “If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine.”
The problem with Petya is that right now researchers have no solution for decrypting these files. There’s also no way of stopping the attack from spreading, given it exploits vulnerabilities in the network.
For users, it is best to keep a backup of all their data. Preferably this backup should be kept offline, and it should be encrypted. Users should also not click on email links from suspicious IDs or on links asking for access to personal information. Also keep your Windows PC updated with the latest software.