A new ransomware dubbed “Petya” started spreading across Europe on Tuesday, affecting businesses and governments that weren’t sufficiently protected. But its reach has not been restricted to just Europe, as India has suffered at the hands of Petya ransomware. This is the second public ransomware attack in as many months, following up on the WannaCry ransomware that affected 230,000 in over 150 countries.
The ransomware’s name comes from the fact that it behaves similar to a ransomware from last year by the same name, which encrypted a hard drive’s index page and overwrote the booting instructions. Some security researchers – including those at Kaspersky – have noted that it’s not a variant of last year’s Petya ransomware, but rather one that just behaves like it. That’s why you might also see people calling it “NotPetya” or “Nyetya”.
It’s still very early, even for security experts, to predict the fallout of Petya ransomware, but here’s what we do know about the new ransomware, from the affected organisations, and who’s behind it, to how it’s spreading across the world.
Who has been affected by Petya ransomware?
According to multiple reports, Petya ransomware was first delivered via an update for a Ukrainian accounting software called MeDoc, using a false digital signature. While the company has denied the allegations, researchers at Kaspersky and Talos Intelligence, as well as the Ukrainian cyberpolice, have confirmed the findings.
Since MeDoc is one out of two approved accounting programs in Ukraine, as per a security researcher, Petya spread across Ukraine like wildfire, hitting both government services and foreign companies. It affected the country’s national bank, the state power company, and the largest airport: Kiev’s Borispol Airport. It has even affected the Chernobyl nuclear power plant, according to The Independent, which has been forced to fall back on older technologies for radiation monitoring.
Petya ransomware also hit Danish shipping giant Maersk, and has since affected the likes of British advertising giant WPP; Russian oil producer Rosneft, steel maker Evraz, and Russian branches of Home Credit Bank; French construction material manufacturer Saint Gobain; US pharma company Merck & Co, and confectionery giant Mondelez; Germany’s Deustche Post and Metro operations in Ukraine; and Dutch shipping firm TNT Express.
What about Petya’s impact in India?
Due to Petya ransomware, the India operations of German personal care company Beiersdorf AG, and British consumer goods company Reckitt Benckiser have been hit, as per reports. The ransomware has also halted work at one of the terminals at India’s largest container port, Jawaharlal Nehru Port (JNPT) off the east coast of Mumbai. The reason for that is because Maersk’s offices in the Netherlands were infected by Petya, which handles containers at Gateway Terminals India (GTI) at JNPT.
How is Petya different from WannaCry?
Petya relies on the same NSA-leaked EternalBlue exploit that was used by WannaCry, but that’s only one of its strategies to burrow itself across computers on a network. Microsoft issued a patch for affected Windows versions, but businesses take time to install updates in fear of breaking compatibility with existing software. That’s exactly why the people behind Petya are targeting organisations in the first place, since they are much more vulnerable than an individual user.
And unlike WannaCry, the new Petya ransomware doesn’t have a kill-switch that was discovered by security researcher MalwareTech mere days in. Making it worse, Petya needs only a single fault in a network, so as long as one machine on a company’s network hasn’t applied the Microsoft patch, it can then infect every other computer on that network too.
Thankfully, Petya is designed to spread inside one company rather than across the globe, says MalwareTech, which means it only scans on the same local network rather than the Internet. Since networks are limited in size, Petya should stop spreading much sooner than WannaCry, which still continues to spread.
How does Petya ransomware work?
Apart from using a modified version of the EternalBlue exploit, Petya is making use of two Windows system utilities to move inside a network. They are called Psexec and Windows Management Instrumentation (WMI), and both allow Petya to gain remote admin access on local computers.
“To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz,” Kaspersky noted in its preliminary analysis. “These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.”
Once it infects a computer, Petya waits for 10-60 minutes, and then reboots the computer with a scheduled task. Upon reboot, it encrypts the Master File Table – the so-called hard drive’s index – and then overwrites the Master Boot Record (which contains instructions for where the system OS is located) with a custom loader. It also places a ransom note, to explain what users must do to regain control of their computers.
Post that, the ransomware obtains a list of computers on the same network, and then checks whether two TCP ports – 139 and 445 – are open. If they are, Petya then proceeds to infect them with one of the above methods.
Who is behind it? And what are their demands?
There’s no clarity yet on who is behind it, except an email address (“[email protected]”) that’s now defunct. But judging by the attackers’ initial target, it’s clear that they intended to affect government and business operations in Ukraine. The country has blamed its neighbour Russia for previous cyber-attacks, including one that took down its power grid in 2015. It’s possible there’s some correlation, or it could be just coincidence.
As for their demands, the ransom note that’s displayed after the Petya infection asks for the equivalent of $300 (roughly Rs. 19,300) in Bitcoin to a unified Bitcoin address. After that, you must send a confirmation of the payment to an email address upon which the attackers will send you a decryption key.
While some people made payments on Tuesday night, ransom payments aren’t advised any more as the email address being used for confirmation has been shut down by the email provider. That means even if you’re okay paying $300 for your data, it’s impossible for the attackers to send you a decryption key.
How can I protect myself? And what do I do if I’m already infected?
As an individual user, you should ensure that you’re using a fully-updated version of Windows. If you’re on an older release due to a company policy, talk to your IT department to apply the MS17-010 patch issued by Microsoft. You should also consider using anti-malware software such as Kaspersky Internet Security to scan for problems, and the company claims the updated versions of its software can now detect the malware. Symantec security products with virus definition 20170627.009, and above, are also protected, a report by The Guardian notes. For organisations, it’s advisable to disable Psexec and WMI, and apply the Microsoft patch to all systems if it hasn’t already been done.
Since Petya only encrypts your computer upon reboot, you should shut down your computer if you believe you’ve been infected. If you see this screen upon reboot, shut down your computer immediately. You can also follow this guide to trick the ransomware into not running, though it’ll need to be used on every computer if you’re part of a network.
In case you find yourself on the ransom note screen, there’s nothing you can do unfortunately as the attackers’ email address is now invalid. You’ll need to format your hard drive, and do a fresh install of Windows.