Petya Malware Exposes Vulnerabilities in Computer Software
Recently, several organizations in both Europe and the US have been brought to their knees by a new ransomware attack called “Petya.” This malicious software has made its way through several large firms, including Mondelez, a food company; WPP, an advertiser; Maersk, a Danish logistics company; and DLA Piper, a legal firm. All of these companies have experienced computer and data lockups, and have been asked to pay a ransom for access.
This attack is troubling because it is the second major ransomware attack in two months to affect companies all over the world. You might remember that in May, the National Health Service (NHS) in Britain was infected by malware called WannaCry. This program affected the NHS and numerous other organizations across the globe. WannaCry was first revealed to the public when leaked documents related to the NHS were released online by hackers known as Shadow Brokers in April.
The WannaCry software, also called WannaCrypt, affected in excess of 230,000 computers, which were located in more than 150 countries across the globe. In addition to the NHS, Telefonica, a Spanish phone company, and state railways in Germany were also attacked.
Similar to WannaCry, “Petya” rapidly spreads throughout networks that use Microsoft Windows. The question, however, is: what is it? We also want to know why it is happening and how it can be stopped.
What Is Ransomware?
The first thing you must understand is the definition of ransomware. Basically, ransomware is any type of malware that works to block your access to a computer or data. Then, when you try to access that computer or the data on it, you cannot get to it unless you pay a ransom. Pretty nasty, and downright mean!
How Does Ransomware Work?
It is also important to understand how ransomware works. When a computer is infected by ransomware, the files on it are encrypted. This means that the documents on your computer are locked, and you cannot open them without paying a ransom. To further complicate things, the ransom must be paid in Bitcoin, not cash, for a digital key that you can use to unlock the files. If you don’t have a backup of your files, you have two choices: you can pay the ransom, which is usually a couple of hundred dollars to several thousand dollars, or you lose access to all of your files.
How Does the “Petya” Ransomware Work?
The “Petya” ransomware works like most ransomware. It takes over a computer, and then asks for $300 in Bitcoin. This malicious software spreads quickly across a network or organization once a single computer is infected. It uses the EternalBlue vulnerability in Microsoft Windows. Though Microsoft has now released a patch for the vulnerability, not everyone has installed it. The ransomware can also potentially spread via Windows administrative tools, which are accessible if there is no password on the computer.
If the malware cannot get in one way, it automatically tries another, which is how it has spread so quickly among these organizations. Thus, “Petya” spreads much more easily than WannaCry, according to cyber security experts.
Is There Any Way to Protect Yourself From “Petya?”
You are probably wondering at this point if there is any way to protect yourself from “Petya.” Most major antivirus companies say that they have updated their software not only to detect, but also to protect against, the “Petya” malware infection. For example, Symantec software offers protection from “Petya,” and Kaspersky has updated all of its software to help customers protect themselves from the malware. On top of this, you can protect yourself by keeping Windows updated. If you don’t do anything else, at least install the critical patch that Microsoft released in March, which defends against the EternalBlue vulnerability.
This stops one of the major ways to become infected, and it also protects against future attacks.
Another line of defense against the “Petya” malware outbreak is also available, and it has only recently been discovered. The malware checks the C:\ drive for a read-only file called perfc.dat. If the malware finds this file, it does not run the encryption. However, having this file doesn’t actually prevent the malware infection. An infected computer can still spread the malware to other computers on a network, even if the user doesn’t notice anything on their own computer.
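The marker-file check described above can be audited with a short PowerShell function; this is an added example, not code from the original article or from any vendor. The function name and its parameters are hypothetical, and because the article names only “the C:\ drive,” the directory is a parameter rather than a fixed path.

```powershell
# Added example (not from the article): audit, and optionally create, the
# read-only marker file the article says the malware looks for.
function Test-PerfcMarker {
    param(
        # ASSUMPTION: the article names only "the C:\ drive", so the directory
        # is a parameter; point it at the location your advisory specifies.
        [string]$Directory = 'C:\',
        [string]$FileName  = 'perfc.dat',   # file name as given in the article
        [switch]$Create                     # without this switch nothing is changed
    )

    $path = Join-Path -Path $Directory -ChildPath $FileName
    # -Force so a hidden or system file is still found.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

    if ($item -and $item.PSIsContainer) {
        throw "$path exists but is a directory, not a file."
    }
    if (-not $item -and $Create) {
        # Writing to the root of a system drive normally needs an elevated session.
        $item = New-Item -ItemType File -Path $path -ErrorAction Stop
    }
    if ($item -and $Create -and -not $item.IsReadOnly) {
        $item.IsReadOnly = $true   # the article says the file must be read-only
        $item.Refresh()
    }

    # One record per machine, suitable for collecting into a fleet report.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $path
        Exists   = [bool]$item
        ReadOnly = [bool]($item -and $item.IsReadOnly)
    }
}

# Report only (changes nothing):
Test-PerfcMarker
# Create the marker and set it read-only:
# Test-PerfcMarker -Create
```

A machine that reports Exists and ReadOnly as True still needs the March patch, since the marker only affects the encryption step and not the spreading described above.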
Why Is This Malware Called “Petya?”
You might also be wondering why this malware is named “Petya.” Actually, it’s not technically called “Petya.” Instead, it seems to share a lot of code with an old piece of ransomware that was called “Petya.” Within hours of the initial outbreak, however, security experts noted that the two pieces of ransomware were not as similar as was first thought. So, researchers at Kaspersky Lab started referring to the malware as “NotPetya” (that’s original!), as well as other names including “Petna” and “Pneytna.” Other researchers gave the program other names, including “Goldeneye,” which is what Bitdefender, from Romania, began calling it.
However, “Petya” had already stuck.
Where Did “Petya” Start?
Are you wondering where “Petya” started? It seems to have begun through the software update mechanism built into a certain accounting program. Companies working with the Ukrainian government were required by the government to use this particular program. This is why so many companies in Ukraine have been affected. The affected organizations include banks, government, the metro system of Kiev, the major Kiev airport, and state power utilities.
The system that monitors the levels of radiation at Chernobyl was also affected by the ransomware, and was ultimately taken offline. This forced employees to use manual hand-held devices to measure the radiation in the exclusion zone. On top of this, there was a second wave of malware infections, which was spawned by a campaign that featured e-mail attachments filled with malware.
How Far Has the “Petya” Infection Spread?
The “Petya” ransomware has spread far and wide, and has disrupted the business of companies in both the US and in Europe. For instance, WPP, an advertising firm in the US, Saint-Gobain, a construction materials company in France, and both Rosneft and Evraz, oil and steel firms in Russia, were also affected. A Pittsburgh company, Heritage Valley Health Systems, has also been hit by the “Petya” malware. This company runs hospitals and care facilities throughout the Pittsburgh area.
However, unlike WannaCry, the “Petya” malware attempts to spread quickly through networks it accesses, but it does not attempt to spread itself outside of the network. This fact alone might have actually helped potential victims of this malware, as it has limited the spread of it. So, there seems to be a decrease in how many new infections have been seen.
What Is the Motivation for Cybercriminals Who Send Out “Petya?”
When “Petya” was initially discovered, it seemed that the outbreak of the malware was simply an attempt by a cybercriminal to take advantage of leaked online cyber weapons. However, security professionals who looked a bit more closely at the “Petya” outbreak say that some mechanisms, such as the way payment is collected, are quite amateurish, so they don’t believe serious cybercriminals are behind it.
First, the ransom note that comes with the “Petya” malware includes the exact same payment address for every malware victim. This is strange because the pros create a custom address for each of their victims. Second, the program asks its victims to directly communicate with the attackers via a specific email address, which was immediately suspended when it was discovered that the email address was used for “Petya” victims. This means that even if a person pays the $300 ransom, they cannot communicate with the attackers, and furthermore, they cannot access the decryption key to unlock the computer or its files.
Who Are the Attackers, Then?
Cyber security experts don’t believe a professional cybercriminal is behind the “Petya” malware, so who is? No one knows at this point, but it is likely that the person or persons who released it wanted the malware to look like simple ransomware, when in fact it is much more destructive than typical ransomware. A security researcher, Nicholas Weaver, believes that “Petya” is a malicious, destructive, and deliberate attack. Another researcher, who goes by Grugq, believes that the original “Petya” was part of a criminal organization to make money, but this “Petya” is not doing the same.
They both agree that the malware was designed to spread quickly and to cause a lot of damage.
As we mentioned, Ukraine was hit quite hard by “Petya,” and the country has pointed its fingers at Russia. This isn’t surprising considering Ukraine has blamed Russia for a number of previous cyberattacks, too. One of these cyberattacks occurred in 2015, and it was aimed at the Ukrainian power grid. It ultimately ended up temporarily leaving parts of western Ukraine without any power. Russia, however, has denied any involvement in cyberattacks on Ukraine.
What Should You Do If You Believe You Are a Victim of Ransomware?
Do you think you might be the victim of a ransomware attack? This particular attack infects a computer and waits approximately an hour before the computer begins to spontaneously reboot. If this happens, immediately try to turn the computer off. This might prevent the files on the computer from being encrypted. At that point, you can try to take the files off of the machine.
If the computer finishes the reboot and a ransom note appears, do not pay it. Remember, the email address used to collect information from the victims and to send the key has been shut down. So, instead, disconnect the PC from the internet and the network, reformat the hard drive, and then use a backup to reinstall the files. Make sure you back up your files on a regular basis and always keep your antivirus software updated.