On Tuesday, June 27, 2017, another major ransomware virus called Petya ravaged the world by infecting more than 12,000 computers. At first, the attack looked similar to WannaCry, but some key differences soon emerged:
Like WannaCry, Petya originated from the NSA EternalBlue exploit. These two major cyberattacks, occurring in rapid succession, are alarming both CISOs and lawmakers who are concerned about threats to national security and commerce. It is not yet clear who orchestrated this cyberattack. Where WannaCry pointed to North Korea, Petya is currently thought to be the work of financially motivated cybercriminals or a nation-state like Russia.
We’ve collected and curated articles that will get you up to speed on Petya and offer a range of viewpoints about this latest attack.
Also, read our Q&A with IBM Security's Wendi Whitmore where she goes into more detail about the nature of Petya, the global impact of the cyberattack, and what CISOs need to know in the aftermath.
WHAT IS PETYA?
These articles give detailed descriptions explaining everything technical that you want to know about Petya.
Petya Ransomware Campaign (IBM Security)
“While initially reported as another outbreak of wcry, X-Force attributes this activity to at least three new variants of Petya ransomware.”
Schroedinger’s Pet(ya) (Securelist)
“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made. It appears this malware campaign was designed as a wiper pretending to be ransomware.”
“On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.”
Petya, NotPetya? A Definitive FAQ (Barkly)
PETYA IS NOT RANSOMWARE
These articles talk about why Petya is not ransomware.
Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware (Bleeping Computer)
“The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.”
“The consensus among malware experts now is that the cyberattacks launched Tuesday were merely disguised as ransomware. The malware—which Kaspersky Lab calls “NotPetya”—is actually a wiper, the purpose of which is to permanently damage its victims’ data. Despite previous reports, it no longer appears that the actor behind the attack was motivated by money.”
Petya.2017 is a wiper not a ransomware (Comae Technologies)
This article discusses Petya’s origin in Ukraine.
Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software (Bleeping Computer)
“Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies.”
These articles discuss the global effects and impact of Petya.
“…the majority of the attack burden lies in Europe where several multinational companies spanning different sectors have been infected. As per preliminary reports, the victims include government banks, state electricity grid, telephone companies in Ukraine. The attack has disrupted functioning in various multinational companies like Saint-Gobain, Russian steel magnate Evraz and Rosneft, France’s Saint-Gobain and Danish shipping company AP Moller-Maersk.”
Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry (The Hacker News)
REPORTS OF A VACCINATION
Interestingly, a vaccination appeared that served to protect systems from Petya.
“You can vaccinate your system in seconds from the Petya/NonPetya ransomware -- at least, for now.”
Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak (Bleeping Computer)
“To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.”