NTSC Blog

Special NTSC News Roundup: Petya


On Tuesday, June 27, 2017, another major ransomware virus called Petya ravaged the world by infecting more than 12,000 computers. At first, the attack looked similar to WannaCry but some key differences soon emerged:

  • Petya looked like ransomware but did not allow users to decrypt files. Although the virus functioned like ransomware and even presented a ransom demand screen after a reboot, users were unable to pay the ransom and decrypt their files. Cybersecurity experts started calling it a wiper with ransomware-like behavior.
  • Petya functioned as a worm, often bypassing the security of even patched operating systems. Once inside an organization, it could spread as a powerful worm even when an operating system was patched.
  • Petya remained mostly isolated to Europe, and especially Ukraine. According to Symantec, “MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.”

Like WannaCry, Petya originated from the NSA EternalBlue exploit. These two major cyberattacks—occurring in rapid succession—are alarming both CISOs and lawmakers who are concerned about threats to national security and commerce. It is not yet clear who orchestrated this cyberattack. Where WannaCry pointed to North Korea, Petya is currently thought to be the work of financially motivated cybercriminals or a nation-state like Russia.

We’ve collected and curated articles that will get you up to speed on Petya and offer a variety of viewpoints about this latest attack.

Also, read our Q&A with IBM Security's Wendi Whitmore where she goes into more detail about the nature of Petya, the global impact of the cyberattack, and what CISOs need to know in the aftermath.


WHAT IS PETYA?

These articles give detailed descriptions explaining everything technical that you want to know about Petya.

Petya Ransomware Campaign (IBM Security)

“While initially reported as another outbreak of wcry, X-Force attributes this activity to at least three new variants of Petya ransomware.”

Petya ransomware outbreak: Here’s what you need to know (Symantec)

Schroedinger’s Pet(ya) (Securelist)

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made. It appears this malware campaign was designed as a wiper pretending to be ransomware.”

New ransomware, old techniques: Petya adds worm capabilities (Microsoft)

“On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.”

Petya, NotPetya? A Definitive FAQ (Barkly)


PETYA IS NOT RANSOMWARE

These articles talk about why Petya is not ransomware.

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware (Bleeping Computer)

“The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.”

Ransomware Victims Unable to Decrypt Files After Email Provider Shuts Down Attackers' Inbox (Gizmodo)

“The consensus among malware experts now is that the cyberattacks launched Tuesday were merely disguised as ransomware. The malware—which Kaspersky Lab calls “NotPetya”—is actually a wiper, the purpose of which is to permanently damage its victims’ data. Despite previous reports, it no longer appears that the actor behind the attack was motivated by money.”

Petya.2017 is a wiper not a ransomware (Comae Technologies)


PETYA’S ORIGIN

This article discusses Petya’s origin in Ukraine.

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software (Bleeping Computer)

“Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies.”


PETYA’S EFFECTS

These articles discuss the global effects and impact of Petya.

Global ransomware attack causes turmoil (BBC)

Petya Ransomware Wreaks Havoc Across the Globe (Cyware)

“…the majority of the attack burden lies in Europe where several multinational companies spanning different sectors have been infected. As per preliminary reports, the victims include government banks, state electricity grid, telephone companies in Ukraine. The attack has disrupted functioning in various multinational companies like Saint-Gobain, Russian steel magnate Evraz and Rosneft, France’s Saint-Gobain and Danish shipping company AP Moller-Maersk.”

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry (The Hacker News)

Cybersecurity stocks rally as ransomware attack targets thousands of computers (CNBC)

  • The "Petya" ransomware attack has infected more than 12,000 computers around the globe, according to Microsoft.
  • Cybersecurity stocks rose on Wednesday following the attack, which began the day before.
  • Major businesses, such as Russia's Rosneft, have been targeted by the ransomware attack.


REPORTS OF A VACCINATION

Interestingly, a vaccination appeared that served to protect systems from Petya.

Create a single file to protect yourself from the latest ransomware attack (ZDNet)

“You can vaccinate your system in seconds from the Petya/NonPetya ransomware -- at least, for now.”

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak (Bleeping Computer)

“To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.”


ADDITIONAL COMMENTARY

PETYA – Darwinism applied to cyberspace (CSO)