Here is why Petya is not a Typical Ransomware

Here is why Petya is not a Typical Ransomware

This week, another ransomware called “Petya” attacked major companies around the globe. 

The Victims

​Petya attacked the computers at the Chernobyl nuclear plant, forcing workers to manually monitor the plant’s radiation. The ransomware also attacked the computers of major global companies including Russian oil and gas giant Rosneft, Cadbury and Oreo-maker Mondelez, British advertising giant WPP, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, real estate subsidiary of French bank BNP Paribas and multinational law firm DLA Piper.
 
Microsoft, in a blog post, said that than 70% of the computers attacked by Petya were in Ukraine, while computers in other countries were also affected in significantly lower volumes. Microsoft added that the majority of Petya infections were observed in Windows 7 computers. 

How Does Petya Spread and Infect Computers

​Cyber security firms Kaspersky Lab and Symantec, and even Microsoft confirmed that Petya ransomware uses the Eternal Blue – a Microsoft Windows’ exploit believed to be originally developed for the use of the U.S. National Security Agency (NSA). The Eternal Blue is the same exploit used in WannaCry – another ransomware that affected hundreds of thousands of computers worldwide less than two months ago.
 
“Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself,” Symantec said. “However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.”
 
In addition to exploiting Microsoft Window’s vulnerability, Symantec said this latest ransomware spreads by acquiring usernames and passwords and spreading across network shares. According to Symantec, the Petya ransomware that started propagating last June 27 is a variant of an original Petya – a malware known to be in existence since 2016 – that not just encrypt files, it also overwrites and encrypts the master boot record (MBR).
 
Kaspersky Lab, for its part, said that this latest ransomware is significantly different from all earlier known versions of Petya, as such the cyber security firm calls it “ExPetr” or “NotPetya”.
 
In the new Petya – the term we use here as the world media adopted this name – cyber criminals demand from each of their victims to pay $300 in bitcoins to recover files. The following ransom note is displayed on the victim’s infected computer: 

​Cyber criminals behind the Petra ransomware attack use an email from the German email provider Posteo as a means to contact their victims. Upon learning that its email platform was used by cyber criminals, Posteo blocked the email account used by the Petra perpetrators on the same day that the ransomware was released to the wild.
 
As a result of Posteo’s email blockade, Petra’s victims will have no way to contact the people behind the latest ransomware attack. The Posteo’s email was supposed to be a venue where the victims would contact the blackmailers, telling them whether they’ve sent the bitcoins and from which they would receive decryption keys.

A complete technical analysis is available from the US-CERT, published on July 1, 2107.

Wiper vs Ransomware

​According to Kaspersky Lab, even without the email blockade, there’s still no way that victims can recover their files as the ransomware was designed in such a way that it’s impossible for victims to recover their data. To decrypt files, cyber criminals need the installation ID. Kaspersky Lab said other ransomware such as the old Petya, Mischa and GoldenEye have installation ID for file recovery.
 
In the new Petya, even the cyber criminals themselves can’t decrypt the victims’ files. The installation key shown in the new Petya ransom note, Kaspersky Lab said, is just a random gibberish, “which means that the threat actor could not extract the necessary information needed for decryption.”

According to Symantec, the encryption performed by Petya is twofold:

• First encryption happens as soon as the attack occurs, encrypting specific file types in user-mode; and 
• After a computer system reboot occurs, a second encryption – a disk encryption begins, and the ransom note is displayed to the user. A randomly generated Salsa20 key is used for disk encryption.

Symantec said that the "installation key" referred to in the ransom note is a randomly generated string that’s displayed to the user. The problem though, according to Symantec, is that the installation key and Salsa20 key have no connection at all, making it impossible to decrypt the files in the infected computer. “This demonstrates that Petya is more accurately a wiper rather than ransomware,” Symantec said.
 
“Either it was a sophisticated actor who knew what they were doing – except screwed up horribly on the part where they actually get paid or it wasn’t about the ransom in the first place,” said Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, told the New York Times.
 
“They are no longer collecting a ransom [referring to the new Petra ransomware],” Justin Harvey, managing director of global incident response at Accenture Security, told the New York Times. “They are just being destructive.”
 
If the main motive of the ransomware is money, Harvey said, cyber criminals typically set up multiple avenues to collect funds from their victims. The recent ransomware attack uses a single email address and a single bitcoin wallet for electronic payments.

How to Prevent Ransomware Attacks

Here are some of the ways to prevent ransomware attacks like the new Petya:

1. Use the latest operating system and make sure that most current updates are installed
It’s worthy to note that according to Microsoft, most of the Petya victims use Windows 7. Microsoft said that Windows 10 and its new streamlined operating system Windows 10 S block this type of attack by default.
 
2. Back up your data
Early this month, Nayana, a web hosting company in South Korea, agreed to pay more than $1 million to ransomware criminals to unlock its servers. This is believed to be the biggest ransomware payout on record. Backing up your data either offline or in the cloud protects your business from ransomware attacks. Cyber criminals will have no leverage on your business if you can easily retrieve your data somewhere else.

Businesses must backups and most importantly test the backups by performing test restores. Home users could protect their data by subscribing to one of many cloud storage and file sharing services.

Since the most important thing to protect your data against ransomware is to make sure that the operating system are always up to date,  always ask your IT department to demonstrate that they have a solid vulnerability and patch management solution to keep the information safe. 

Connect with us today, and our experts will answer your questions.