‘Petya’ is the second global ransomware attack to occur in just two months following the infamous WannaCry attack in May 2017. Companies around the world have been crippled by the latest Petya attack, which first appeared on June 28. The Ukrainian government was severely hit, as were banks and electricity grids, and other companies in France, Denmark and the State of Pennsylvania.
The Petya attack comes just months after the WannaCry attack that took place over the weekend of May 12, in which data was encrypted and payment was demanded for its release. WannaCry was a malicious program that affected smartphones and computers, encrypting and locking data so that it could not be accessed until payment was made. The attack hit the UK’s NHS, Spanish telecoms giant Telefónica, and other businesses and institutions around the world.
This time, victims of the latest Petya attack were left unable to unlock their computers even if they paid the ransom to the hackers. Their computers displayed a message demanding a $300 bitcoin ransom. Those who paid were asked to send confirmation of payment to an email address, according to a report by The Guardian, but that email address has been shut down by email providers.
German email provider Posteo said in a blog post: “We do not tolerate any misuse of our platform.” This means that there was no longer a way for those with infected computers to pay the ransom to potentially obtain a decryption key to unlock their computer and save their information.
The Petya virus began circulating on June 28 and quickly spread around the world, mainly infecting businesses and government agencies and departments in Ukraine and Russia at first. The malware itself appears to be a straightforward ransomware program, according to Becky Pinkard, vice president of Service Delivery and Intelligence Operations at security firm Digital Shadows.
“Once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted,” she said. “The program then instructs the user to pay the $300 ransom to a static Bitcoin address, and then email the bitcoin wallet and personal ID to the email address, which is now blocked.”
There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the EternalBlue SMBv1 worm functionality, Pinkard adds. “More work is needed to investigate the way the virus propagates,” she said. “In the meantime, businesses are urged to ensure their software is up-to-date and all files backed up.”
The Guardian said that, after the attack was first reported in Ukraine, the radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone. The nation suffered from attacks on the government, banks, state power and utility, and Kiev’s airports and metro system.
Other major firms to feel the brunt of the Petya attack include food giant Mondelez, legal firm DLA Piper, Danish shipping and transport company AP Moller-Maersk, and Heritage Valley Health System, which runs hospitals and healthcare facilities in Pittsburgh, Pennsylvania. Maersk had all of its business units affected, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers.
In addition, public relations firm WPP said the computer systems at several of its subsidiary companies had been affected by Petya. The company said it was “assessing the situation and taking appropriate measures” to counter the attack. In an internal memo to staff, one WPP branch claimed it was the target of “a massive global malware attack, affecting all Windows servers, PCs and laptops.”
According to some security experts, the Petya attack showed signs of being an “updated variant” of a virus known as Petya or Petwrap, a ransomware that locks computer files and forces users to pay a designated ransom to regain access to the computer. However, analysts at Kaspersky Labs claim the latest attack is “a new ransomware that has not been seen before.”
In a statement Kaspersky Labs said the company’s analysts are “investigating the new wave of ransomware attacks targeting organizations around the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.”
Organizations in Russia and Ukraine were “most affected” by the attack, Kaspersky claims, and hits were also registered in Poland, Italy, Germany, the UK, the US, and several other countries. “This appears to be a complex attack which involves several attack vectors,” the statement adds. “We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”
The EternalBlue exploit is a tool originally discovered by the US National Security Agency (NSA), which kept it on file as a potential tool to use for surveillance or other purposes. It was compromised in April 2017 when a group of hackers known as Shadow Brokers released a cache of stolen NSA documents on the internet, including details about the vulnerability that WannaCry went on to exploit. The exploit could only affect computers running Microsoft Windows.
Microsoft lashed out at the NSA and other spy agencies for stockpiling vulnerabilities instead of reporting them to computer companies to be fixed. The danger of stockpiling digital weapons has prompted calls for a “Digital Geneva Conventions” to govern their use.
Microsoft released a software update in March 2017 that would protect users against the vulnerability for operating systems such as Windows XP and Windows Server 2003, but it soon became apparent that many people didn't bother to update their computers, thus exposing computers to the WannaCry attack.
Symantec cyber security experts said they had confirmed that the ransomware used in the Petya attack was using the same EternalBlue exploit as WannaCry. To spread within companies that had installed the patch to protect themselves against WannaCry, Petya appears to have other ways of spreading quickly within an organization, by targeting the network’s administrator tools.
Who’s to blame?
Ukraine suffered a range of hacking attempts on state websites in late 2016, and the Petya attack is yet another blow for the country. Prime Minister Volodymyr Groysman said the attack was “unprecedented” but said vital systems were not affected. “The attack will be repelled and the perpetrators will be tracked down,” he said.
The nation’s main airport was temporarily closed following the attack, as was the metro system. The central bank claimed the attack was the result of an “unknown virus”. In a statement it said: “As a result of these cyber-attacks, these banks are having difficulties with client services and carrying out banking operations.”
Russia has been blamed for previous cyber-attacks against Ukraine, including an attack on the nation’s power grid at the end of 2015 that left part of western Ukraine temporarily without electricity. However, Russia firmly denied any involvement.
Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and, as the Petya attack highlights, there are many ways for an infection to enter an organization, says Steven Malone, director of security product management at Mimecast, an international company specializing in cloud-based email management for Microsoft.
“It’s vital you regularly backup critical data and ensure that ransomware cannot spread to backup files,” he says. “Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your back-up window is long enough to go back before any infection begins.”
The new Petya outbreak once again highlights the disruptive power of ransomware like never before. The fight against cyber-attacks has seen protection spending rapidly increase around the world, with the global cyber security market estimated to be worth some $120 billion this year.