Petya ransomware has suddenly become one of the most talked-about terms on the web. It has affected organizations, disrupting business processes and causing system outages. In merely a day, it has affected hundreds of organizations in Ukraine.
According to Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan, “While the threat may have started in Eastern Europe, it has quickly spread across the world within a short time.”
He emphasized further, “Manufacturing organisations, which are highly concentrated in Asia, are particularly at risk as most do not apply updates and patches to their industrial computers as swiftly as corporate entities. This makes them especially vulnerable to rapid infections and complete shutdowns.”
What exactly is Petya, and what's the difference between Petya and the recent WannaCry attack?
Similar to WannaCry, Petya is a ransomware attack that locks up files, and it uses the ETERNALBLUE (MS17-010) Windows vulnerability as an infection vector to spread inside networks.
However, unlike WannaCry, Petya goes beyond file locking. It renders the victim's computer completely inoperable by attacking the Master Boot Record (MBR), a key part of the startup system that helps to load the OS and is also where key data about the hard disk partitions is stored.
From this point forward, it restricts access to the system by seizing information about file names, sizes and locations on the physical disk. Finally, Petya replaces the computer's MBR with its own code, which displays the ransom note once the system is powered up.
How did Petya spread on 27 June 2017?
According to the Symantec blog, it is confirmed that MEDoc, a tax and accounting software package, was used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.
Petya is a worm, meaning it has the ability to self-propagate. Once it establishes a foothold (in this case, in Ukraine), it builds a list of target computers and spreads to those computers via the following two methods:
- Execution across network shares: It attempts to spread to the target computers by copying itself to \\[COMPUTER NAME]\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
- SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.
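The copy-then-execute pattern in the first method leaves a trail on the target host that defenders can correlate. The following is an added example, not code from this article or from Symantec: it flags a file written to the ADMIN$ share that is then launched by the PsExec service or the WMI provider host shortly afterwards. The records are constructed and simplified from Windows Security events 5145 and 4688; the field names, hosts, addresses, file names and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified records modelled on Windows Security events
# 5145 (network share access check) and 4688 (process creation).
# Field names, hosts, addresses and file names are made up for this example.
EVENTS = [
    {"time": "2017-06-27T10:00:05", "host": "WS-01", "id": 5145,
     "share": r"\\*\ADMIN$", "target": "sample.dat", "src_ip": "10.0.0.7", "write": True},
    {"time": "2017-06-27T10:00:09", "host": "WS-01", "id": 4688,
     "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": r"rundll32.exe C:\Windows\sample.dat"},
    {"time": "2017-06-27T10:01:00", "host": "WS-02", "id": 5145,
     "share": r"\\*\ADMIN$", "target": "tool.exe", "src_ip": "10.0.0.7", "write": True},
    {"time": "2017-06-27T10:01:20", "host": "WS-02", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": r"C:\Windows\tool.exe"},
    {"time": "2017-06-27T09:00:00", "host": "WS-03", "id": 5145,   # copy, never executed
     "share": r"\\*\ADMIN$", "target": "patch.msi", "src_ip": "10.0.0.50", "write": True},
    {"time": "2017-06-27T09:30:00", "host": "WS-04", "id": 4688,   # WMI job, no prior copy
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "cscript.exe inventory.vbs"},
]

REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}  # PsExec service, WMI provider host
WINDOW = timedelta(seconds=60)                          # assumed correlation window

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_copy_then_execute(events, window=WINDOW):
    """Alert when a file written to ADMIN$ is run soon after, on the same host, via PsExec or WMI."""
    alerts, writes = [], {}  # writes: host -> [(time, file name, source ip)]
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5145 and ev["share"].upper().endswith("ADMIN$") and ev["write"]:
            writes.setdefault(ev["host"], []).append((ts, basename(ev["target"]), ev["src_ip"]))
        elif ev["id"] == 4688 and basename(ev["parent"]) in REMOTE_EXEC_PARENTS:
            for wts, name, src in writes.get(ev["host"], []):
                if timedelta(0) <= ts - wts <= window and name in ev["cmdline"].lower():
                    alerts.append({"host": ev["host"], "src_ip": src,
                                   "file": name, "via": basename(ev["parent"])})
    return alerts

if __name__ == "__main__":
    for alert in find_copy_then_execute(EVENTS):
        print(alert)
```

Because PsExec and WMIC are legitimate tools, neither event alone is a reliable signal; the correlation of the share write with the remote launch is what separates this pattern from routine administration.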
How much damage has Petya caused across the globe?
The chart below gives an overview on the number of organizations affected by Petya Ransomware.
Products That Protect from Petya
- Cloud service providers usually protect data from malware or ransomware attacks. For instance, Acronis Active Protection has been independently tested by MRG Effitas and AV Test and has been proven effective against the threat of ransomware; it is now available with Acronis True Image 2017 New Generation for consumers, as well as Acronis Backup 12.5 for businesses.
- Use reputable antivirus software: Companies like ESET and Norton Symantec regularly post updates on the latest trends in the cybersecurity space through their blogs. More importantly, users should make a habit of updating their antivirus software regularly to safeguard themselves against such attacks. Follow ESET's and Norton Symantec's blogs to better understand such attacks.
Also published on Medium.