Petya: The story so far

Ransomware initially targeted individuals through phishing or other infection techniques that required user interaction. While profitable to the cybercriminals, such campaigns took time to reach a big scale. The WannaCry attack that happened in May, took ransomware to the next level by introducing worm-based compromise of machines. This Tuesday’s attacks, named Petrwrap or Petya are part of a natural evolution of ransomware technology and build on the techniques established by WannaCry.

However, unlike WannaCry, Petya is a different kind of ransomware. Common delivery methods are via phishing emails, or scams. The payload requires local administrator access. Once executed, the system’s Master Boot Record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process.

Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems. It is when the machine is rebooted to encrypt the MFT that the real damage is done.

Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab

“Tuesday’s attacks used a different form of ransomware similar to a virus known as Petrwrap or Petya, according to Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab.

“By mid-afternoon (on Tuesday), breaches had been reported at computers governing the municipal energy company and airport in Ukraine’s capital, Kiev, the state telecommunications company Ukrtelecom, the Ukrainian postal service and the State Savings Bank of Ukraine. Payment systems at grocery stores were knocked offline, as well as the turnstile system in the Kiev metro,” added Raiu.

Security experts have confirmed that this new variant has swept the globe impacting a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. It is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected. The ransomware demands that the infected user can only recover their data by paying a ransom of approximately $300 worth of bitcoins.

John Miller, Senior Manager, Analysis at FireEye

“Petya is ransomware family that is atypical in that the malware does not encrypt individual files on victims’ systems, but instead overwrites the master boot record (MBR) and encrypts the master file table (MFT), which renders the system inoperable until the ransom has been paid. The malware contains a dropper, custom boot loader, and a small Windows kernel that executes additional encryption routines,” stated John Miller, Senior Manager, Analysis at FireEye.

FireEye is further investigating whether this activity constitutes a significantly novel threat or an extension of known issues, as widespread ransomware campaigns are a regular occurrence at this time.

Cisco’s security research organisation, Talos’ initial analysis points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is a widely-used tax software used by many organisations in or doing business with Ukraine. There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US.

Kalle Bjorn, Director, Systems Engineering at Fortinet

It appears that this attack started with the distribution of an Excel document that exploits a known Microsoft Office exploit, says Kalle Bjorn, Director, Systems Engineering at Fortinet. “Once a device is infected through this vector, Petya begins to take advantage of the same vulnerability used by Wannacry to spread to other devices. The worm-like behaviour exhibited by this malware is due to its active probe for an SMB server. It appears to be spreading thru EternalBlue and WMIC,” Bjorn explained.

Becky Pinkard, Vice President, Service Delivery and Intelligence Operations at Digital Shadows

According to security experts from Digital Shadows, there is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the #ETERNALBLUE SMBv1 worm functionality. “More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up,” Becky Pinkard, Vice President, Service Delivery and Intelligence Operations at Digital Shadows.

Once a vulnerable device has been targeted, Petya appears to impair the Master Boot Record (MBR) during the infection cycle. It then provides the user with a ransom note stating, ‘Your files are no longer accessible because they have been encrypted,’ and demanding approx. $300 ransom in the Bitcoin digital currency. It then specifies that shutting down the computer will result in the complete loss of the system. After this ransomware enters the system, it uses three ways to spread automatically around a network, one of which is the known Eternal Blue vulnerability, similar to how last month’s WannaCry attack unfolded.

In contrast to other reports, Kaspersky Lab’s preliminary findings suggest that this attack is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality and has been named ExPetr by the company. Kaspersky Lab experts will continue to examine the issue to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.

By stealing credentials from machines that it infects, Petya is also able to infect fully patched machines, which is how Petya has drastically amplified the impact and scale of the attack.  What’s clear from this, and recent attacks, is that organisations must prioritise patching systems to lower their risk profile. In addition, making back-ups of key data is a fundamental of any security program. This new outbreak once again highlights the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged.

With IoT and connected devices being an integral part of everyday life, the digital attack surface area is bound to grow. This gives the attackers more opportunities to infiltrate data. This latest wave of what looks to be ransomware is just another example of the real-world threats encountered by organisations, governments and countries all over the world. Furthermore, by attacking healthcare, postal services, and transport services (among others) these attacks are affecting people’s day-to-day activities as well.

As per recent updates, Petya has not yet impacted organizations in the Middle East, but it is possible that we will see some infections in this region as well.