A few weeks back we saw the massive WannaCry ransomware attack spread around the world, infecting hundreds of thousands of computers and locking their owners out of their files. Now another piece of malware appears to be infecting machines at scale. On Tuesday afternoon a new malware called “Petya ransomware” or “PetWrap ransomware” attacked many computers at corporations, power suppliers and banks across Russia, Ukraine, Spain, France, the UK, India and the rest of Europe, demanding $300 in Bitcoin.
The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, the state telecom, the municipal metro and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s electricity supplier Ukrenergo, although a spokesperson said the power supply was unaffected by the attack.
It also caused disruption at firms including the advertising giant WPP, the French construction materials company Saint-Gobain and the Russian steel and oil firms Evraz and Rosneft.
The food giant Mondelez, the legal firm DLA Piper and the Danish shipping and transport giant AP Moller-Maersk also said their systems had been hit by the malware.
What is Petya ransomware?
Petya is a nasty piece of ransomware that works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt the files on a targeted system one by one.
Instead, Petya reboots the victim’s computer, encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and locations on the physical disk.
Petya ransomware replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.
How does Petya ransomware spread?
Petya ransomware spreads over the Microsoft Windows SMB protocol. It uses the EternalBlue exploit tool, which exploits CVE-2017-0144; this is the same exploit WannaCry used to spread globally in May 2017.
“Petya uses the NSA EternalBlue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit,” confirmed Mikko Hypponen, Chief Research Officer at F-Secure.
After the system is compromised, the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then e-mail their Bitcoin wallet ID to firstname.lastname@example.org to retrieve their individual decryption key.
As of 01:38 IST on June 28th, 30 payments had already been made to the attackers’ wallet.
How to protect against Petya ransomware?
We will update shortly with full details on prevention of Petya ransomware.
Windows users should take the following general steps to protect themselves:
- Apply the security updates in MS17-010
- Block inbound connections on TCP port 445
- Create and maintain good backups so that if an infection occurs you can restore your data.
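As an added example (not part of the original article), the following PowerShell script audits a Windows host against the first two steps above and applies them. The MS17-010 KB numbers it checks are assumed from the bulletin and must be verified for your OS build, and the firewall rule name is arbitrary.

```powershell
# Added example, not the article's own code. Run from an elevated prompt on
# Windows 8 / Server 2012 or later (the Smb* and NetFirewall cmdlets need it).
# ASSUMPTION: these KB ids are recalled from the MS17-010 bulletin; confirm the
# one that applies to your OS build before trusting a "present" result.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4013429')

# Step 1: is any MS17-010 update installed on this host?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update found; this host is exposed to EternalBlue.'
}

# EternalBlue abuses SMBv1, so also turn that protocol off on the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 is already disabled.'
}

# Step 2: block inbound TCP 445. Caveat: this also stops legitimate file and
# printer sharing *to* this machine, so do not apply it blindly to file servers.
$ruleName = 'Block inbound SMB 445 (Petya mitigation)'   # arbitrary name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
} else {
    Write-Host "Firewall rule '$ruleName' already exists."
}

# Note: this covers only the SMB vector. As quoted above, Petya also moves
# inside networks with WMIC and PSEXEC, so patching alone is not sufficient.
```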
Attacked by Petya ransomware?
Please don’t pay the attacker if your computer is affected by Petya ransomware; you will not get your files back. The e-mail address (email@example.com) used by the attacker was blocked once the Petya attack was detected on Tuesday.
Targeted extensions of Petya ransomware.