Petya is a family of ransomware that first appeared in early 2016. It revived a trick first seen in the early 1990s: rather than encrypting every file on the computer, it attacks the Master File Table (MFT), the index the NTFS file system uses to record where each file lives on the disk.
Without a readable MFT the system cannot locate any file on the volume, so the effect is the same as if every file had been encrypted individually, even though the file contents themselves are left untouched.
The big difference is that encrypting the MFT is far faster than encrypting each file separately.
The ransomware takes over computers and demands $300, paid in Bitcoin. Once one machine in an organization is infected, the malware spreads rapidly across the network, either by exploiting the EternalBlue vulnerability in Microsoft Windows (Microsoft released a patch, but not everyone has installed it) or by abusing two legitimate Windows administrative tools. It tries one method and, if that fails, moves on to the next. “It has a better mechanism for spreading itself than WannaCry”, said Ryan Kalember, of cybersecurity company Proofpoint.
In early 2017 a new variant, dubbed PetrWrap, emerged. It built on Petya but corrected some of the weaknesses in the original code that had allowed security companies to help victims unlock their systems.
PetrWrap is detectable by antivirus scanners, but if it gains a foothold before it is stopped, its encryption is strong enough that you are unlikely to recover your files without the key.
It now appears that, while the initial infection probably still arrives via something such as a malicious spreadsheet attached to an email, the malware can spread, at least in part, across a network using what appears to be the same weakness exploited in the WannaCry ransomware outbreak.
Veteran security expert Chris Wysopal said the malware seemed to be spreading via some of the same Windows code loopholes exploited by WannaCry. Many firms did not patch those holes because WannaCry was tackled so quickly, he added.
Among those caught out were industrial firms, which often struggle to apply software patches quickly.
Most organizations hit by this attack find patching and upgrading their machines difficult, because their systems cannot afford downtime.
Copies of the malware have been submitted to online scanning services that check whether security software, particularly antivirus products, can spot and stop it.
Crucially, unlike WannaCry, this version of ‘Petya’ tries to spread internally within networks but does not seed itself externally. That may have limited the ultimate spread of the malware, and the rate of new infections appears to have fallen overnight.
Is there any protection?
Most major antivirus vendors now say their products detect and block ‘Petya’ infections: Symantec products using definitions version 20170627.009 should, for instance, and Kaspersky also says its security software can now spot the malware. Additionally, keeping Windows up to date, at the very least by installing March’s critical patch (MS17-010) for the SMBv1 flaw that EternalBlue exploits, closes one major avenue of infection and will also protect against future attacks that carry different payloads.
For this particular outbreak another line of defence has been found: ‘Petya’ checks for a read-only file in C:\Windows named after its own file name without the extension, perfc (the sample was dropped as perfc.dat, so many advisories recommended creating perfc.dat and perfc.dll as well), and if it finds it, it does not run the encryption side of the software. But this “vaccine” is per-machine, not a kill switch: it does not prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.
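As an added example (not code from the article or from any antivirus vendor), the following PowerShell script applies the two host-level defences described above: it creates the read-only vaccine files in C:\Windows and reports whether the SMBv1 path that EternalBlue relies on is still open on this host. The vaccine file names, the list of MS17-010 KB identifiers (which covers the Windows 7/8.1/2012 families only) and the function names are assumptions of this example, noted in the comments. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the article. Run as Administrator.
$ErrorActionPreference = 'Stop'

function New-PetyaVaccine {
    # Creates the per-host "vaccine" files. The malware only tests for the
    # file's existence, so an empty file is enough; read-only is set so that
    # the file is not trivially overwritten.
    # Assumption: perfc is the name checked; perfc.dat/.dll are added to be safe.
    param([string]$WindowsDir = $env:SystemRoot)

    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path | Out-Null
        }
        $file = Get-Item -LiteralPath $path
        $file.IsReadOnly = $true
        [pscustomobject]@{
            Path     = $path
            Exists   = (Test-Path -LiteralPath $path)
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

function Test-Smb1Exposure {
    # EternalBlue exploits SMBv1. If the protocol is disabled, that propagation
    # path is closed whether or not the patch has been applied.
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = $feature.State
    }
}

function Test-Ms17010Installed {
    # Assumption: these KBs are the MS17-010 security-only and monthly-rollup
    # packages for Windows 7/2008 R2, 8.1/2012 R2 and 2012. On Windows 10 the
    # fix ships inside cumulative updates that supersede these IDs, so a
    # negative result here is not proof that the host is unpatched.
    param([string[]]$KbIds = @('KB4012212','KB4012215','KB4012213',
                                'KB4012216','KB4012214','KB4012217'))
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010Found = [bool]$found
        MatchedKbs   = ($found | ForEach-Object HotFixID) -join ','
    }
}

New-PetyaVaccine   | Format-Table -AutoSize
Test-Smb1Exposure  | Format-List
Test-Ms17010Installed | Format-List
```

The vaccine protects only the machine it is written to, so it must be deployed to every host (for example via Group Policy or a configuration management tool); disabling SMBv1 and applying MS17-010 are what actually stop the EternalBlue propagation path, and neither blocks the spread via the administrative tools mentioned above.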
So is this just another opportunistic cybercriminal?
It initially looked as though the outbreak was just another cybercriminal taking advantage of cyberweapons leaked online. However, security experts say the payment mechanism seems too amateurish to have been built by serious criminals. First, the ransom note gives the same Bitcoin payment address to every victim, whereas most ransomware generates a unique address per victim so that a payment can be matched to its decryption key. Second, the malware tells victims to contact the attackers via a single email address, which the email provider suspended once it discovered what the address was being used for. This means that even a victim who pays the ransom has no way to reach the attacker and request the key to unlock their files.