Petya, The Recent Ransomware Attack: All What You Need to Know

Following the attacks of the widely-known ransomware 2 months ago, the world has witnessed its second major cyber attack this year, and it’s even stronger and more dangerous. So what happened this time?

For more information about the previous ransomware attack, check out this article: http://insidermasr.com/miu/10109/wannacry-what-is-it-and-whats-its-deal/

Petna, Petya or NotPetya?

The original Petya attacked around late March 2016 and was halted by the 11th of April, 2016.

As for the current virus, Janus, the original creator of Petya, refers to it as “NotPetya”, while Fabian Wosar, an expert in ransomware encryption, calls it “Petna”.

[Image: Original Petya 2016 threat screen]

The reason for the name is the similarity in the encryption routine that the virus carries out. As Fabian Wosar has stated, the resemblance is in the boot loader, which encrypts the MFT (Master File Table), but the two differ in their normal user-mode component and in the dropper that installs the boot loader.

The Master File Table is a database where information about every file on the disk is stored.

Does it spread like WannaCry? And how different is it?

Although both viruses use the same exploit, called “EternalBlue”, the way the infection propagates is very different. WannaCry was far more invasive and spread across the internet, as it spread over SMBv1 (Server Message Block version 1), meaning it could scan for and infect other reachable computers on its own. Fortunately, there was a kill switch that disabled the ransomware, but it still had the potential to spread across the internet indefinitely. As for “NotPetya”, it mainly spreads via local networks, and its initial infection was extremely widespread, which led to many computers being affected.

[Image: Threat screen of Petna “NotPetya”]

However, Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky Lab, suggested that there was a second initial infection vector, as a site in the Ukrainian city of Bahmut (Бахмут) was hacked and used to serve the malware.

Please avoid visiting the link in the tweet, as it may be infected.

Moreover, Kaspersky Lab has concluded that NotPetya is more of a wiper than ransomware, as the encryption key cannot be recovered: the ID information shown to the victim is randomly generated. For further information, check out their article here.

What is the source of the ransomware/wiper?

Initial infections were recorded in Ukraine on June 27th, and the malware then spread to 64 other countries, including Brazil, Australia and the United States of America, through lateral credential theft and impersonation. For further information, click here.

It is generally believed that the attacks stemmed from an update released by a Ukrainian software company called MeDoc, which is currently facing allegations, denied by the company, that it was involved in spreading the malware. For further information, click here.


We will keep you updated in case new information is provided!

If you’re interested in further information, we recommend visiting Malwarebytes Labs and MalwareTech.