#Petya/#NotPetya – your questions answered
OK, what’s gone on?
Early on Tuesday, June 27, reports started coming in of a sustained cyber attack initially believed to be a state-sponsored attack on Ukraine, billed as a more sophisticated version of the WannaCry ransomware that wrought havoc across the world only last month. One of Ukraine’s deputy prime ministers tweeted a picture of his laptop, with a fake drive integrity scan masking the installation of high-grade ransomware. Affected systems in Ukraine are not limited to PCs across the government, public sector and businesses of all sizes but include bank ATMs, airport security scanners, supermarket POS systems and even the radiation monitoring devices installed at the site of the Chernobyl disaster.
Over the next few hours, as global institutions ranging from WPP to Maersk, DLA Piper to Saint-Gobain and Merck each disclosed they’d fallen victim to the same attack, it became clear that this was not simply confined to Ukraine, and the greater sophistication of its design brought with it increased challenges for IT teams across the globe.
So why Petya/NotPetya?
After initial scans, analysts at Kaspersky Labs and Symantec believed it to be a resurgence of last year’s Petya attack, which leveraged Dropbox, fake job applications and other techniques to mask installation of malware which locked up a user’s files, with a message displayed asking for a ransom.
On closer inspection, however, there were several important differences, chief amongst which was the 2017 variant’s method of encryption. Kaspersky later issued an update and dubbed the resurgent variant #NotPetya.
Romanian cyber security firm, BitDefender, named it GoldenEye, and have seized the opportunity to take out banner ads across Google’s Display Network offering 50% off their premium antivirus product.
How does #NotPetya work?
Like many recent cyber attacks, it leverages bits of different tools to accomplish its goal. #NotPetya spreads in a number of ways, chiefly by scanning active RAM for login details and checking any it finds for admin privileges. If that doesn’t work, it can also resort to the same EternalBlue vulnerability that made WannaCry so successful.
Rather than just lock up individual files, this updated variant of Petya locks up the Master Boot Record and the file table, meaning an affected user wouldn’t ever be able to reboot their computer.
Ryan Kalember, senior VP of cyber security strategy at longtime Qatalyst client, Proofpoint, said: “This is not an experienced ransomware operator”, although he conceded that “It has a better mechanism for spreading itself than WannaCry”.
Why did it hit Ukraine so hard?
Well, little-known financial tech firm, MeDoc, admitted late Tuesday that its servers had been breached and a software update released to customers on June 22 had been compromised by malicious hackers. Their accounting software is used in Ukraine by government, the public and private sector as well as across Eastern Europe, and is likely to have been the vehicle for transmission across the Atlantic. Crippled shipping giant Maersk was advertising for MeDoc specialists in the region recently.
Craig Williams, head of the Threat Intelligence Unit at Cisco, pointed out that there were a number of indicators that made it clear to him that this was more than ransomware. An attack on this scale, targeted quite precisely at Ukraine through hacking the MeDoc update server, and launched the day before Constitution Day – an important national holiday with deep political significance – suggests serious political motivations.
What can I do..?
The answer to that question depends entirely on the stage at which the malware is detected. If you see what looks like a CHKDSK scan taking over your screen, rip out the power cord/battery straight away and boot from a USB stick/drive to reinstall Windows. Unfortunately, if you’re at a later stage than the drive scan, all hope is lost – time to check how recent your last backup was.
To protect yourself, though, the advice hasn’t changed: disable any features/open ports you don’t want/need, make sure you have auto-patch updating turned on, be very wary when opening suspicious emails and above all, make regular backups in such a way that you can restore your files quickly and easily should you need to.
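As an added example (not from the original article or any vendor), the following PowerShell function audits the two exposure points the advice above and the EternalBlue section touch on: whether SMBv1 and inbound TCP 445 are reachable, and whether automatic patching is still running. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the `-Remediate` switch and the function name are this example’s own.

```powershell
# Added defensive check, not code from the article. Run elevated.
function Test-NotPetyaExposure {
    [CmdletBinding()]
    param([switch]$Remediate)   # hypothetical switch: apply fixes, not just report

    $findings = @()

    # 1. SMBv1 server protocol: the transport EternalBlue abuses.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled'
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. SMB1Protocol optional feature (client and server binaries) still installed.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $findings += 'SMB1Protocol Windows feature is installed'
        if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    }

    # 3. Any enabled inbound firewall rule that allows TCP 445 (file sharing port).
    $open445 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if ($open445) {
        $findings += "Inbound TCP 445 allowed by: $($open445.DisplayName -join ', ')"
    }

    # 4. Windows Update service disabled means auto-patching cannot run.
    $wu = Get-Service -Name wuauserv
    if ($wu.StartType -eq 'Disabled') {
        $findings += 'Windows Update service (wuauserv) is disabled'
    }

    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

Test-NotPetyaExposure            # report only
# Test-NotPetyaExposure -Remediate   # also turn SMBv1 off (reboot may be needed)
```

Disabling the SMB1Protocol feature leaves any legacy devices that still speak only SMBv1 (old NAS boxes, printers) unable to connect, so check the report before running with `-Remediate`.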
My computer has been encrypted, should I pay up?
Generally, the advice of security experts is not to pay, but in this case we can categorically say it would be a total waste of money. The email address linked to the BitCoin wallet is registered with Posteo, a Berlin-based email provider, who have since taken the account down, which means there is no way for the attacker to communicate with his victims even if they pay up to release their files.
Qatalyst Global is a specialist B2B events company operating globally, working in fields including cyber security, artificial intelligence, Industrial IoT, blockchain and more. Based in London, our team works closely with leading IT professionals, engineers, academics, government and select vendors to ensure our events are consistently end-user focused and driven by the requirements of the market. Join the Cyber Security for Critical Assets group on LinkedIn here.