Petya ransomware: Ukraine blames Russian security forces for Petya ransomware attack

ITPRO, By Zach Marzouk and Nicole Kobie, 3 July 2017

The country claims to have proof that the Russian security services were involved in the cyber attack

Ukraine claimed that the Russian security services were behind the Petya cyber attack which affected businesses worldwide last week.

Ukraine’s security service, the SBU, has linked Petya to the December 2016 cyber attack in Ukraine in which the power grid was taken down, affecting roughly 700,000 homes. The SBU says it has obtained data from various international anti-virus companies that links the two attacks.

The security service also stated that the attack was designed to create the impression of a ransomware virus, but was in fact an attack specifically targeted at Ukraine. The SBU said: “In fact, the virus is a cover of [a] large-scale attack, oriented against Ukraine.”

It said the main aim of the virus was to destroy important data and create disorder in Ukraine in order to spread panic.

According to Reuters, various cyber security researchers have suggested Moscow was not behind the attack, since some major Russian firms were also hit by the ransomware. Moscow has denied any involvement; a Kremlin spokesperson dismissed the claims as “unfounded blanket accusations”.

The cyber attack, which goes by various names including Petya and NotPetya, locked down corporate computers in Europe and the US last week. It demanded $300 in Bitcoin to unlock a user’s files, but the attackers’ email account was shut down, meaning victims probably won’t get their data decrypted. A number of experts have said that the attack was deliberately destructive and spread fast to cause damage under the cover of ransomware.

28/06/2017: Vaccine may hinder Petya spread

Security researchers have found a workaround that disables the Petya ransomware that has wreaked havoc on computers around the world.

According to a blog post by IT security firm Cybereason, its principal security researcher Amit Serper discovered that creating a file named “perfc”, with no extension, in the C:\Windows\ folder stops the malware from running. The file has to be read-only for the method to work.

The ransomware checks for a file with its own name in the C:\Windows\ folder and, if one is found, exits before doing any damage, according to security researchers.

Cybereason said that once the original file name was found and verified by two different sources, Serper was able to piece together a kill switch that should work for any instance of the original ransomware infection. While this does not stop the ransomware if it is already running, it acts as a vaccination, stopping it from ever trying to encrypt files. Unlike WannaCry’s kill switch, which halted that outbreak globally once a single domain was registered, this is a per-machine vaccine: the file has to be present on every host you want to protect.
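The procedure above as a script, added here for this page and not Cybereason’s own tool. It assumes the article’s details: a file named “perfc” with no extension, marked read-only, in the directory `%SystemRoot%` points to (C:\Windows on a default install). It has to run from an elevated prompt, because a standard user cannot write into C:\Windows, and it reports both conditions so you can confirm the vaccine actually took.

```powershell
# Added example (not from the article or Cybereason): create the read-only
# "perfc" file that the ransomware checks for before it runs.
# Run as Administrator; writing to C:\Windows requires elevation.
function Install-PetyaVaccine {
    [CmdletBinding()]
    param(
        # Directory the malware checks. $env:SystemRoot is C:\Windows by default.
        [string]$WindowsDir = $env:SystemRoot,
        # File name without extension, as reported by Cybereason.
        [string]$Name = 'perfc'
    )

    $path = Join-Path $WindowsDir $Name

    # Create an empty, extensionless file only if it is not already there,
    # so re-running the script on a vaccinated host is harmless.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # The check only works if the file is read-only; set the attribute
    # if it is missing (e.g. someone created the file by hand).
    $item = Get-Item -LiteralPath $path
    if (-not $item.IsReadOnly) {
        $item.IsReadOnly = $true
    }

    # Re-read from disk and report, so the caller sees the real state
    # rather than what we intended to write.
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path       = $item.FullName
        Exists     = $true
        IsReadOnly = $item.IsReadOnly
    }
}

Install-PetyaVaccine
```

Remember the caveat from the article: this stops a fresh infection from starting its payload, it does nothing for a machine where the malware is already running, and it does not replace patching the vulnerability the worm uses to spread.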

While Petya infects PCs around the world, Kroll Ontrack believes that some data may still be salvaged from infected computers without paying a ransom.

Phil Bridge, managing director for Western Europe of Data & Storage Technologies at Kroll Ontrack, said that the malware does not encrypt all the files on the computer but instead attacks a part of the file system called the Master File Table (MFT), the essential ‘index’ the operating system uses to locate files on the disk.

“Attacking one part of the system (the MFT) is much faster than targeting all the individual files but the result is as if each file had been locked separately,” he said.

He added that a decryption method exists for the original Petya ransomware, but none has yet been released for the updated version. He said that “some data may still be salvaged from infected computers with the use of specialist data recovery techniques.”

28/06/2017: Petya ransomware: attack hits global companies

A ransomware attack has locked down corporate computers throughout Europe and the US, a month after the NHS and other organisations were knocked offline by WannaCry.

The malware, called Petya by some and NotPetya or Goldeneye by others, has reportedly hit thousands of machines, including at advertising giant WPP, Danish transport firm AP Moller-Maersk and Russian oil firm Rosneft, as well as at least one hospital firm in the US.

It appears to have initially infected machines via accounting software that companies use to file with the Ukrainian government, with huge swathes of that country’s companies and government bodies knocked offline. While the country’s official Twitter feed made light of the situation, some of the shutdown was alarming, including Chernobyl radiation monitoring having to be done by hand.

Once inside a network, Petya spreads using EternalBlue, an exploit for a Windows vulnerability that Microsoft has already patched; given the carnage, it appears not everyone has updated. EternalBlue was the same exploit used by WannaCry’s hackers, and was developed by the NSA but leaked in April.

“As far as the EternalBlue exploit, the worm code appears to heavily borrow from WannaCry, including taking advantage of the same EternalBlue exploit code to move around once it is inside the network,” said Allan Liska, intelligence architect at Recorded Future. “In addition to the EternalBlue exploit, the new attack appears to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows.”
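Two checks that follow from the two paragraphs above, written for this page as an added example and not taken from the article or from Recorded Future: first, whether the SMBv1 server that EternalBlue targets is still switched on, and second, whether wmic.exe has been used from this host to start processes on other machines, the lateral-movement technique Liska describes. Both assume a Windows 8 / Server 2012 or later host; the second also assumes process-creation auditing (Security event 4688) with command-line logging enabled, which is off by default, and an elevated prompt to read the Security log. The `/node:` and `process call create` strings are what remote process creation via WMIC looks like in general, not a signature copied from this malware.

```powershell
# Added example (not from the article or any vendor quoted in it).
# Check 1: EternalBlue exploits SMBv1. If the SMBv1 server is still enabled
# and the patch is missing, the worm can move to this host.
function Test-Smb1Enabled {
    # Get-SmbServerConfiguration is available on Windows 8 / Server 2012+.
    $cfg = Get-SmbServerConfiguration
    $on  = [bool]$cfg.EnableSMB1Protocol
    $advice = if ($on) {
        'SMBv1 is on: install the EternalBlue patch and disable SMBv1 ' +
        '(Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force)'
    } else {
        'SMBv1 is off'
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Smb1Enabled = $on
        Advice      = $advice
    }
}

# Check 2: hunt the Security log for WMIC being used to start a process on
# a remote machine. "/node:" points WMIC at another host and
# "process call create" spawns a process there.
function Find-WmicLateralMovement {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime }
    # SilentlyContinue: Get-WinEvent throws when no events match the filter.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $proc = $data['NewProcessName']
        $cmd  = $data['CommandLine']
        # Empty CommandLine means command-line auditing is not enabled;
        # there is nothing to match on, so skip rather than miss silently.
        if (-not $cmd) { continue }

        if ($proc -match '\\wmic\.exe$' -and
            $cmd  -match '/node:' -and
            $cmd  -match 'process\s+call\s+create') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                User        = $data['SubjectUserName']
                ParentImage = $data['ParentProcessName']   # empty on older Windows
                CommandLine = $cmd
            }
        }
    }
}

Test-Smb1Enabled
Find-WmicLateralMovement | Format-Table -AutoSize -Wrap
```

A hit from the second function is not proof of infection on its own, since administrators use WMIC remotely too; the parent image and the account involved are what separate a scripted deployment from a worm running under a stolen credential.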

One difference from WannaCry is that Petya lacks the apparent “kill switch” that halted May’s ransomware outbreak. “Some are comparing this to WannaCry 2.0 but this version does not have the ‘kill-switch’ that the original WannaCry did. Thus, we should not expect any oddity like that to slow this attack,” said Brian Hussey, VP of cyber threat detection and response at Trustwave.

This variant demands $300 in Bitcoin from users of infected machines as ransom to unlock their data. However, Posteo, the German email provider that hosted the attackers’ contact address, has shut the account down, so victims who pay have no way to send the attackers proof of payment and are unlikely to get their data decrypted.

To Nicholas Weaver, security researcher at the International Computer Science Institute, that suggests there may be more to Petya. “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver told KrebsOnSecurity. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

Matthew Hickley, co-founder of My HackerHouse, said that if your computer forces a reboot and shows the screen pictured in the original article, turn the PC off to halt the encryption process.
