A new massive wave of ransomware attacks is under way, causing chaos in airports, banks, businesses and many other governmental and non-governmental organizations across Europe. The cause is Petya (or NotPetya), a new form of ransomware that uses EternalBlue to break into Windows computers, much like WannaCry.
The main difference?
WannaCry was disastrous, but it was a bug-ridden tool created by amateurs. Petya, according to experts, is not an amateur tool but a powerful ransomware that can infect any version of Windows, including Windows 10.
Let's see how it spreads and how this destructive ransomware works.
According to Kaspersky's security team, the ransomware relies on a customized tool, described as "à la Mimikatz", for its spread. It extracts the credentials needed for propagation from the lsass.exe process. LSASS, the Local Security Authority Subsystem Service, is one of the most critical components of Windows.
“The malware uses a plethora of tools to spread to a network, infecting computers along the way. It uses a tweaked build of the Mimikatz open source tool to extract network administrator credentials from machine memory. It then uses these access points to connect to and execute commands on other machines using PsExec and WMIC to infect them.”
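As an added example, not code from the article or from any of the vendors it quotes, the following Python sketch shows how a defender might flag the two behaviours described above in endpoint telemetry: a non-allowlisted process reading lsass.exe memory, and PsExec or WMIC launched against a remote host. The log format, sample lines, hosts and allowlist are all constructed for this example.

```python
from typing import Dict, List, Optional

# Constructed sample events (not real captures), loosely modelled on Sysmon
# process-creation (EventID 1) and process-access (EventID 10) records,
# flattened to "key=value|key=value" lines for this example.
SAMPLE_LOG = r"""
EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe
EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\Temp\unknown.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010
EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic /node:10.0.0.5 process call create ...
EventID=1|Image=C:\Temp\PsExec.exe|CommandLine=PsExec.exe \\10.0.0.6 -accepteula cmd.exe
EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption
"""

# PROCESS_VM_READ is the access right a credential dumper needs on lsass.exe.
VM_READ = 0x0010
# Constructed allowlist of normal lsass clients; tune it for the real environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}
# Remote-execution tools named in the article as the propagation mechanism.
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' line into a dict; values may contain '=' but not '|'."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious event, or None for benign ones."""
    eid = ev.get("EventID")
    if eid == "10" and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        src = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0"), 16)
        if access & VM_READ and src not in LSASS_ALLOWLIST:
            return f"credential-access: {src} read lsass memory (0x{access:x})"
    if eid == "1":
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "").lower()
        # /node: (WMIC) or a UNC host (PsExec) means the command targets another machine.
        if image in LATERAL_TOOLS and ("/node:" in cmd or "\\\\" in cmd):
            return f"lateral-movement: {image} targeting a remote host: {cmd}"
    return None


def scan(log: str) -> List[str]:
    """Run every log line through classify() and keep only the findings."""
    hits = (classify(parse_event(line)) for line in log.strip().splitlines())
    return [hit for hit in hits if hit]
```

Running `scan(SAMPLE_LOG)` yields one credential-access finding and two lateral-movement findings; the plain `wmic os get caption` and the svchost access to lsass are left alone.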
The attack is believed to have started through a compromised update of the Ukrainian MeDoc software, which is used by many governmental organizations in the country. According to reports, this is why Ukraine was hit harder than any other country.
Kaspersky reports that over 60 percent of the attacks took place in Ukraine, with Russia second on the list at 30 percent. These are just the initial findings of the company's ongoing research.
How does Petya work?
Once the malware infects a computer, it stays idle for about an hour and then restarts the system. After the reboot, the files are encrypted and the victims see a ransom note on their screen. During the reboot, victims are warned not to power off the system because they may lose their files.
How many ransoms have been paid so far?
As we have already mentioned, ransom payments are made in Bitcoin, and all transactions into the attacker's wallet can be seen at the following link:
So far 42 payments have been made, totalling about 4 BTC (~$10,000).
Petya or NotPetya?
Symantec, along with several other companies and security analysts, considers that the new ransomware belongs to the Petya family. According to Symantec researchers, Petya was first detected in 2016.
“Petya has existed since 2016. It differs from standard ransomware as it not only encrypts files but also replaces and encrypts the master boot record (MBR),” the company said.
Kaspersky Lab, however, disagrees, pointing out that this is a new form of ransomware in a class of its own, seen here for the first time, and calls it "NotPetya".
In any case, one thing is certain: Petya or NotPetya is still going strong, and this time there does not seem to be a kill switch to stop its rampage. All that remains is to see how this develops.