A new, massive wave of ransomware attacks is under way and has caused chaos in airports, banks, businesses and many other governmental and non-governmental organisations across Europe. The cause is Petya (or NotPetya), a new form of ransomware that, like WannaCry, uses EternalBlue to break into Windows computers.
The main difference?
WannaCry was disastrous, but it was a bug-ridden tool created by amateurs. Petya, according to experts, is no amateur tool but a powerful piece of ransomware that can infect any version of Windows, including Windows 10.
Let's see how it is spreading and how this destructive ransomware works.
According to Kaspersky's security team, the ransomware relies on a customised tool, à la Mimikatz, to spread. It extracts the credentials needed for propagation from the lsass.exe process. LSASS, the Local Security Authority Subsystem Service, is one of the most critical components of a Windows system.
"The malware uses a variety of tools to spread across a network, infecting computers in the process. It uses a tweaked build of the open-source Mimikatz tool to extract the network administrator's credentials from the machine's memory. It then uses these credentials to connect to other machines and execute commands on them, using PsExec and WMIC to infect them."
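The chain described above, credential theft from lsass.exe followed by PsExec and WMIC execution against other hosts, is something a defender can correlate in endpoint telemetry. The script below is an added example, not code from the article or from Kaspersky: it parses constructed Sysmon-style records (host names, paths and addresses are made up) and raises one alert per host where a non-allowlisted process opened lsass.exe and remote-execution tooling ran shortly afterwards.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style sample records (eid=10 process access, eid=1 process creation); not from the article.
SAMPLE_LOGS = r"""2017-06-27T10:01:12 host=WS01 eid=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
2017-06-27T10:02:05 host=WS01 eid=10 SourceImage=C:\Users\Public\dropper.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
2017-06-27T10:02:40 host=WS01 eid=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic /node:10.0.0.7 /user:CORP\admin process call create cmd.exe"
2017-06-27T10:02:41 host=WS01 eid=1 Image=C:\Tools\PsExec.exe CommandLine="psexec \\10.0.0.8 -accepteula -s -d cmd.exe"
2017-06-27T10:05:00 host=WS02 eid=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe"
"""
# Processes that legitimately open lsass.exe; anything else touching it is suspect.
LSASS_ALLOWLIST = {"svchost.exe", "csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
def base(path): return path.rsplit("\\", 1)[-1].lower()

def parse_line(line):
    # "<timestamp> key=value key="quoted value" ..." -> dict with a datetime under "ts"
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts)}
    for key, raw, quoted in KV_RE.findall(rest):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def classify(rec):
    # Map one record to the stage of the spreading chain it matches, or None.
    if rec.get("eid") == "10" and base(rec.get("TargetImage", "")) == "lsass.exe":
        return None if base(rec.get("SourceImage", "")) in LSASS_ALLOWLIST else "lsass_access"
    if rec.get("eid") == "1":
        img, cmd = base(rec.get("Image", "")), rec.get("CommandLine", "").lower()
        if img == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            return "wmic_remote_exec"
        if img in ("psexec.exe", "psexesvc.exe"):
            return "psexec_remote_exec"
    return None

def detect(log_text, window=timedelta(minutes=10)):
    # One alert per host where lsass access is followed, within the window, by remote-execution tooling.
    stages = {}
    for rec in map(parse_line, log_text.splitlines()):
        if stage := classify(rec):
            stages.setdefault(rec["host"], []).append((rec["ts"], stage))
    alerts = []
    for host, events in stages.items():
        dumps = [t for t, s in events if s == "lsass_access"]
        tools = sorted({s for t, s in events if s != "lsass_access"
                        and any(timedelta(0) <= t - d <= window for d in dumps)})
        if tools:
            alerts.append({"host": host, "tools": tools})
    return alerts
```

A legitimate svchost.exe read of lsass.exe, or PsExec use with no preceding credential access on the same host, produces no alert; the correlation is what separates administration from the spreading behaviour the article describes.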
The attack is believed to have started through a compromised update of the Ukrainian MeDoc software, which is used by many governmental organisations in the country. According to reports, this is why Ukraine was hit harder than any other country.
Kaspersky reports that over 60 percent of the attacks took place in Ukraine, with Russia second on the list at 30 percent. These are only the initial findings of the company's ongoing research.
How does Petya work?
Once the malware infects a computer, it stays idle for about an hour and then restarts the system. After the reboot, the files are encrypted and the victims see a ransom note on their screen. During the reboot, victims are warned not to power off the system because they may lose their files.
How many ransoms have been paid so far?
As we have already mentioned, ransom payments are made in Bitcoin, and all transactions into the attacker's wallet ID can be seen at the following link:
So far 42 payments have been made, totalling about 4 BTC (~$10,000).
Petya or NotPetya?
Symantec, along with several other security companies and analysts, believes that the new ransomware belongs to the Petya family. According to Symantec researchers, "Petya" ransomware was first detected in 2016.
"Petya is from 2016. It differs from standard ransomware because it does not only encrypt files, but it replaces and encrypts the master boot record (MBR)," the company said.
However, Kaspersky Lab appears to disagree with this view, noting that it is a new form of ransomware that belongs to its own classification and is appearing for the first time, and calling the ransomware "NotPetya".
In any case, one thing is certain: Petya or NotPetya is still going strong, and this time there does not seem to be a kill switch to stop its frantic course. All that remains is to see how this will develop.