Petya ransomware variant strikes on a global scale

Oct 20, 2017
Author: Andrew Avanessian

Firms across the globe have been hit by a variant of the Petya or Petwrap strain of ransomware impacting Windows servers, PCs, and laptops. Initial reports suggest this latest attack struck the Ukraine first, but it has quickly spread to many other countries including Russia, Spain, France, the UK, the Netherlands, and the US. Currently the attackers are asking for $300 worth of Bitcoins to restore access to data.

So far, many high-profile organizations across the globe have been impacted, and national infrastructure in the Ukraine has also been badly affected, including the state power utility, Kiev’s airport, and metro system. The attack, at this stage, appears to be smaller in scale than the WannaCry outbreak back in May, but we’ll be monitoring its scale and impact over the coming hours and days. At the time of writing, Kaspersky estimated around 2,000 users had been affected.

So what do we know about Petya?

Though this is suspected to be a variant of Petya, this form of ransomware isn’t a new phenomenon and has been around for a few years. What we know is that Petya is incredibly quick to spread and acts slightly differently to more traditional forms of ransomware. Rather than encrypting files one by one, Petya encrypts the location containing sensitive data, preventing access to those parts of the network.

The usual entry point for Petya is through an email containing a Dropbox URL or an attachment, and the executable usually differs from one dropper to another. In the examination of previous instances of Petya, it’s also common to see this type of ransomware specifically targeting admin accounts to propagate across the corporate network. In order for Petya to execute, it needs to run with admin privileges.

This current Petya attack appears to be using the same EternalBlue exploit as WannaCry. EternalBlue was leaked by the Shadow Brokers hacker group in April and was developed by the US National Security Agency.

Could it have been avoided?

The short answer is yes. In the immediate aftermath of the WannaCry attack, it became clear that many organizations had failed to regularly update and patch their systems, with many relying on antiquated operating systems to keep the business running. While we’ve only just begun to understand how this latest attack operates, I’d suspect that some of those organizations impacted had dropped the ball when it came to basic security hygiene.

We also know from previous Petya attacks that it depends on victims executing the malware with administrator rights on Windows in order to have file system level access. Without admin rights it will fail, underlining once again the importance of adopting a least privilege approach to security.

It’s critical that businesses implement security best practices, including regular patching, application control, and removing admin rights. In our testing, we found that these simple measures prevented the majority of cyber attacks.

Who is to blame?

Speculation as to who is behind this attack will now begin and the obvious finger pointing will focus on nation states. North Korea has been heavily linked with last month’s WannaCry attack. However, this attack could just as easily originate from a sophisticated organized crime unit. You don’t need to be technical or have the resources of a nation state to write this type of malware; there are novices doing this using toolkits readily available on the Dark Web.

As more information on this latest Petya attack becomes available, we’ll be providing more insight and analysis on the Avecto blog page. For more information on ransomware attacks and ways to mitigate against them, visit www.avecto.com.
