On June 26, a new ransomware attack began making its way across Europe. This new strain, called Petya, like its predecessor WannaCry, is based on the exploit called EternalBlue. EternalBlue is one of a bundle of tools believed to have belonged to the NSA that was released by the Shadow Brokers hacker group earlier this year. It exploits a vulnerability in the SMBv1 file-sharing service of Microsoft Windows. Microsoft released a patch, MS17-010, in March that addressed the issue for currently supported operating systems such as Windows 10. Last month it took the unprecedented step of releasing the patch for older, no longer supported operating systems such as Windows XP. Those who install the patch are protected against the EternalBlue exploit itself, whichever malware variant carries it.
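The practical check that follows from the paragraph above is whether a host still exposes SMBv1 and whether MS17-010 is present. The script below is an added example, not code from the original post. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration) and an elevated prompt; because MS17-010 ships under a different KB number for each OS build, the KB identifier is a parameter you fill in from the bulletin rather than a value hard-coded here.

```powershell
<#
  Added example, not code from the original post. Reports whether this host
  still exposes the SMBv1 service that EternalBlue attacks and whether a
  given MS17-010 update is installed, and optionally disables SMBv1.
  Assumptions: Windows 8 / Server 2012 or later, elevated prompt. The KB
  number for MS17-010 differs per OS build, so pass the one(s) from the
  bulletin for this host; none is assumed here.
#>
param(
    [string[]]$Ms17010Kb = @(),   # e.g. 'KB<number from MS17-010 for this OS>'
    [switch]$Remediate            # disable SMBv1 server and client when set
)

# The SMB 1.x redirector driver; its Start value 4 means "disabled"
$Smb1ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Exposure {
    # Server side: the SMB1 protocol switch on the LanmanServer service
    $serverOn = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: whether the SMB1 redirector driver is allowed to load
    $start = (Get-ItemProperty -Path $Smb1ClientKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$serverOn
        Smb1ClientEnabled = ($null -ne $start -and $start -ne 4)
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kb)
    if (-not $Kb) { return 'unknown (no KB supplied)' }
    $found = Get-HotFix | Where-Object { $_.HotFixID -in $Kb }
    if ($found) { "installed: $($found.HotFixID -join ', ')" } else { 'MISSING' }
}

function Disable-Smb1 {
    # Server: turn the protocol off; SMB2/SMB3 clients are unaffected
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client: drop mrxsmb10 from the workstation service's dependencies and
    # stop the driver from loading (Microsoft's documented procedure)
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$state = Get-Smb1Exposure
Write-Host "SMBv1 server enabled : $($state.Smb1ServerEnabled)"
Write-Host "SMBv1 client enabled : $($state.Smb1ClientEnabled)"
Write-Host "MS17-010 status      : $(Test-Ms17010Installed -Kb $Ms17010Kb)"

if ($Remediate -and ($state.Smb1ServerEnabled -or $state.Smb1ClientEnabled)) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot for the client-side change to take effect.'
}
```

Run it as `.\Check-Smb1.ps1 -Ms17010Kb 'KB...' -Remediate` with the KB for the host's build. Disabling SMBv1 is worth doing even on a patched host: it removes the attack surface rather than one bug in it, at the cost of breaking any legacy devices (old NAS boxes, printers) that can only speak SMB1, so inventory those first.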
The Petya variant unfortunately confirms that apathy persists when it comes to cyber security. Even after the dramatic headlines about the havoc WannaCry created, an untold number of machines around the world remain unpatched. As a result, thousands of users are falling victim to this new threat.
It also appears that some cybersecurity experts were fooled initially as to the intent of Petya. Although victims are told to pay a ransom of $300 in bitcoin, the latest reports indicate that profiteering and extortion may not in fact be the attackers' driving purpose. Unlike most ransomware, which directs victims to a payment site reached through the Tor browser, Petya victims are told to contact the extortionists through an ordinary email address, a fragile channel that a real extortion operation would not rely on. Because it departs so far from the original Petya, some are now dubbing this outbreak "NotPetya". The real objective may simply be to inflict mayhem and destruction on a large scale, nothing more.
Rather than just encrypting files, this malware also overwrites the master boot record (MBR) with its own boot code and encrypts the NTFS master file table, so the machine can no longer boot into Windows. Repairing the MBR with a tool such as bootrec /fixmbr restores the normal boot code but does not decrypt anything, and it does not remove the infection.
Using a bundled credential-harvesting tool, the malware also extracts passwords and password hashes from the memory of the infected computer. It specifically seeks out administrator credentials and uses them, together with standard Windows remote-administration tools (PsExec and WMIC), to infect the rest of the network.
This worm-like behaviour means that even fully patched machines can be infected: once the malware is inside the network holding valid administrator credentials, it does not need EternalBlue to reach them. Patching is therefore necessary but not sufficient, and additional measures should be taken to protect your network.
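Two of the "additional measures" that matter for the spread described in the last two paragraphs are limiting what a memory credential dumper can harvest and limiting which hosts may even talk SMB to a machine. The script below is an added example, not code from the original post or from any vendor. It assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt; the management subnet 10.0.100.0/24 is a placeholder to replace with your own, and the firewall approach (default inbound block, disable existing port 445 allow rules, add one scoped allow) is one reasonable design, not the only one.

```powershell
<#
  Added example, not code from the original post. Audits, and with -Remediate
  applies, two host settings that shrink what a credential dumper can pull
  out of LSASS memory, then restricts inbound SMB (TCP 445) to the hosts
  administrators actually work from. Assumptions: Windows 8.1 / Server
  2012 R2 or later, elevated prompt; $AdminHosts is a placeholder subnet.
#>
param(
    [string[]]$AdminHosts = @('10.0.100.0/24'),   # assumed management subnet
    [switch]$Remediate
)

$Checks = @(
    @{ Name = 'WDigest cleartext credentials off'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Key  = 'UseLogonCredential'; Want = 0 },   # 0 = no plaintext passwords cached in LSASS
    @{ Name = 'LSA protection (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RunAsPPL'; Want = 1 }              # 1 = lsass.exe runs as a protected process
)

function Get-CredentialHardeningState {
    foreach ($c in $Checks) {
        $cur = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = if ($null -eq $cur) { 'not set' } else { $cur }
            Compliant = ($cur -eq $c.Want)
        }
    }
}

function Set-CredentialHardening {
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
    }
}

function Restrict-InboundSmb {
    param([string[]]$Allowed)
    # Block rules always beat allow rules in Windows Firewall, so instead of
    # adding a blanket block we rely on the default inbound action being Block,
    # disable every existing inbound allow for TCP 445, and add one scoped allow.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'SMB in - admin hosts only' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $Allowed -Action Allow | Out-Null
}

Get-CredentialHardeningState | Format-Table -AutoSize

if ($Remediate) {
    Set-CredentialHardening
    Restrict-InboundSmb -Allowed $AdminHosts
    Write-Host 'Applied. RunAsPPL takes effect after a reboot.'
}
```

Caveats a practitioner would want: turning off WDigest caching removes plaintext passwords from memory but NTLM hashes remain and are still usable for pass-the-hash, so unique local administrator passwords per machine and a separate tier of admin accounts still matter; RunAsPPL can break third-party authentication or SSO plugins that inject into LSASS, so test it before rolling it out; and the SMB restriction also cuts off file shares and remote management tools on the affected port, which is the point, but it must be reconciled with how your own administrators actually reach servers.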
Whether organizations should pay a ransom is a perpetually debated topic, but in this case the consensus is clearly NO: the email account through which victims were told to obtain a decryption key has been disabled, so paying cannot get you anything. In addition, if you see what looks like a CHKDSK disk check running after an unexpected reboot, power the machine off immediately using the power button. The CHKDSK screen is a fake; behind it the malware is carrying out the encryption, and cutting power at that stage may stop it from completing.
If you find yourself infected in this outbreak, do not feel too bad about being fooled. Plenty of high-profile organizations have been infected, including:
What was NotPetya's lesson? The truth is you don't have to be fooled again by ransomware attacks. The culmination of: