
A New Ransomware Petya Affecting Computers Worldwide.

28 Jun, 2017

Earth shakes when a big tree falls.

Users were reminded of that maxim again this week, as analysts and researchers scrambled to contain what appears to be a new ransomware infecting computers worldwide.

Dubbed Petya (and, once analysts found that it differs from the 2016 ransomware of that name, NotPetya), the attack is another jolt to a tech ecosystem still reeling from WannaCry, which affected over 300,000 computers worldwide.

Security experts are bracing for the worst: no kill switch of the kind that halted WannaCry has been found so far.

The attack has chiefly hit Ukraine and Russia, although the 'kill zone' has spread rapidly to large firms elsewhere, among them the advertising giant WPP, the French construction materials company Saint-Gobain and the Russian steel and oil firms Evraz and Rosneft.
The brunt of the intrusion was felt closer to home too, when operations at Mumbai's Jawaharlal Nehru Port Trust were shut down.

The ransomware locks the user out of her system and demands a ransom of USD 300 (approx. INR 19,400) in Bitcoin, just like its predecessor WannaCry.
WannaCry spread by exploiting a flaw in the Windows SMBv1 service (fixed by Microsoft's MS17-010 patch and attacked with the leaked EternalBlue exploit). Petya reuses the same exploit to spread, and also harvests credentials on each infected host to reach other machines on the network, but its payload is different: it overwrites the Master Boot Record, the first sector of the disk, which holds the partition table and the small piece of code that loads the operating system at boot. Control of that sector lets the malware run its own code before Windows starts and encrypt the file-system index that maps files to their data on disk, leaving the system unbootable.
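To make concrete what the Master Boot Record holds, and what an administrator can check to notice that it has been replaced, here is example code written for this article; it is not from the original report or from any vendor's tooling. The sample sectors are constructed inside the script: the "overwritten" boot code is a stand-in, not Petya's actual loader, and the device paths in the comments are assumptions about the reader's environment. The script parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares a freshly read sector against a baseline captured while the host was known-good, which is the check that catches an MBR-overwriting ransomware before the next reboot.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code (as a hash), partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,      # e.g. 0x07 = NTFS/exFAT, 0xEE = protective GPT entry
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline taken while the host was known-good."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = b"\x55\xAA") -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = signature
    return bytes(sector)


# Constructed sample: one bootable NTFS partition starting at sector 2048.
CLEAN_MBR = build_mbr(bytes.fromhex("33c08ed0bc007cfb"), [(True, 0x07, 2048, 1048576)])
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed "overwritten" sector: different boot code, same partition table and signature,
# the shape an MBR-replacing ransomware leaves behind (stand-in bytes, not Petya's code).
OVERWRITTEN_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * 40, [(True, 0x07, 2048, 1048576)])

# Constructed sector with the signature wiped, as a partially destroyed disk would look.
NO_SIGNATURE_MBR = build_mbr(bytes.fromhex("33c08ed0bc007cfb"), [(True, 0x07, 2048, 1048576)],
                             signature=b"\x00\x00")

if __name__ == "__main__":
    # On a live Windows host the sector would come from open(r"\\.\PhysicalDrive0", "rb").read(512)
    # run as Administrator, on Linux from /dev/sda; both paths are assumptions about the setup.
    for name, sector in [("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR), ("no-signature", NO_SIGNATURE_MBR)]:
        print(name, check_mbr(sector, BASELINE) or ["no change"])
```

The baseline is the important part: a hash of the boot code is only meaningful against a copy taken before the incident, so it should be recorded at build time and stored off the host, where an infection cannot rewrite it along with the sector it describes.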

Other variants of the ransomware are also circulating, reportedly with lesser severity than the original.

When a system is infected, the malware encrypts files on the disk and forces a reboot, during which it displays a message warning the user not to switch the machine off. The victim is then shown a ransom note asking her to send the payment to a Bitcoin address and to e-mail proof of the transaction to the attackers' address.

According to the Ukrainian police, the attack originated from a malicious update pushed through the software update mechanism of an accounting program widely used in Ukraine, including by the government. A parallel phishing campaign was also used to plant the malware, and most Ukrainian public facilities were forced to shut down.

Even the radiation monitoring system at the infamous Chernobyl plant was taken offline, forcing employees to take readings manually.

Despite the severity of the attack, it is unclear at this moment whether the attacker's aim was actually to make money. Security researchers have called a payment scheme that depends on a single e-mail address "amateurish", and that address was later shut down by the provider, leaving victims with no way to contact the attackers even if they pay. According to available details, the Bitcoin wallet named in the ransom note had received only about ten thousand dollars, a meagre sum for an attack of this scale.

There is another, more sinister view doing the rounds: because of its unusual concentration in Ukraine, the attack is being seen as a thinly veiled attempt at national sabotage. According to Comae's Matthieu Suiche, "Pretending to be a ransomware while being, in fact, a nation-state attack, is in our opinion a very subtle way from the attacker to control the narrative of the attack".

The country's prime minister acknowledged the severity of the attacks but assured that "IT experts are doing their job and protecting critical infrastructure. The attack will be repelled and the perpetrators will be tracked down".

Details of any remedy are still incomplete. Infected users are being urged not to pay the ransom, since there is no guarantee of a fix and, with the attackers' e-mail address shut down, no way to obtain a decryption key. Because there is no known way to decrypt the affected data, users are advised to wipe the drives, reinstall and restore from backups.

Major antivirus companies such as Kaspersky say that the most they can do right now is detect the malware. A fix is being worked on; until then, users should at least apply Microsoft's MS17-010 patch, which closes the SMB flaw used by EternalBlue and so blocks WannaCry as well as the exploit-based spread of Petya. Since Petya also moves across a network using administrator credentials stolen from infected hosts, patching alone is not enough: limiting local administrator rights, not reusing administrator passwords across machines and blocking SMB (TCP port 445) between workstations reduce how far a single infection can travel.