Petya Attack Breakdown and Vaccine

Experts Exchange: The Original Technology Community.
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.

The Infection

Beginning initially in Ukraine, the new ransomware called Petya, NotPetya, or PetrWrap, hit critical services throughout the country. This ransomware attack infected government computers, companies, and banks, causing Kiev’s ATMs to stop working. Rozenko Pavlo, Ukraine’s prime minister, tweeted a photo of his ransomed screen on June 27.

While the cause of the initial spread is still under debate, sources, including Microsoft in their latest blog, are pointing toward the automatic update feature of MeDoc, a popular Ukrainian accounting software package, as the initial infection vector. On June 28, Costin Raiu, the chief risk officer (CRO) of Kaspersky Labs, tweeted that this attack could also have started from a hack on the website of the Ukrainian city of Bahmut. After the hack, the website was used to infect Ukrainian devices with malware.

According to a tweet (made with a meme on Ukraine’s official account), the country is handling the attack and there is “no need to panic”. However, now that the attack is globally affecting tens of thousands of devices, there’s a renewed sense of urgency in securing personal and corporate devices from this threat.

The Spread

Petya spreads over the local network through Server Message Block (SMB) and through administrative tooling such as the Windows Management Instrumentation Command-line (WMIC). When infecting devices via WMIC, the malware first harvests credentials from the already-infected host using Mimikatz. McAfee notes that through this method, Petya can infect devices that are patched against EternalBlue, or that are not using SMB at all.
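The two lateral-movement paths above (SMB, and WMIC with stolen credentials) map to two things a defender can check on each Windows host: whether the SMBv1 protocol that EternalBlue abuses is still enabled, and whether remote WMI is reachable through the host firewall. The following script is an added example, not code from the article or from any vendor quoted in it; it assumes Windows 8 / Server 2012 or later (for the SmbShare and NetSecurity modules) and an elevated PowerShell session, and the `$Remediate` switch is a name chosen here.

```powershell
# Added example: report a host's exposure to the spread paths described above.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
# Set $Remediate = $true to disable SMBv1; by default the script only reports.
#Requires -RunAsAdministrator
$Remediate = $false

$report = @()

# 1. Is the SMBv1 server protocol (the one EternalBlue targets) still enabled?
$smb = Get-SmbServerConfiguration
$report += [pscustomobject]@{
    Check   = 'SMBv1 server protocol'
    Exposed = [bool]$smb.EnableSMB1Protocol
    Detail  = if ($smb.EnableSMB1Protocol) { 'ENABLED - disable unless a legacy system needs it' } else { 'disabled' }
}

# 2. Is the SMB1Protocol optional feature installed at all? Removing the
#    feature is stronger than only turning the protocol off in the server config.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Check   = 'SMB1Protocol Windows feature'
    Exposed = ($feature -and $feature.State -eq 'Enabled')
    Detail  = if ($feature) { "state: $($feature.State)" } else { 'feature not present on this OS' }
}

# 3. Are inbound WMI firewall rules enabled? Remote WMI is what the WMIC
#    spread path uses once it holds valid credentials.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$report += [pscustomobject]@{
    Check   = 'Inbound WMI firewall rules'
    Exposed = ($wmiRules.Count -gt 0)
    Detail  = if ($wmiRules) { ($wmiRules.DisplayName -join '; ') } else { 'no enabled inbound WMI rules' }
}

$report | Format-Table -AutoSize

# Optional remediation for the SMBv1 findings (the WMI rules are usually
# needed by management tooling, so they are reported rather than changed).
if ($Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Host 'SMBv1 disabled; a reboot is required for the feature change to take effect.'
}
```

Note that the WMI check only tells you the door is open; what actually lets this path work is an account whose credentials are on the infected machine and are also valid on its neighbours, so the firewall finding is best read alongside a review of which accounts hold local administrator rights across the network.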

At first glance, the main difference between Petya and WannaCry is that Petya's infection rate has reached a higher number: the ransomware easily infects many devices and spreads through local networks. Though WannaCry spread faster, its initial deployment landed among a smaller group of users and facilities.

You can track the real-time Bitcoin payments made to Petya on @petya_payments.

How to Avoid Payment

If your device shows the reboot message below, it is infected.

It was previously believed that the encryption of files did not begin until the reboot was finished one hour after the infection. However, it was discovered that this Petya ransomware begins encrypting up to 1 MB of the below file types upon the initial infection:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Once the reboot is finished and the encryption begins, the ransom message shown below will appear and a $300 Bitcoin payment will be requested in order to regain access to your files. However, it appears the virus authors never intended to provide any way to decrypt the affected files. This is not simply because the only payment email address was shut down by Posteo within hours of the virus being reported; further analysis shows that the malware actually delivers irreversible damage to the drive.

The Current Vaccine

The press is claiming a “kill switch” has been found; however, so far only a vaccine for this attack has been proven to work. The current vaccine modifies files on your own device, similar to most malware-attack vaccinations, whereas a “kill switch” is handled remotely, as Marcus Hutchins, the man who discovered the WannaCry kill switch, has said.

As krakatoa, a Java/programming expert on Experts Exchange, explains, the current vaccine involves creating a file called perfc in the C:\Windows folder and making it read-only. Creating this file also creates two additional vaccination files, perfc.dat and perfc.dll. For thoroughness, it is advised to leave both of these additions in place.
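The vaccine step above can be applied and verified in one go from an elevated PowerShell session. This script is an added example, not krakatoa's post or the article's own instructions; it assumes `$env:SystemRoot` resolves to the C:\Windows folder the article names and that the three file names listed above are the ones to create.

```powershell
# Added example: create the read-only "perfc" vaccine files described above
# in the Windows folder, without touching any that already exist, then show
# the result. Assumes an elevated PowerShell session on Windows.
#Requires -RunAsAdministrator

$windir = $env:SystemRoot                       # normally C:\Windows
$vaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll')

foreach ($name in $vaccineFiles) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough; its presence is what matters for the vaccine.
        New-Item -Path $path -ItemType File | Out-Null
        Write-Host "created  $path"
    } else {
        Write-Host "exists   $path (left as is)"
    }
    # Read-only is the attribute the article calls for; setting it on an
    # already read-only file is harmless.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: every file should be listed with IsReadOnly = True.
$vaccineFiles |
    ForEach-Object { Get-Item -LiteralPath (Join-Path $windir $_) } |
    Select-Object Name, IsReadOnly, Length, LastWriteTime |
    Format-Table -AutoSize
```

The existence check matters: `New-Item -Force` would silently truncate a file that is already there, so the script only creates what is missing and then enforces the read-only attribute on all three. This vaccine protects only the host it is run on; it does nothing for the other machines on the same network, so it complements, rather than replaces, patching and disabling SMBv1.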

Many anti-virus companies have taken recent steps to assure protection against Petya. Drew Frey, Community and Advocate Manager at Webroot, assured us that they were among these companies. “Our proprietary threat database is protecting and blocking variances of this threat. Additionally, our threat researchers have unpacked the specific malware to better understand its behaviors to continue to protect our customers from threats like this. We are updating our threat blog as we find additional information.”

The WannaCry and Petya attacks have been reminders of the need for security. Stay tuned for more updates and security best practices as Experts Exchange shares an exclusive interview with Marcus Hutchins on WannaCry, tech communities, and his background.
