
Petya Attack Breakdown and Vaccine

Experts Exchange
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.

The Infection


Beginning in Ukraine, the new ransomware, called Petya, NotPetya, or PetrWrap, hit critical services throughout the country. It infected government computers, companies, and banks, and knocked out ATMs in Kiev. Pavlo Rozenko, Ukraine's deputy prime minister, tweeted a photo of his ransomed screen on June 27.



While the cause of the initial spread is still under debate, sources, including Microsoft in its latest blog post, point to the automatic update feature of M.E.Doc, a popular Ukrainian accounting package, as the initial infection vector: a malicious update was delivered to machines running the software through its own updater. On June 28, Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, tweeted that the attack could also have started from a compromise of the website of the Ukrainian city of Bakhmut, which was then used to serve malware to Ukrainian visitors.



According to a tweet (a meme posted from Ukraine's official account), the country is handling the attack and there is "no need to panic". Now that the attack is affecting tens of thousands of devices globally, however, there is renewed urgency about securing personal and corporate devices against it.


The Spread


Petya spreads over the local network by two routes. The first is the Server Message Block (SMB) protocol, where it exploits the same EternalBlue vulnerability that WannaCry used. The second is lateral movement with legitimate Windows administration tools, the Windows Management Instrumentation Command-line (WMIC) and PsExec, using credentials that a Mimikatz-style module harvests from memory on the infected host. McAfee notes that through this second, credential-based method Petya can infect devices that are patched against EternalBlue, or that do not expose SMB to the exploit, because those machines are reached with valid credentials rather than through a vulnerability.
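The two spreading routes above suggest two checks a practitioner would want to run on a Windows host. The following script is an added example and is not from the original article or from any vendor's guidance; it uses only standard Windows 8 / Server 2012 (and later) PowerShell cmdlets, and must be run from an elevated prompt. It shows whether the SMBv1 protocol that EternalBlue requires is still enabled, disables it, and then lists the local Administrators group, since every account whose credentials sit in memory on this host is one more credential the worm can harvest and replay through WMIC or PsExec.

```powershell
# Added example (not part of the original article): reduce exposure to both spreading routes.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# --- Route 1: SMBv1 (needed by the EternalBlue exploit) ---------------------------------

# Report the current state of the SMBv1 server protocol.
$smb = Get-SmbServerConfiguration
'SMB1 server protocol enabled: {0}' -f $smb.EnableSMB1Protocol

# Disable it. This takes effect immediately; only very old clients (e.g. legacy NAS devices
# or Windows XP era systems) still need SMBv1, so check for those before running this in bulk.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMB1 server protocol disabled.'
}

# On Windows 10 / Server 2016 the SMBv1 components can be removed as an optional feature,
# which also covers the client side. The cmdlet is absent on older systems, hence the
# SilentlyContinue.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    'SMB1Protocol optional feature disabled (reboot required to complete).'
}

# --- Route 2: harvested credentials replayed through WMIC / PsExec ---------------------

# Every member of the local Administrators group who has logged on to this machine leaves
# credential material in memory that a Mimikatz-style module can collect. The fewer accounts
# here, and the fewer shared local admin passwords across the fleet, the less a single
# infected host can reach.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
'Members of local Administrators: {0}' -f ($admins | Measure-Object).Count
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Disabling SMBv1 removes the exploit path but not the credential path: a domain admin who logs on interactively to a workstation that later gets infected hands the worm a credential valid on every other machine in the domain, which is exactly what the McAfee observation about patched hosts describes.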


The main difference between Petya and WannaCry is in how they spread. Petya's infection rate within a network appears, at first glance, to be higher: once it is inside, it infects many devices and moves readily across the local network. WannaCry spread faster across the internet, but its initial deployment landed among a smaller group of users and facilities.


You can track the real-time Bitcoin payments made to Petya on @petya_payments.


How to Avoid Payment


If your device shows the reboot message below, your device is infected.



It was previously believed that file encryption did not begin until after the forced reboot, which the malware schedules about an hour after infection. It has since been discovered that this Petya variant starts encrypting files immediately upon infection, encrypting the first 1 MB of every file with one of the following extensions:


.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
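Because the user-mode encryption runs before the reboot and is limited to these extensions, an incident responder's first scoping question is how many files of these types a host or share holds, and which of them changed after the suspected infection time. The script below is an added example, not from the original article; the share paths and the timestamp in the usage lines are assumptions for illustration.

```powershell
# Added example (not part of the original article): scope files matching the extension list
# this ransomware targets, optionally limited to files modified after a given time.

# The extension list exactly as published above.
$targetedExtensions = @(
    '.3ds','.7z','.accdb','.ai','.asp','.aspx','.avhd','.back','.bak','.c','.cfg','.conf',
    '.cpp','.cs','.ctl','.dbf','.disk','.djvu','.doc','.docx','.dwg','.eml','.fdb','.gz','.h',
    '.hdd','.kdbx','.mail','.mdb','.msg','.nrg','.ora','.ost','.ova','.ovf','.pdf','.php',
    '.pmf','.ppt','.pptx','.pst','.pvi','.py','.pyc','.rar','.rtf','.sln','.sql','.tar',
    '.vbox','.vbs','.vcb','.vdi','.vfd','.vmc','.vmdk','.vmsd','.vmx','.vsdx','.vsv','.work',
    '.xls','.xlsx','.xvd','.zip'
)
# Case-insensitive set for fast membership tests (Windows file systems ignore case).
$extSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$targetedExtensions, [System.StringComparer]::OrdinalIgnoreCase)

function Find-TargetedFiles {
    param(
        # One or more directories (local paths or UNC shares) to walk recursively.
        [Parameter(Mandatory)][string[]]$Root,
        # Only return files written at or after this time. When omitted the parameter is
        # DateTime.MinValue, so every matching file is returned.
        [datetime]$ModifiedSince
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extSet.Contains($_.Extension) } |
        Where-Object { $_.LastWriteTime -ge $ModifiedSince }
}

# Usage (assumed paths): exposure summary per extension, largest groups first.
$files = Find-TargetedFiles -Root 'D:\Shares\Finance', 'C:\Users'
$files | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object @{n='Extension'; e={ $_.Name }}, Count,
                  @{n='MB'; e={ [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) }} |
    Format-Table -AutoSize

# Usage (assumed timestamp): candidates touched after the suspected infection time, which
# is what you compare against backups to decide what must be restored.
Find-TargetedFiles -Root 'D:\Shares\Finance' -ModifiedSince (Get-Date '2017-06-27 10:00') |
    Select-Object FullName, Length, LastWriteTime
```

The LastWriteTime filter is a heuristic: it finds files the ransomware rewrote, but a file in this list that was legitimately edited in the same window shows up too, and a file the malware had not yet reached before the reboot does not. Treat the output as a restore candidate list to reconcile against backups, not as a verdict.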


Once the reboot is finished and the disk encryption completes, the ransom message shown below appears, demanding a payment of $300 in Bitcoin to regain access to your files. However, it appears the authors never intended to provide any way to decrypt the affected files. Not only was the single payment contact email address shut down by its provider, Posteo, within hours of the attack being reported, leaving victims no way to submit proof of payment, but further analysis shows that the malware actually inflicts irreversible damage on the drive, so no key the attackers could supply would restore it.



The Current Vaccine


The press is reporting that a "kill switch" has been found. So far, however, only a vaccine for this attack has been proven to work. A vaccine, like most malware-attack vaccinations, modifies files on your own device so that the malware declines to run there. A "kill switch," as Marcus Hutchins, who discovered the WannaCry kill switch, has pointed out, is triggered remotely and stops the malware everywhere at once.



As krakatoa, a Java/Programming expert on Experts Exchange, explains, the current vaccine consists of creating a file called perfc in the C:\Windows folder and making it read-only: before doing anything else, the malware checks for that file and exits if it is present. For thoroughness, it is advised to also create perfc.dat and perfc.dll in the same folder, since the malware's own DLL was distributed under the name perfc.dat, and to leave all three in place. Note that the vaccine protects only the machine it is applied to, and only against samples that perform this check.
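The vaccine is a three-file change that is easy to get subtly wrong by hand (wrong folder, file created but not read-only, a stray .txt extension added by Notepad). The script below is an added example, not the procedure as posted by krakatoa or any vendor; it creates the three files in the Windows directory, sets the read-only attribute, and then verifies each one so the result can be checked at a glance or pushed out through a management tool. It must be run from an elevated prompt.

```powershell
# Added example (not part of the original article): apply and verify the perfc vaccine.
# Run from an elevated PowerShell prompt.

# $env:SystemRoot is the Windows directory, normally C:\Windows; using it instead of a
# hard-coded path keeps the script correct on systems installed to another drive.
$windowsDir = $env:SystemRoot
$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

foreach ($name in $vaccineNames) {
    $path = Join-Path $windowsDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is sufficient; the malware only tests for the file's existence.
        # -ItemType File prevents the name from being created as a directory.
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    # Mark read-only so an ordinary process cannot simply overwrite or delete it.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verification: print the state of each file so the result can be audited.
foreach ($name in $vaccineNames) {
    $item = Get-Item -LiteralPath (Join-Path $windowsDir $name)
    '{0,-10} present, ReadOnly={1}, Length={2}' -f $name, $item.IsReadOnly, $item.Length
}
```

The read-only attribute is a convenience, not a security boundary: a process running with administrator rights can clear it. The vaccine works because the sample checks for the file and stops, not because the file is protected, so the verification step above is the part worth keeping.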


Many anti-virus companies have taken steps to ensure protection against Petya. Drew Frey, Community and Advocate Manager at Webroot, assured us that they were among these companies. “Our proprietary threat database is protecting and blocking variances of this threat. Additionally, our threat researchers have unpacked the specific malware to better understand its behaviors to continue to protect our customers from threats like this. We are updating our threat blog as we find additional information.”


The WannaCry and Petya attacks have been reminders of the need for security. Stay tuned for more updates and security best practices as Experts Exchange shares an exclusive interview with Marcus Hutchins on WannaCry, tech communities, and his background.

