Petya Ransomware 101

WHAT IS IT?

According to Krebs on Security, Petya uses

the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.

WHO IS AFFECTED?

As the CNET video outlines, Petya has spread throughout the world, beginning in Ukraine. Notable targets include

  • the Chernobyl nuclear facility;
  • advertising giant WPP;
  • U.S. law firm DLA Piper;
  • Pittsburgh’s Heritage Valley Health Systems;
  • MERCK & Co.;
  • candy giant MARS, Inc.; and
  • India’s largest container port.

WHAT IS THE RANSOM?

The attackers are demanding $300 in Bitcoin, with proof of payment to be sent to a single email address, which has since been shut down.

Do not pay the ransom. There are reports that people have paid and still not had their files released. Plus, you may be able to block it from running in the first place (see below).

STAYING SAFE

The most important steps you can take to protect yourself from this malware are:

  • Make sure your Windows operating system is up-to-date by downloading and installing Microsoft’s patches.
  • Backup your computer files so they can be restored if you are attacked.
  • Install malware protection programs.
  • Be smart and do not click on unknown links.
  • Be careful using public Wi-Fi; check your security settings on public networks to ensure your computer is not visible to others.

Bleeping Computer reports there is a “vaccine” for Petya. Since Petya checks for a file named “perfc” before it runs, creating a read-only version of that file blocks it from executing.

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read-only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat
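A PowerShell version of the same vaccine step, added here as an example; it is not the original page’s code and not Lawrence Abrams’ batch file. It assumes the C:\Windows\perfc path from the text (via $env:SystemRoot) and that it is run from an elevated session; the function names are my own.

```powershell
# Added example: create the read-only perfc "vaccine" file described above
# and verify it is in place. Must be run from an elevated (Administrator)
# PowerShell session, since it writes into the Windows folder.

$vaccinePath = Join-Path $env:SystemRoot 'perfc'   # normally C:\Windows\perfc

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-PerfcVaccine {
    param([string]$Path = $vaccinePath)

    if (-not (Test-IsElevated)) {
        throw 'Writing to the Windows folder requires an elevated (Administrator) session.'
    }

    # Create an empty file only if one does not already exist, so an
    # existing vaccine file is left untouched.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Set the ReadOnly attribute so the file cannot simply be overwritten.
    $file = Get-Item -LiteralPath $Path -Force
    $file.Attributes = $file.Attributes -bor [IO.FileAttributes]::ReadOnly
}

function Test-PerfcVaccine {
    param([string]$Path = $vaccinePath)
    # Returns $true only when the file exists AND carries the ReadOnly attribute.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
}

Install-PerfcVaccine
if (Test-PerfcVaccine) {
    Write-Host "Vaccine in place: $vaccinePath exists and is read-only."
} else {
    Write-Warning "Vaccine NOT in place; check permissions on $vaccinePath."
}
```

Test-PerfcVaccine can be rerun on its own later to confirm the file has not been removed or had its read-only attribute cleared.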

UPDATE – IT MAY BE A STATE ACTOR ATTACK

Some InfoSec professionals are concluding that this really may not be a ransomware attack because of the fact that:

As The Verge reports:

Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “is in our opinion a very subtle way from the attacker to control the narrative of the attack.”