Petya Ransomware Attack: How and Who is Infected; How to Stop it

Prayank

A new ransomware attack which uses a modified version of the EternalBlue exploit, the same exploit behind the WannaCry attacks, emerged on Tuesday and has already hit more than 2,000 PCs worldwide in Spain, France, Ukraine, Russia and other countries.

The attack has primarily targeted businesses in these countries, while a hospital in Pittsburgh, USA has also been hit. The victims include Ukraine's central bank, railways and Ukrtelecom, Rosneft (Russia), WPP (UK) and DLA Piper (USA), among others.

The highest number of infections has been found in Ukraine, followed by Russia, Poland, Italy and Germany. The Bitcoin wallet accepting payments had received more than 24 transactions before the email address victims were told to contact was shut down by its provider.

Although the attack is not aimed at businesses in India, it did hit shipping giant A.P. Moller-Maersk, and operations at Jawaharlal Nehru Port are affected because the company runs the Gateway Terminals at the port.

How Does the Petya Ransomware Spread?

The ransomware uses an exploit similar to the one behind the large-scale WannaCry ransomware attacks last month, which hit machines running unpatched versions of Windows, with some modifications.

The underlying flaw is in Microsoft's SMBv1 implementation and allows remote code execution on unpatched Windows systems from Windows XP through to current releases. Microsoft fixed it in security bulletin MS17-010 in March 2017 and, after WannaCry, also released patches for unsupported versions such as Windows XP and Windows Server 2003.

Once the ransomware is running on a PC, it encrypts files with common document and archive extensions on the local disk, writes a custom loader into the Master Boot Record (MBR) and schedules a reboot using system tools. On restart, that loader encrypts the Master File Table (MFT) of the NTFS partitions while showing a fake disk-check screen, and then displays the ransom note. Without an intact MFT, Windows can no longer find the files on the disk even though most of their contents are still there.
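The MBR overwrite described above is the kind of change a host-integrity check can catch early. The Python below is an added example, not code from the original article or from any vendor: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and compares a current copy against a saved baseline, reporting whether the bootstrap code, the partition table or the signature changed. A loader that replaces the boot code but leaves the partition table alone, so the disk still boots into the attacker's code, is exactly the pattern it is meant to surface. The two sample sectors and the loader bytes in them are constructed placeholders, not Petya's actual loader.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55 0xAA boot signature

# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA of first sector, number of sectors. All little-endian.
PART_ENTRY = "<B3sB3sII"


def parse_mbr(sector):
    """Return the boot-code hash, the non-empty partition entries and whether the signature is intact."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(PART_ENTRY, entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": n_sectors,
            })
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """List what differs between a trusted baseline MBR and the sector read now."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def make_mbr(boot_code, partitions):
    """Build a synthetic 512-byte MBR for the examples below (CHS fields zeroed, LBA-only)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(PART_ENTRY, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


# Constructed sample data: a "known good" MBR with one bootable NTFS (type 0x07)
# partition, and the same disk after the bootstrap code has been replaced.
# The byte strings stand in for real loader code and are not Petya's.
ONE_NTFS_PARTITION = [(0x80, 0x07, 2048, 204800)]
BASELINE_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"ORIGINAL-WINDOWS-BOOTSTRAP", ONE_NTFS_PARTITION)
TAMPERED_MBR = make_mbr(b"\xfa\x33\xc0" + b"CUSTOM-LOADER", ONE_NTFS_PARTITION)


if __name__ == "__main__":
    print("baseline vs itself:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
    print("partitions:", parse_mbr(TAMPERED_MBR)["partitions"])
```

To run this against a real disk, read the first 512 bytes of the raw device (on Windows open `\\.\PhysicalDrive0`, on Linux `/dev/sda`; both require administrator or root) and store the baseline somewhere the host cannot modify, such as a central log. On a GPT disk the first sector is a protective MBR with a single type 0xEE entry, and the same comparison still applies to it.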

According to Kaspersky Lab, “To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.”
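That second propagation path, credentials pulled from lsass.exe and then reused with PsExec or WMIC, leaves traces that endpoint logs can pick up even on machines already patched against EternalBlue. The Python below is an added example written for this article, not code from Kaspersky or from the original page. It runs three simple rules over constructed Sysmon-style event lines (process creation and process access, flattened to one pipe-separated line each; the hostnames, paths and IP addresses are made up): a non-allowlisted process opening lsass.exe, a remote-execution tool (psexec, wmic) pointed at another host, and a forced reboot via shutdown.exe, then reports hosts that show both credential access and remote execution. The allowlist is an assumption that would need tuning per environment.

```python
import ntpath

# Constructed sample events (EventID 1 = process creation, EventID 10 = process
# access), pipe-separated key=value. Made up for this example; not real logs.
SAMPLE_EVENTS = [
    "EventID=1|Host=WS01|User=CORP\\alice|Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|CommandLine=\"WINWORD.EXE\" /n",
    "EventID=10|Host=WS01|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=10|Host=WS01|SourceImage=C:\\Users\\Public\\tmp\\dump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=1|Host=WS01|User=CORP\\alice|Image=C:\\Users\\Public\\tmp\\psexec.exe|CommandLine=psexec.exe \\\\10.0.0.23 -accepteula -s -d cmd.exe /c whoami",
    "EventID=1|Host=WS01|User=CORP\\alice|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic /node:10.0.0.24 /user:CORP\\alice /password:*** process call create \"cmd.exe /c whoami\"",
    "EventID=1|Host=WS01|User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\shutdown.exe|CommandLine=shutdown.exe /r /f",
    "EventID=1|Host=WS02|User=CORP\\bob|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic os get caption",
]

# Remote-execution tooling worth flagging when aimed at another host.
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "paexec.exe", "wmic.exe"}
# Assumption: processes that legitimately touch lsass.exe on this estate. Tune per environment.
LSASS_ALLOWLIST = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}


def parse_event(line):
    """Split one 'key=value|key=value' line into a dict (first '=' wins)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def image_name(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule tags an event triggers (empty if benign)."""
    findings = []
    if event.get("EventID") == "1":
        img = image_name(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        # psexec targets look like \\host; wmic uses /node:host
        if img in LATERAL_TOOLS and ("\\\\" in cmd or "/node:" in cmd):
            findings.append("remote_execution")
        if img == "shutdown.exe" and "/r" in cmd.split():
            findings.append("forced_reboot")
    elif event.get("EventID") == "10":
        src = image_name(event.get("SourceImage", ""))
        tgt = image_name(event.get("TargetImage", ""))
        if tgt == "lsass.exe" and src not in LSASS_ALLOWLIST:
            findings.append("lsass_access")
    return findings


def scan(lines):
    """Run every rule over every line; yields (host, tag, offending image) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev):
            alerts.append((ev.get("Host"), tag, ev.get("Image") or ev.get("SourceImage")))
    return alerts


def hosts_with_chain(alerts):
    """Hosts showing credential theft followed by remote execution: the sequence Kaspersky describes."""
    by_host = {}
    for host, tag, _ in alerts:
        by_host.setdefault(host, set()).add(tag)
    return sorted(h for h, tags in by_host.items() if {"lsass_access", "remote_execution"} <= tags)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, tag, image in found:
        print(f"{host}: {tag} <- {image}")
    print("hosts with full chain:", hosts_with_chain(found))
```

The rules are deliberately coarse: the benign `wmic os get caption` on WS02 and the svchost.exe access to lsass on WS01 pass, while the unknown dumper, the psexec and wmic calls to other hosts and the forced reboot on WS01 are flagged. In a real SIEM the same logic would consume Sysmon event 1 and event 10 fields directly rather than this flattened form.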

What Happens After a PC is Infected?

After Petya infects a PC, the user loses access to the machine, which displays a black screen with red text that reads:

“If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste our time. Nobody can recover your files without our decryption service.”

Below that are instructions for paying $300 worth of Bitcoin and a field for entering the decryption key that is supposed to unlock the files.

How to Stay Safe?

Currently there is no known way to decrypt files held hostage by this Petya variant, since it uses strong encryption and the keys never leave the attackers' hands.

But security website Bleeping Computer reports that creating a read-only file named ‘perfc’ in the C:\Windows folder acts as a vaccine: the malware checks for that file when it starts and exits if it already exists. This protects the individual machine it is created on; it does not stop already-infected neighbours from scanning the network.

It is also important that anyone who has not yet done so immediately downloads and installs Microsoft's MS17-010 update, which closes the SMBv1 vulnerability exploited by EternalBlue; Microsoft has released it for older, unsupported versions of Windows as well. This will safeguard against any malware strain that spreads the way Petya does. Note, however, that the patch alone does not block the second propagation method described above: a fully patched machine can still be infected from a neighbour that holds valid administrator credentials for it and uses PsExec or WMIC, so limiting local admin rights and shared passwords matters just as much.

While the number and scale of ransomware attacks keep growing, the risk of new infections from a given campaign is thought to drop considerably after its first few hours.

In Petya's case, analysts say the code shows it only spreads within the local network of an infected machine and does not scan the wider internet. Nobody has yet established who is responsible for the attack.

Security researchers have still not found a way to decrypt systems infected by this Petya variant, and since the attackers can no longer be contacted now that their email address has been shut down, everyone affected will remain locked out for the time being.


Written By

Prayank

Bike enthusiast, traveller, ManUtd follower, army brat, word-smith; Delhi University, Asian College of Journalism, Cardiff University alumnus; a journalist breathing tech these days.