A new ransomware exploit dubbed "Petya" struck major companies and infrastructure sites this week, following last month's WannaCry ransomware attack, which wreaked havoc on more than 300,000 computers across the globe.
Petya is believed to be linked to the same set of hacking tools as WannaCry. Petya already has taken thousands of computers hostage, impacting companies and installations ranging from Ukraine to the U.S. to India.
It has led to the shutdown of radiation monitoring systems at the Chernobyl nuclear facility.

Europol, the international law enforcement agency, could not provide operational details on the attack, spokesperson Tine Hollevoet told the E-Commerce Times, but it was trying to "get a full picture of the attack" from its industry and law enforcement partners.

Petya "is a demonstration of how cybercrime evolves at scale and, once again, a reminder to business of the importance of taking responsible cybersecurity measures," Europol Executive Director Rob Wainwright said in a Wednesday update.

Unlike WannaCry, the Petya attack does not include any type of 'kill switch,' according to Europol.

Variant Characteristics

The U.S. Computer Emergency Readiness Team on Tuesday began fielding numerous reports about the Petya ransomware infecting computers around the world, and noted that this particular variant encrypts the master boot records of Windows computers and exploits vulnerabilities in the Server Message Block (SMB) protocol.

The RANSOM_PETYA.SMA variant uses two infection vectors: the EternalBlue exploit, which was used in the WannaCry attack, and the PsExec tool, a Microsoft utility used to run processes on remote systems, according to Trend Micro.

Users should apply the MS17-010 security patch, disable TCP port 445 (as explained in this commercial product video), and restrict accounts with administrator group access, the firm recommended.

The Petya variant uses the rundll32.exe process to run itself, and encryption is carried out using perfc.dat, a file located in the Windows folder, Trend Micro said.
The ransomware adds a scheduled task and reboots the computer system after one hour.
The Master Boot Record is modified, allowing encryption to take place, and a ransom note is displayed with a fake CHKDSK notice.

The Petya exploit uses a hardcoded bitcoin address, making decryption more labor-intensive than it was during the WannaCry attack.
However, that number could change as the attacks spread.

Many companies failed to upgrade their computer systems properly following the WannaCry attack, said Gaurav Kumar, CTO at RedLock.
WannaCry exploited legacy Windows systems that had not been patched, even though Microsoft issued an update in March, he told the E-Commerce Times.

Governments should mount coordinated efforts to fight cyberattacks, according to Access Now, an advocate for digital rights and privacy.
The Petya attack's use of the EternalBlue exploit shows that government agencies should not be stockpiling vulnerabilities, the group argued, as the exploit has been linked to the Shadow Brokers' leak of an exploit created by the National Security Agency.
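The behaviours Trend Micro attributes to this variant above (rundll32.exe running perfc.dat from the Windows folder, a scheduled task that reboots the machine, and PsExec used for remote execution) map directly onto process-creation telemetry that most endpoint agents already collect. The detector below is an added example written for this page, not code from Trend Micro, US-CERT or Europol. The JSON-lines event format, its field names and the sample records are constructed for the example, and the exact command line of the reboot task is an assumption rather than something the article states.

```python
import json
import re
from typing import Iterable

# Constructed process-creation events (JSON lines), loosely modelled on the
# fields a Sysmon "process create" event carries. These are made-up records,
# not captured telemetry; the schtasks command line is an assumed shape.
SAMPLE_EVENTS = r"""
{"ts": "2017-06-27T10:01:58Z", "host": "ws-03", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2017-06-27T10:02:11Z", "host": "ws-01", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\perfc.dat,#1", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"ts": "2017-06-27T10:02:12Z", "host": "ws-01", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /Create /SC once /TN \"Rst\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST 11:02", "parent": "C:\\Windows\\System32\\rundll32.exe"}
{"ts": "2017-06-27T10:02:40Z", "host": "ws-02", "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe", "parent": "C:\\Windows\\System32\\services.exe"}
this line is not JSON and is skipped by the parser
{"ts": "2017-06-27T10:03:05Z", "host": "ws-03", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt", "parent": "C:\\Windows\\explorer.exe"}
"""

# Each rule: (name, severity, predicate over one parsed event).
# rundll32.exe is a legitimate Windows binary, so the first rule keys on the
# payload it loads (perfc.dat in the Windows folder), not on rundll32 itself.
RULES = [
    ("petya_rundll32_perfc", "high",
     lambda e: e["image"].lower().endswith("\\rundll32.exe")
     and re.search(r"\\windows\\perfc\.dat", e["cmdline"], re.I) is not None),
    # The article says the ransomware schedules a reboot; the "shutdown /r"
    # action is an assumed form of that task, not a detail from the page.
    ("petya_scheduled_reboot", "high",
     lambda e: e["image"].lower().endswith("\\schtasks.exe")
     and re.search(r"shutdown(\.exe)?\s+/r", e["cmdline"], re.I) is not None),
    # PSEXESVC.exe is the service side of PsExec; administrators use it too,
    # so this is medium severity and mainly useful for correlation.
    ("psexec_remote_exec", "medium",
     lambda e: re.search(r"\\psexe(c|svc)\.exe$", e["image"], re.I) is not None),
]


def parse_events(lines: Iterable[str]) -> list:
    """Parse JSON-lines telemetry, dropping blank or malformed records."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole scan
    return events


def scan_events(lines: Iterable[str]) -> list:
    """Return one finding per (event, rule) match, in telemetry order."""
    findings = []
    for ev in parse_events(lines):
        for name, severity, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "severity": severity,
                                 "host": ev["host"], "ts": ev["ts"],
                                 "cmdline": ev["cmdline"]})
    return findings


def hosts_with_chain(findings: list) -> set:
    """Hosts showing both the perfc.dat load and the scheduled reboot.

    Either signal alone can be noisy; both on one host within the same
    telemetry window is the infection chain the article describes."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    needed = {"petya_rundll32_perfc", "petya_scheduled_reboot"}
    return {h for h, rules in by_host.items() if needed <= rules}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS.splitlines())
    for h in hits:
        print(f"[{h['severity']}] {h['ts']} {h['host']} {h['rule']}: {h['cmdline']}")
    print("hosts with full chain:", sorted(hosts_with_chain(hits)))
```

Run against the constructed sample, the scan flags ws-01 twice (the perfc.dat load and the reboot task) and ws-02 once for PSEXESVC, while the benign rundll32 and notepad events on ws-03 pass. The correlation step then reports only ws-01 as showing the full chain, which is the distinction an analyst wants when PsExec is also used legitimately in the environment.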