On June 27, 2017, opportunistic cybercriminals took advantage of exploits leaked by the Shadow Brokers, a group that had previously released cyberweapons used by the National Security Agency. The latest payload was a variant of Ransom:Win32/Petya, initially seeded through the update mechanism of an accounting software package used in Ukraine. Since then, the ransomware has compromised 12,500 machines in Ukraine and spread to 64 countries across the globe. The virus exploits the EternalBlue vulnerability in Microsoft Windows, encrypts data on the compromised hard drives and demands a $300 ransom for decryption.
A Wiper in Disguise
Experts believe this over-ambitious attempt to extort unsuspecting users for financial gain has the potential to spread faster than WannaCry, the largest ransomware attack to date. In pursuit of that goal, however, the virus is so poorly built that the entire ransom payment mechanism is broken: it guarantees that victims cannot recover their encrypted data even after paying.
The virus requests payment to a single static Bitcoin address, plus a proof-of-payment message to an email address hosted by the provider Posteo. As expected, transactions to the single hardcoded Bitcoin address are traceable, and the webmail provider has already disabled the address. Despite the large-scale impact, the cybercriminals behind the attack barely collected $10,000 across 45 ransom payments.
It looks like the intent behind the attack is far more malicious, and more clever, than it first appears. Perhaps the creators never intended to decrypt the compromised data after receiving payment. While it looks like a schoolboy hacker's get-rich-quick attempt, the virus has actually turned out to be something worse: wiper malware.
Wiper malware is essentially a cyberweapon designed to destroy the data stored on the compromised hard disk. Whether Petya was intentionally designed as a wiper is debatable, but it has certainly supplied its share of fodder for the media frenzy around the mysterious actors behind it. Previous episodes of wiper malware had their roots in state-sponsored attacks; notable examples include the Wiper attack on Iran and the Shamoon attack on Saudi Arabia, which share their roots with the destructive Stuxnet attack.
Here’s What You Can Do About It
Petya exploits the Server Message Block (SMB) vulnerability in Microsoft Windows to spread across machines. This is the same vulnerability used to spread WannaCry, the largest ransomware attack in history. Microsoft had already issued security patches to address the vulnerability, and users running updated machines remain protected from the Petya attack.
The first step to ensure protection from the Petya attack is to run the latest stable version of Windows with all security updates applied.
Users running outdated Windows should meanwhile watch out for unexpected reboots followed by a message claiming to repair system files. If that happens, power off the machine immediately: the "repair" is actually the encryption process running. Your files remain unencrypted until that process completes in its entirety.
If your computer has actually been compromised, there is no way to recover your data, since the email address given in the ransom message has been disabled. Reformat your hard drive, restore your data from your most recent backup, and keep your software, anti-virus and OS up to date at all times.
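As an added example (not part of the original post, and not code from Microsoft or from the malware's authors), the following PowerShell script audits a Windows host for the two conditions the advice above hinges on: whether the MS17-010 fixes for the SMB vulnerability are present, and whether the legacy SMBv1 server that the exploit targets is still enabled. It assumes an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later. The KB identifiers in `$Ms17010Kbs` are assumptions that must be checked against Microsoft's MS17-010 bulletin for your exact build, and `Get-WindowsOptionalFeature` applies to client SKUs (servers expose the component as a Windows feature instead). The blocking firewall rule is optional and labelled as such.

```powershell
# Added example: audit a Windows host for MS17-010 patch status and SMBv1 exposure.
# Not code from the original post. Run from an elevated PowerShell 5.1+ session.

# Assumed KB list for MS17-010; verify against Microsoft's bulletin for your OS build.
$Ms17010Kbs = @(
    'KB4012598',               # assumed: XP / Server 2003 / Vista / Server 2008 out-of-band fix
    'KB4012212', 'KB4012215',  # assumed: Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # assumed: Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # assumed: Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # assumed: Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    param([string[]] $KnownKbs = $Ms17010Kbs)
    # Get-HotFix lists installed updates by KB id. Caveat: a later cumulative
    # update that supersedes these KBs will not show them, so "not found" means
    # "verify the build level", not "vulnerable".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($KnownKbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched   = ($found.Count -gt 0)
        MatchedKb = ($found -join ',')
    }
}

function Get-Smb1Status {
    # EnableSMB1Protocol is the server-side switch; the optional feature is the
    # SMBv1 component itself. Both should be off on a hardened host.
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = 'Unknown'
    if ($feature) { $featureState = [string]$feature.State }
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
        Smb1FeatureState  = $featureState
    }
}

function Disable-Smb1Server {
    # Turns the SMBv1 server off. Devices that only speak SMBv1 (very old NAS
    # boxes, printers) will lose access, so inventory them before running this.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-InboundSmb {
    # Optional containment step: refuse inbound SMB on non-domain profiles.
    # This also blocks legitimate file sharing on those networks.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
}

# Summary report for this host.
$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Status

$patchStatus = 'Unverified (no listed KB found; check build level / cumulative updates)'
if ($patch.Patched) { $patchStatus = "Patched ($($patch.MatchedKb))" }

$smbRisk = 'OK: SMBv1 server disabled'
if ($smb1.Smb1ServerEnabled) { $smbRisk = 'RISK: SMBv1 server enabled; run Disable-Smb1Server' }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Ms17010Status  = $patchStatus
    Smb1Feature    = $smb1.Smb1FeatureState
    Smb1Assessment = $smbRisk
} | Format-List
```

Run the script as-is to get the report; call `Disable-Smb1Server` and, if the host does not need to serve files on untrusted networks, `Block-InboundSmb` only after confirming nothing on the network still depends on SMBv1 or on inbound port 445. Treat an "Unverified" patch status as a prompt to compare the OS build number against the bulletin rather than as proof of exposure.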