Petya Ransomware – A New Low

After the WannaCry Ransomware affected businesses in 150 countries last month, you would think that people would have learned.  Apparently not.

The Petya ransomware doesn’t encrypt your files one at a time; it locks up the whole disk.

Typical ransomware picks selected files (Word or Excel documents, say) and encrypts them one by one.  This ransomware instead overwrites the Master Boot Record, or MBR, with its own boot code and forces Windows to reboot.  On the next boot the machine loads the fake MBR before Windows ever starts, and the fake MBR displays a screen that looks like CHKDSK, the Windows utility used to fix disk problems.  Except, in this case, what it is really doing is encrypting the Master File Table, or MFT, the index NTFS uses to find every file on the volume.  Because it only has to encrypt that one index rather than walk the disk file by file, Petya can make the whole disk unreadable far faster than a file-by-file encryptor can.  POOF!

Companies – big companies – in many countries have been affected:

  • WPP, the British based worldwide advertising company
  • Law firm DLA Piper
  • Danish shipping firm Maersk

And many, many others.

It appears to have started with a poisoned software update from a Ukrainian accounting software firm, according to many experts.  The firm denies that.  Time will tell.

In the meantime the infection is going viral in Ukraine, which is blaming Russia, but Russian government computers are also being infected.  In fact, Ukraine and Russia account for the largest concentration of infections.

Why do these ransomware attacks seem to gain steam in Eastern Europe and Asia?  It is not clear to me, but one possible explanation is that a lot of the operating system software in that part of the world is pirated, and those users cannot get patches.

Like WannaCry, there is a way to stop it, but unlike WannaCry’s kill switch, which was a single domain registration that protected everyone at once, this one requires a file to be placed on each and every computer.  And it only limits the damage on the machine that has the file; it doesn’t stop the infection from spreading.
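The post does not name the file.  Public analysis of the June 2017 outbreak identified it as a read-only file named perfc in the Windows directory, which the malware looked for before running its payload.  The following PowerShell is an added example, not code from the original post or from any of the sources it cites; it creates that file (plus two extra names some guidance recommended as a precaution), marks it read-only, and reports whether the "vaccine" is actually in place so the result can be checked across a fleet.  Run it elevated.

```powershell
# Added example (not from the original post). Creates the read-only "vaccine"
# file that the June 2017 Petya/NotPetya variant checked for before encrypting.
# The primary name, C:\Windows\perfc, comes from public analysis of the outbreak;
# perfc.dat and perfc.dll were added by some guidance as belt-and-braces.
# This only protects the host it runs on; it does not stop the worm spreading.
$names = @('perfc', 'perfc.dat', 'perfc.dll')

$results = foreach ($n in $names) {
    $path = Join-Path $env:SystemRoot $n

    # Create an empty file if it is not already there (-Force does not clobber content)
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }

    # Mark it read-only so a later process cannot casually delete or overwrite it
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    # Report what actually ended up on disk, not what we intended
    [pscustomobject]@{
        Path     = $path
        Exists   = Test-Path -LiteralPath $path
        ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so a deployment tool (GPO startup script, PsExec, SCCM) can flag failures
if ($results | Where-Object { -not $_.Exists -or -not $_.ReadOnly }) {
    Write-Warning 'One or more vaccine files are missing or writable; re-run elevated.'
    exit 1
}
```

Two caveats.  The check the malware performed was for a file matching its own DLL name minus the extension, so a re-packaged sample with a different name would ignore this file; treat it as a stopgap, not a patch.  And because it does nothing to the SMB and credential-theft spreading, the real fix remains patching, blocking SMB between workstations and getting local admin passwords out of memory on shared machines.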

Now here is the bad news.  The hackers are asking for $300 in Bitcoin to unlock the computer.  The ransom note tells you to contact the hackers at an email address and gives a bitcoin wallet – the same wallet for every victim.

But here is the problem.  Because every victim pays into the same wallet, the email was the only way for the hackers to match a payment to a particular machine.  That email address is hosted on Posteo, a German email provider, which has decided to close the account for violating its terms of service.  That means there is no way to communicate with the hackers and no way to get a decryption key.

Of course, if the hackers wanted to, they could publicize another email address anonymously.

But, maybe, they don’t want to.

If, as suspected, this is the work of Russia to destabilize Ukraine, and if a little collateral damage in Russia provides cover, Russia probably figures that is OK.  If that is the case, then they don’t want people to be able to recover.

In this case, unlike some other ransomware attacks, having good backups is all you need.  Wipe the disk, including the boot sector, reinstall or reimage Windows, restore from your backup and you are good to go.  The one catch: the backup has to have been somewhere the worm could not reach, which rules out a network share that every workstation on the LAN could write to.

So what is the moral?

Backups are still critical for recovering from many ransomware attacks, and HOW LONG IT TAKES to recover is the next most important thing.  If you can restore but it takes you a week to get back to work, that is a problem.

Do you know how long it would take your company to recover from a major ransomware attack?  Important question.

Information for this post came from The Guardian, Bleeping Computer and Risk Based Security.

