Petya more vicious than WannaCry, but Singapore impact still uncertain

SingCERT warns that the latest ransomware as "more dangerous and intrusive", but its immediate impact in Singapore remains unclear for now as there have been no reports of major disruptions.
Written by Eileen Yu, Senior Contributing Editor

The latest Petya ransomware has been described to be more vicious than its predecessor, but its impact in Singapore remains largely uncertain for now as there have been no reports of major disruptions.

Singapore Computer Emergency Response Team (SingCERT) issued an advisory Wednesday warning local businesses and users that Petya, though inspired by WannaCry, was "more dangerous and intrusive".

"Its behaviour is to encrypt the Master File Tree (MFT) tables for NTFS partitions and overrides the Master Boot Record (MBR) with a custom boot-loader to display a ransom note and prevents victims from booting up," SingCERT said.

In a nutshell, Petya not only encrypts targeted files, it also locks up the entire hard drive using some of the most advanced cryptographic algorithms to gain control of the master reboot sector. It stops the computer from loading the OS, rendering it inoperable. It is also called PetrWrap and is a variant of the Petya family.

Mike Sentonas, CrowdStrike's vice president of technology strategy, explained that PetrWrap was "noteworthy" because it combined traditional ransomware behaviour with stealthy propagation techniques.

"PetrWrap has the ability to move laterally to encrypt other systems in the organisation by leveraging the same EternalBlue vulnerability that was popularised by WannaCry last month," Sentonas said. "It then uses another propagation technique that starts by stealing credentials, then uses those legitimate credentials to infect other systems on the network via built-in Microsoft tools--WMI and PSEXEC--even if a machine has been patched."

SingCERT added that the ransomware spread via email masquerading in Microsoft Office documents, which would run the Petya installer when opened and execute the SMB worm. It said various versions of Microsoft Windows were thought to be vulnerable, including Windows 10, Windows 8.1, and Windows Server 2016.

SingCERT's advisory echoed that of data protection and cybersecurity vendors, including Acronis which said banks, MNCs, and critical infrastructure owners in Singapore would be primary targets of the ransomware. When asked, however, it said it was unaware of any local organisation that had been affected by Petya.

Eugene Aseev, Acronis' head of research and development in Singapore, explained: "The Petya ransomware is more dangerous than Wannacry primarily because it infects to patched-up systems, whereas WannaCry targeted un-patched systems.

"Petya also impacts the MBR, which means the computer is compromised even before Windows can be loaded. It also attempts to steal the user's credentials from the infected machines and uses these credentials to further infect other machines that share similar credentials," Aseev said.

He said companies affected by the ransomware would be able to restore their systems if they had an image-level backup, but would need to reinstall their OSes if they only had file-level backup to retrieve their files. And because they would lose their configuration and software settings, their recovery time would be longer, he added.

Sentonas said there currently was no mechanism to decrypt files that had been encrypted by the ransomware. "If an endpoint is encrypted, the only fix at the moment is to wipe and rebuild the machine and restore data on the device," he said.

Aamir Lakhani, Fortinet's senior security strategist, said it also would initiate a system reboot on a one-hour cycle, which added a denial-of-service (DoS) element to the attack. And while WannaCry was not particularly successful in generating a financial payoff for the hackers, partly due to the kill-switch created for it, Lakhani noted that Petya's payload would be "more sophisticated". He added, though, that it was still too premature to say if it would be more financially lucrative than WannaCry.

According to Ryan Flores, Trend Micro's Asia-Pacific senior manager of forward-looking threat research, some US$7,500 had been paid into the Bitcoin address used by the attackers.

Flores urged those affected not to fork out the ransom, adding that several organisations in Europe and Asia had been affected by the ransomware.

Production at Cadbury's famous chocolate factory in Tasmania, Australia, was forced to a stop late Tuesday after the company was hit by Petya. The site was owned by Spanish food operator, Mondelez, and produced some 50,000 tonnes of chocolate annually.

Global organisations reportedly affected by the ransomware included the National Bank of Ukraine, British advertising agency WPP, Danish transport company Maersk, and US pharmaceutical company Merck.

Naveen Bhat, Ixia's Asia-Pacific managing director, noted that while it was not aware of any companies in Singapore hit by Petya, it would be "a safe assumption that machines have been affected in Singapore although none have been reported so far". "Petya does not know national boundaries. Firms that have not upgraded the latest Windows patches are vulnerable," Bhat said.

Editorial standards