Petya ransomware attack: What it is, and why this is happening again

Just six weeks on from WannaCry, the world has fallen victim to another fast-spreading ransomware in the form of Petya/GoldenEye. Why haven't lessons been learned?
Written by Danny Palmer, Senior Writer

Another month, another global ransomware attack. Just as it seemed that the threat of WannaCry has dissipated, organisations around the world are finding themselves under siege from a new threat.

This cyberattack first hit targets in Ukraine, including its central bank, main international airport and even the Chernobyl nuclear facility, before quickly spreading around the globe, infecting organisations across Europe, North America and even Australia. A day after the incident began, at least 2,000 attacks had been recorded across at least 64 countries.

Early indications suggest that this outbreak is down to a modified version of Petya ransomware, combining elements of GoldenEye and WannaCry ransomware into something extremely potent.

It combines the vicious nature of GoldenEye -- which encrypts not just files but whole hard drives, rendering entire networks useless -- with the same EternalBlue Windows flaw that gave WannaCry the worm-like features it used to hit 300,000 computers around the world.

The exploit was developed by the NSA before being leaked by the Shadow Brokers hacking collective and, despite Microsoft issuing a patch, the extent of the new ransomware attacks suggests that many systems are still very vulnerable to the threat.

Law enforcement agencies and cybersecurity firms across the world are investigating the attack - and researchers have offered a temporary method of 'vaccinating' against it - but how has this happened again, just six weeks on from the previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is its improved worm capabilities, which let it spread across infected networks: only one unpatched machine on a network needs to become infected for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple 'lateral movement' techniques: it uses file shares to transfer the malware across the network, uses legitimate functions to execute the payload, and even has trojan-like abilities to steal credentials.
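As an added illustration of the defender's side of that lateral-movement point (example code written for this article, not Microsoft's or any vendor's), the following Python flags a host that writes to administrative shares on many other hosts within a short window, the fan-out pattern a network worm produces and a normal workstation does not. The log format, host names and file names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified share-access telemetry (not real Petya data):
# "<ISO time> <source host> <target host> <share> <action> <file>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 WS-12 FS-01 ADMIN$ write report.docx
2017-06-27T10:05:00 WS-07 WS-21 ADMIN$ write update.dll
2017-06-27T10:05:04 WS-07 WS-22 ADMIN$ write update.dll
2017-06-27T10:05:09 WS-07 WS-23 ADMIN$ write update.dll
2017-06-27T10:05:15 WS-07 WS-24 ADMIN$ write update.dll
2017-06-27T10:05:20 WS-07 WS-25 ADMIN$ write update.dll
2017-06-27T10:40:00 WS-07 WS-26 ADMIN$ write update.dll
2017-06-27T11:00:00 SRV-BK WS-30 C$ read backup.cfg
"""

ADMIN_SHARES = {"ADMIN$", "C$"}  # hidden administrative shares
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_events(log_text):
    """Return (time, src, dst, share, action, file) tuples; skip bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed telemetry is skipped, not fatal
        ts, src, dst, share, action, name = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, share, action, name))
    return events

def detect_fanout(log_text, min_targets=5, window=timedelta(minutes=10)):
    """Map each source host to the sorted hosts whose admin shares it wrote to,
    reported only if >= min_targets distinct hosts fall inside one window."""
    writes = defaultdict(list)
    for t, src, dst, share, action, _ in parse_events(log_text):
        if share in ADMIN_SHARES and action == "write":
            writes[src].append((t, dst))
    alerts = defaultdict(set)
    for src, evs in writes.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                alerts[src] |= targets
    return {src: sorted(t) for src, t in alerts.items()}
```

With the sample above, only WS-07 is reported: its five writes within 20 seconds cross the threshold, while the sixth write 35 minutes later falls outside the window and the single benign write from WS-12 never does.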

Researchers have suggested that phishing emails and watering hole attacks are being used to spread the malware, while analysis by Talos Intelligence suggests "it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc."

However, the company has denied the claim, despite seemingly admitting, in a now-deleted post, that its server had been infected with a virus.

But there's one key reason why many organisations - especially those in the industrial or transport sectors - are falling victim to this outbreak: they aren't patching their systems.

In some cases it's simply not possible to update certain bespoke machines, but in many others, falling victim to the attack is likely to be the result of not applying the security updates designed to protect against the leaked EternalBlue SMB flaw.

Too many organisations are running systems which, for whatever reason, logistical or financial, just haven't been patched, and so they now find themselves at risk of ransomware.


"This seems to be hitting large industrial companies, like Maersk shipping company and Rosneft oil company. These organisations typically have a challenge patching all of their machines because so many systems cannot have down time. Airports also have this challenge," said Chris Wysopal, co-founder and CTO at Veracode.

It's far from clear who is behind the attack, and in this instance the email address registered for handling Bitcoin ransom payments has already been disabled by the host company, meaning that those behind it can't cash in.

But some speculate that the attackers are more interested in causing damage than making money - especially now that the worm is out of the box, it will continue spreading until it can somehow be stopped.

"There is mounting evidence that the #GoldenEye/#Petya ransomware campaign might not have targeted financial gains but rather data destruction," said Bogdan Botezatu, senior e-threat analyst at Bitdefender.

He cites the selection of a regular email service provider as the payment channel, the lack of an automated payment system, and a "total lack of usability" in the payment confirmation, which requires the user to type an extremely long "personal installation key" that is easy to enter incorrectly.

But even the general advice not to pay the ransom hasn't got through to all the victims: even after the related email account was shut down, just over 40 victims had given in and paid, even though there's no way for them to regain access to their data this way.

That in itself is a microcosm of why ransomware works: in many instances, victims feel they have no option but to pay, so they hand over ransoms, further emboldening attackers.

The worry is that if this new form of ransomware is already so much more effective than WannaCry after only a few weeks, how bad could it get in future?

"We believe that today's events are part of the natural evolution of ransomware technology, but also a test-run for a much bigger and bolder attack in the future," said Steve Grobman, CTO at McAfee.

For now, there are two things that can be done to minimise the impact of falling victim to ransomware. The first is to ensure all your operating systems and software are patched and up to date; the second is to be cautious about links and attachments within emails, two of the main attack vectors for initially spreading ransomware.
