Petya cyber attack that swept globally, and has infected enterprise networks across Europe is actually much worse than initially thought. Security researchers have now come to the conclusion that the Petya attack is not a ransomware, but a wiper instead.

The haze of massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, Airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

When people say Petya, they usually mean 3 things:

1. The boot loader that encrypts the MFT.
2. The dropper that installs the boot loader.
3. The normal user mode ransomware, which is also known as Misha.

Difference Between Wannacry and Petya

The important difference between WannaCry and Petya is WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seem to have been deployed onto a large number of computers and spread via local network; therefore, in this instance there is low risk of new infections more than 1h after the attack (the malware shuts down the computer to encrypt it 1h after execution, by which time it will already have completed its local network scan).

As well as the use of EternalBlue, Petya can also propagate over the network using WMIC (Windows Management Instrumentation Commandline) by trying credentials gathered from the local machine using Mimikatz, this allows it to infect network systems which are patched against EternalBlue or not running SMB.

Additionally, It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running. Administrators can also shore up their defenses by using Microsoft’s Local Administrator Password Solution to protect credentials that grant network privileges.
“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

Source - 1 - http://indianexpress.com/article/technology/tech-news-technology/petya-cyberattack-this-is-a-wiper-not-ransomware-and-much-much-worse-4727038/
Source - 2 - https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
Source - 3 - https://www.wired.com/story/petya-ransomware-wannacry-mistakes/

like this article? feel free to upvote & resteem.

follow me @nitinchugh