Last night a new wave of ransomware attacks swept the world. While the pattern was the same as the earlier WannaCry attack, the symptoms resembled a family called Petya. As of now, security researchers are divided over whether the ransomware is Petya or NotPetya. Several countries have been targeted by this malicious code. Here are all the details.
What is ransomware?
A piece of malicious software that takes control of your system and files. Once it has taken over, it encrypts those files and demands money for a key that can restore them. Ransomware often scrambles file names and changes their extensions.
What is Petya?
The original Petya attack took place in 2016. The latest attack is a variant or offspring of Petya; security researchers have been calling it PetrWrap, GoldenEye or NotPetya.
How does it work?
The ransomware takes advantage of the same EternalBlue vulnerability as WannaCry, but its code is more sophisticated. Petya also uses the EternalRomance exploit, which was likewise leaked from the NSA. It uses the open-source tool Mimikatz to harvest the network's administrator credentials, then spreads across the network using the PsExec and WMIC tools. So even if just one system is infected, the whole network can be compromised.
"The quality of the code improves from iteration to iteration — this GoldenEye ransomware is pretty solid," Bogdan Botezatu, a researcher at the security firm Bitdefender, told Wired. "We don't get to catch a break."
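The three propagation steps above (credential theft, PsExec, WMIC) each leave a footprint in Windows event logs, and that is where a defender looks for them. The following PowerShell is an added example, not code from the article or from any vendor it cites: it runs simple detection rules over a handful of constructed event records shaped like System 7045 (service installed), Security 4688 (process created) and Sysmon 10 (process access) events. The host names, paths and the allow-list of processes that may legitimately open LSASS are assumptions for the demo.

```powershell
# Added example, not code from the article: flag the tooling the article names
# (Mimikatz-style credential theft, PsExec and WMIC lateral movement) in Windows
# event records. The sample records below are constructed for the demo; in
# practice, pipe in Get-WinEvent output converted to objects with these fields.

# Constructed samples shaped like System 7045 (service installed),
# Security 4688 (process created) and Sysmon 10 (process access) events.
$SampleEvents = @(
    [pscustomobject]@{ Id = 7045; Computer = 'WS-01'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' },
    [pscustomobject]@{ Id = 4688; Computer = 'WS-02'; CommandLine = 'wmic.exe /node:"10.0.0.12" process call create "cmd.exe /c whoami"' },
    [pscustomobject]@{ Id = 4688; Computer = 'WS-03'; CommandLine = 'wmic.exe os get caption' },
    [pscustomobject]@{ Id = 10;   Computer = 'WS-03'; SourceImage = 'C:\Temp\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },
    [pscustomobject]@{ Id = 10;   Computer = 'WS-04'; SourceImage = 'C:\Windows\System32\csrss.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ Id = 7045; Computer = 'WS-04'; ServiceName = 'Spooler'; ImagePath = '%SystemRoot%\System32\spoolsv.exe' }
)

# Assumed allow-list: processes that legitimately open LSASS on a typical host.
# Anything else reading LSASS memory deserves a look.
$LsassAllowList = @('csrss.exe', 'wininit.exe', 'services.exe', 'lsm.exe', 'MsMpEng.exe')

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # PsExec installs a service named PSEXESVC on the remote target.
        if ($e.Id -eq 7045 -and $e.ServiceName -match '^PSEXESVC') {
            [pscustomobject]@{ Computer = $e.Computer; Indicator = 'PsExec service install'; Detail = $e.ImagePath }
            continue
        }
        # WMIC with /node: addresses a remote host; 'process call create' runs a command there.
        if ($e.Id -eq 4688 -and $e.CommandLine -match '(?i)wmic.*/node:.*process\s+call\s+create') {
            [pscustomobject]@{ Computer = $e.Computer; Indicator = 'WMIC remote process creation'; Detail = $e.CommandLine }
            continue
        }
        # Credential dumpers read LSASS memory; flag non-allow-listed processes opening it.
        if ($e.Id -eq 10 -and $e.TargetImage -match '(?i)\\lsass\.exe$') {
            $source = Split-Path -Leaf $e.SourceImage
            if ($LsassAllowList -notcontains $source) {
                [pscustomobject]@{ Computer = $e.Computer; Indicator = 'Suspicious LSASS access'; Detail = "$($e.SourceImage) ($($e.GrantedAccess))" }
            }
        }
    }
}

# Expected on the constructed sample: three rows (WS-01 PsExec, WS-02 WMIC, WS-03 LSASS).
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
```

The point of the allow-list and the `/node:` check is precision: WMIC and service installs are everyday administration, so the rules key on the remote-execution form of each rather than on the tool name alone. On a real host, replace the sample array with objects built from `Get-WinEvent` so the same function runs over live logs.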
Who has been affected?
The attack started in Ukraine, where the malware was injected into government software used by several agencies. Banks, airports and transportation systems were affected in Ukraine, and the Chernobyl plant was taken offline for safety.
The malware has now spread to many countries, including India. Among the big-name corporations affected are Mondelez (Cadbury), Saint-Gobain and AP Moller-Maersk. At the moment, the attack appears targeted rather than widespread.
What is the safety net from the malware?
Researchers around the world are trying hard to find a kill-switch that will get rid of the ransomware. However, in parallel research they have found a way to prevent the attack: making a specific file in the Windows folder read-only.
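The article does not name the file. The following PowerShell is an added example, not from the article: it applies the read-only "vaccine" using the widely reported file name `perfc` in the Windows folder (an assumption on my part, not something the article states), and separately reports whether SMBv1, the protocol EternalBlue targets, is still enabled on the host. It needs an elevated session on Windows 8 / Server 2012 or later for `Get-SmbServerConfiguration`.

```powershell
# Added example, not code from the article: apply the read-only "vaccine" file
# the article mentions and check the SMBv1 exposure that EternalBlue relies on.
# Assumption (mine, not the article's): the file the malware checks for is
# C:\Windows\perfc; perfc.dat and perfc.dll are created as well, as commonly
# advised. Run from an elevated PowerShell session.

function Set-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)

    # The malware skips encryption when this file already exists; marking it
    # read-only stops it from simply overwriting the file with its own copy.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        [pscustomobject]@{ Path = $path; ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly }
    }
}

function Test-Smb1Exposure {
    # EternalBlue is an SMBv1 exploit; with the protocol disabled the host is not
    # reachable by it regardless of patch state. Patching MS17-010 is still required.
    $cfg = Get-SmbServerConfiguration
    $advice = if ($cfg.EnableSMB1Protocol) {
        'Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
    } else {
        'SMBv1 already disabled'
    }
    [pscustomobject]@{ Smb1Enabled = $cfg.EnableSMB1Protocol; Advice = $advice }
}

Set-PerfcVaccine | Format-Table -AutoSize
Test-Smb1Exposure | Format-List
```

The vaccine only stops this particular sample from encrypting the host it lands on; it does nothing about the credential theft and lateral movement described above, so it is a stopgap beside patching and disabling SMBv1, not a replacement for them.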
To those affected, Twitter user and security professional Hackerfantastic has suggested a way to recover their files.
"If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine." pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic), June 27, 2017
How much money have the hackers collected?
A total of $9,070 had been transferred to the hackers across 36 transactions at the time of reporting.