Security researchers state that the new ransomware is unlike last year’s Petya ransomware, though it does behave like Petya. This is one of the reasons why it being called ‘NotPetya’, ‘Petrwrap’, ‘exPetr’ or ‘Nyetya’.
Cisco believes that this ransomware leverages EnternalBlue and WMI (Windows Management Instrumentation) for lateral movement inside an affected network, which means that it taps the same vulnerability used by WannaCryptor.
Having said that, its behavior is unlike the WannaCryptor as there is no external scanning component. However the company claims that it’s WannaCryptor’s ‘bad’ cousin and the initial vector identification has shown the ransomware to be more defiant.
According to several media reports the new cyber attack started affecting companies and institutions beginning with Russia and Ukraine on Tuesday and is now spreading to Asia and Australia. According to a TOI report, one of three terminals of Jawaharlal Nehru port, has been the victim of the latest attack.
The affected terminal is operated by AP Moller-Maersk, a Danish shipping giant, which claimed that the attack had impacted its computer systems globally. The attack has also affected Ukrainian and Russian largest oil company, banks and multinational firms.
“Detected by ESET as Win32/Diskcoder.C Trojan, this ransomware is likely to be related to the Petya family and could encrypt the whole drive itself of infected users. For spreading, it appears to be using a combination of the EternalBlue exploit used by WannaCryptor for getting inside the network, then spreading through PsExec within the network,” says Nick FitzGerald, Senior Research Fellow, ESET.
“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
FitzGerald states that paying is no longer possible as the email to send the Bitcoin wallet ID and “personal installation key” has been shut down by the provider. Thus, people shouldn’t pay for the ransom as they will not be able to receive the decryption key.
“This new outbreak is proof that businesses can no longer ignore the consequences of not securing their networks, as hackers have shown the ability to shut down critical infrastructure and cripple government networks. In order to prevent this kind of threat, we recommend that businesses ensure that their systems are fully patched, proper security solutions are used and to set up network segmentation, which might help prevent spreading within the network,” he adds.
According to Kaspersky Labs’ initial research, the attack seemed to have affected over 2,000 systems. It uses custom tools that extract credentials, which are passed for distribution inside a network. The Malware waits for 10-60 minutes after the infection to reboot the system. Once it reboots, it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note.
Kaspersky Labs Global Research and Analysis Team state that the criminals behind this attack are asking for $300 in Bitcoins to deliver the key that decrypts the ransomed data, payable to a unified Bitcoin account. Unlike Wannacry, this technique would work because the attackers are asking the victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net”, thus confirming the transactions.
The team claims that this email account has already been shut down, effectively making the full chain decryption for existing victims impossible at this time. At the time of writing, the Bitcoin wallet achieved 24 transactions totalling BTC 2.54 or $6,000 approx.
Gary Davis, Chief Consumer Security Evangelist, McAfee, in an official blog says “The cyber threat goes after Windows servers, PCs, and laptops, this cyberattack appears to be an “updated variant” of the Petya malware virus.
“It uses the SMB (Server Message Block) vulnerability that WannaCry did, however in the case of Petya it encrypts, among other files, your master boot file. These messages recommend you conduct a system reboot, after which the system is inaccessible. This basically means the operating system won’t be able to locate files.”
Apart from AP Moller-Maersk and JNPT other global companies such as Russian oil major ROSNEFT, WPP, Ukrainian Power Grid and international airport, glass manufacturer Saint Gobain, German Metro, candy manufacturer Mars and Reckitt Benckiser, among others have claimed to have hit by the cyber attack.
