NotPetya ransomware: White House joins UK in blaming Russia for NotPetya cyberattack
US government claims to be “reviewing a range of options" in response to the findings
28/06/2017: Vaccine may hinder Petya spread
Security researchers have chanced upon a workaround solution that disables the Petya ransomware that's wreaked havoc on computers around the world.
According to a blog post by IT security firm Cybereason, its principle security researcher Amit Serper discovered that creating a file named "perfc", with no extension name and placing it in the C:\windows\ folder. The file has to be read-only for the method to work.
The ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease running, according to security researchers.
Cybereason said that once the original file name was found and verified by two different sources, Serper was able to piece together a kill switch that should work for any instance of the original ransomware infection. While this does not stop the ransomware if it is already running, it will act as a vaccination, stopping it from ever trying to encrypt files.
While Petya infects PCs around the world, Kroll Ontrack believed that some data may still be salvaged from infected computers without paying a ransom.
According to Phil Bridge, managing director, Western Europe of Data & Storage Technologies at Kroll Ontrack, said that the malware does not encrypt all the files on your computer but instead attacks a part of the operating system called the Master File Table (MFT), an essential index' for the computer system to locate files on the computer.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Attacking one part of the system (the MFT) is much faster than targeting all the individual files but the result is as if each file had been locked separately," he said.
He added that there is a method to decrypt the original Petya ransomware, but one has not yet been released for the updated version. He said that "some data may still be salvaged from infected computers with the use of specialist data recovery techniques.
28/06/2017: Petya ransomware: attack hits global companies
A ransomware attack has locked down corporate computers throughout Europe and the US, a month after the NHS and other organisations were knocked offline by WannaCry.
Called Petya as well as NotPetya by some, and Goldeneye, by others has reportedly hit thousands of machines, including at advertising giant WPP, Danish transport firm AP Moller-Maersk, and Russian oil firm Rosneft, as well as at least one hospital firm in the US.
It appears to have initially infected machines via accounting software that companies use to link to the Ukrainian government, with huge swathes of that country's companies and government bodies wiped offline. While the country's Twitter feed made light of the situation, some of the shutdown was alarming including Chernobyl radiation monitoring being done by hand.
Once in, Petya then spreads via the EternalBlue vulnerability in Windows that has been patched but given the carnage, it appears not everyone has updated. That was the same exploit used by WannaCry's hackers, and was developed by the NSA but leaked in April.
"As far as the EternalBlue exploit, the worm code appears to heavily borrow from WannaCry, including taking advantage of the same EternalBlue exploit code to move around once it is inside the network," said Allan Liska, intelligence architect at Recorded Future. "In addition to the EternalBlue exploit, the new attack appears to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows."
One difference with WannaCry is it lacks an apparent "kill switch" that halted May's ransomware outbreak. "Some are comparing this to WannaCry 2.0 but this version does not have the "kill-switch" that the original WannaCry did. Thus, we should not expect any oddity like that to slow this attack," said Brian Hussey, VP of cyber threat detection and response at Trustwave.
This variant demands $300 in Bitcoin payment from users of infected machines as ransom to unlock their data. However, the German email provider, Posteo, that runs the attackers' email account, has shut it down, so victims likely won't be getting their data decrypted.
To Nicholas Weaver, security researcher at the International Computer Science Institute, that suggests there may be more to Petya. "I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," Weaver told KrebsonSecurity. "The best way to put it is that Petya's payment infrastructure is a fecal theater."
Matthew Hickley, co-founder of My HackerHouse, said if your computer does force a reboot and show the following screen, turn your PC off to halt the encryption process.