An outbreak of a particularly nasty ransomware family is making its way across the globe. And while the current outbreak has similarities with last month’s WannaCry epidemic, security researchers warn that the current campaign is much more professional, and potentially much worse for companies.
F-Secure Labs has confirmed that the ransomware being used this time around is the Petya ransomware family, and that it is behaving like a network worm, spreading through the same SMB vulnerability (using the EternalBlue exploit developed by the NSA) as WannaCry.
F-Secure Labs’ Jarkko described Petya as ransomware with an evil twist in a blog post he wrote in 2016. Rather than just encrypt files, it locks the entire disk, making it basically unusable until the infection is removed.
Any unfortunate Petya victims probably see something like this:
The infection vector for this campaign is still unknown, but the end result is basically the same.
Most crypto-ransomware families target and encrypt files on the victim’s hard drives. This means victims can’t access those files, but they can still use the operating system. Petya takes it to the next level by encrypting portions of the hard drive itself that make it so you are unable to access anything on the drive, including Windows.
Technically speaking, here’s what happens:
- Malicious file is executed
- A scheduled job is created to restart the infected machine after 1 hour (looks like this to users)
- While waiting for restart, Petya searches for machines in the network to propagate to.
- After collecting the IP addresses to infect, Petya exploits SMB vulnerability and drops a copy of itself to the target machine.
- After reboot, the encryption begins during boot up, then ransom message is displayed.
The outbreak has hit organizations all over the world, including France, India, Spain, the UK, the US, Russia, and more. And just like WannaCry, it’s completely seizing systems people rely on, such as this ATM in the Ukraine.
— Mikko Hypponen (@mikko) June 27, 2017
But while a clever security researcher was able to capitalize on a careless mistake made by the attackers behind WannaCry, F-Secure Security Advisor Sean Sullivan doesn’t see that happening again.
“WannaCry’s attackers failed because they couldn’t handle the amount of victims they created. But this Petya campaign, which is basically still in its first round, comes across as more professional and ready to cash in,” says Sean. “Amateur hour is definitely over when it comes to launching global ransomware attacks.”
Ransoms are about 300 USD worth of bitcoin. Nearly 30 people have paid the attackers to get their devices unlocked (no confirmation on whether it worked). Apparently the attackers have had their email address blocked by the provider, but Sean says there are a number of reasons why the email provider might reverse that decision.
So organizations need to be careful over the coming days to avoid Petya infections. Because of the similarities with WannaCry, much of the same security advice applies: update Windows, configure your firewall to block incoming traffic over port 445 if possible, and use endpoint protection. F-Secure products have a variety of protective measures built in to help protect customers from Petya and other types of ransomware.
We’ll be posting updates as the situation unfolds here and on F-Secure’s Business Security Insider. You can also follow tweets from F-Secure Chief Research Officer Mikko Hyppönen in real time here.
Note: Researchers have confirmed that there are additional infection vectors since this was published. More information on other infection vectors can be found here.