Petya Ransomware Overview
On June 27, 2017, a cyber attack using ransomware called Petya hit first in Russia and Ukraine. Within two days, more than 100 countries, including the UK, India, the Netherlands, Spain and Denmark, were affected. Petya first came to public attention in early 2016. At that time it spread only via email, disguised as a job application letter. The 2017 Petya borrows part of its code from that earlier version, so to distinguish the 2017 variant from the 2016 one, some experts also call it ExPetr, NotPetya, Petna, SortaPetya or Petya.A.
Why did it spread so fast this time? Petya exploits the same SMB vulnerability that the WannaCry ransomware used in May 2017. Only a month later, the attackers reused that hole, with far worse impact than WannaCry. Many users hardened their computers after WannaCry, which is good, yet others trusted to luck and took no action. This time, they should be careful. Petya resembles WannaCry (also known as WannaDecryptor), but there are more differences than similarities. Let's discuss them one by one.
Differences between Petya and WannaCry Ransomware
As we know, WannaCry gets onto a computer via the SMB file-sharing service on TCP port 445 (and the older NetBIOS ports such as 138 and 139), and so does Petya (learn how to block TCP port 445 in Windows). Both encrypt files. That is about all Petya has in common with WannaCry; the differences may frustrate you.
Petya vs WannaCry: Different Attack Manners
It is true that both encrypt files, but Petya encrypts more than files. Petya's attack flow starts with the dropped payload, which encrypts files on the NTFS volume, overwrites the Master Boot Record (MBR) of the system disk with its own boot code, and creates a scheduled task to reboot the machine. Meanwhile the virus keeps attacking other computers on the LAN through the vulnerability. When the scheduled time comes, the computer reboots and Petya's boot code takes over before Windows loads. It pretends to run a disk check, and behind that fake scan it encrypts the Master File Table (MFT) of the NTFS partition, so even files it did not encrypt individually become unreachable. Below is the fake disk-check screen.
Finally, you get the ransom note dialog. Following is Petya's attack flow in chart form.
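Because Petya rewrites sector 0 and then waits for a scheduled reboot, a defender has a window in which the on-disk MBR can be checked against a known-good baseline. The Python script below is an added example, not code from the original article or from any vendor: it parses a 512-byte MBR (bootstrap code, four partition entries, 0x55AA signature), hashes the bootstrap area, and reports when the bootstrap has changed, the signature is gone, or no NTFS partition entry remains. The sample sectors are constructed inside the script; `read_physical_mbr` is an assumed helper for reading a real disk (Administrator on Windows, root on Linux) and its device path is only an example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # MBR signature at bytes 510..511
PART_TABLE_OFF = 446            # four 16-byte partition entries start here
NTFS_TYPE = 0x07                # partition type byte for NTFS


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into signature flag, bootstrap hash and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        # Only the bootstrap code is hashed; the partition table may legitimately change.
        "bootstrap_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code changed since baseline")
    if not any(p["type"] == NTFS_TYPE for p in info["partitions"]):
        findings.append("no NTFS partition entry found")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes plus one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, NTFS_TYPE, 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed bootstrap bytes for the demo; this is not a real bootloader.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]     # record this while the host is healthy
# Simulated overwrite: bootstrap replaced, partition table and signature kept intact.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00" + b"\x00" * 444)


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Assumed helper: read sector 0 of a raw device (needs admin/root; path is an example)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean sample:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered sample:", check_mbr(TAMPERED_MBR, BASELINE))
```

A changed bootstrap hash is only a signal: legitimate bootloader or OS upgrades also change it, so re-baseline after such changes and treat an unexplained change on a host with a pending reboot task as urgent.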
WannaCry and Petya: Faster Spread Speed
WannaCry used only EternalBlue, one of the exploits leaked from the National Security Agency (NSA); Petya uses more. EternalRomance also became an accomplice in this global cyber attack. WannaCry spreads to computers via the file-sharing port 445 on the LAN, and Petya does this too. In addition, Petya steals credentials from the infected host and uses them against the administrative shares of other machines. Because users frequently log in with accounts that have local administrator privileges and keep active sessions open across multiple machines, stolen credentials are likely to give the same level of access on those other machines. That is to say, patching the SMB hole or blocking TCP port 445 and other ports on the LAN alone does not stop it; with valid credentials it can still reach other machines. The spread rate of Petya has been reported at over 5,000 computers per 10 minutes.
Organizations in many countries, including Rosneft, Boryspil International Airport, Oschadbank, A.P. Moller-Maersk and WPP, as well as ATMs, have been hit so far.
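Since both worms enter over TCP 445, the first thing to know about your own LAN is which hosts still accept SMB connections. The scanner below is an added example, not from the original article: it performs a plain TCP connect per host with a short timeout, in parallel, and returns the hosts that answered. A local listener helper is included so the script can be exercised against 127.0.0.1 without a network; the subnet in the main block is a placeholder to replace with your own.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect() to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or name resolution failure
        return False


def scan_hosts(hosts, port: int = SMB_PORT, timeout: float = 0.5, workers: int = 64):
    """Return the sorted list of hosts that accept a TCP connection on port."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: tcp_port_open(h, port, timeout), hosts))
    return sorted(h for h, is_open in zip(hosts, flags) if is_open)


def hosts_in(cidr: str):
    """Expand a CIDR such as 192.168.1.0/24 into its usable host addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def local_listener():
    """Helper for offline testing: a listening socket on 127.0.0.1 with an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder subnet: replace with the range you are responsible for.
    exposed = scan_hosts(hosts_in("192.168.1.0/24"))
    print(f"{len(exposed)} host(s) still reachable on TCP {SMB_PORT}: {exposed}")
```

An open port 445 tells you only that SMB is reachable, not whether MS17-010 is installed, and a host that blocks 445 can still be reached with stolen credentials over other management channels, as described above. Use the scan to shrink the exploit surface, then patch and limit local-admin credential reuse for the rest.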
Less Targeted File Extensions
The earlier WannaCry attack encrypted almost every commonly used file extension, 178 in total. Petya, by contrast, targets only 65 extensions, though these still include the common ones. The full list follows.
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .g .h .hdd .kdbx .mail .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
It is unclear whether the shorter list reflects a lack of skill or a deliberate narrowing of scope. If your files are not in the list, don't celebrate too early: a Petya variant with a longer list could appear at any time, just as WannaCry variants did.
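A practical use of the list above is to measure what Petya would reach on a given machine, so that those files get backed up first. The Python script below is an added example, not from the original article: it walks a directory tree, matches each file's extension against the 65 entries (case-insensitively, which is an assumption about how the malware matches on NTFS), and totals count and size per extension. The sample tree is constructed in a temporary directory so the script runs offline.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# The 65 extensions listed in the article for Petya, lower-cased.
PETYA_EXTENSIONS = frozenset("""
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk
.djvu .doc .docx .dwg .eml .fdb .gz .g .h .hdd .kdbx .mail .msg .nrg .ora .ost .ova .ovf
.pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi
.vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
""".split())


def is_targeted(path: str) -> bool:
    """Extension match against the list; case-insensitive (assumed, since NTFS ignores case)."""
    return os.path.splitext(path)[1].lower() in PETYA_EXTENSIONS


def inventory(root: str) -> dict:
    """Walk root and summarize files Petya would target: count, total bytes, count per extension."""
    by_ext = defaultdict(int)
    files = 0
    total_bytes = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not is_targeted(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:  # vanished or unreadable; skip rather than abort the walk
                continue
            files += 1
            total_bytes += size
            by_ext[os.path.splitext(name)[1].lower()] += 1
    return {"files": files, "bytes": total_bytes, "by_ext": dict(by_ext)}


def build_sample_tree() -> str:
    """Constructed sample directory: four targeted files and two that Petya ignores."""
    root = tempfile.mkdtemp(prefix="petya_inventory_")
    samples = {"report.DOCX": 2048, "budget.xlsx": 512, "notes.txt": 100,
               "vm/disk.vmdk": 4096, "src/main.c": 300, "photo.jpg": 900}
    for rel, size in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"\0" * size)
    return root


def remove_sample_tree(root: str) -> None:
    """Delete the constructed sample directory."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print(inventory(root))  # 4 files, 6956 bytes across .docx .xlsx .vmdk .c
    finally:
        remove_sample_tree(root)
```

Run `inventory` against a user profile or a file server share to see how much would be lost; note that the MFT encryption described above makes the whole volume unreadable regardless of extension, so this list matters most for files on shares and removable media that survive the reboot.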
Tips to Survive Petya Ransomware
Cyber security experts offer the following primary suggestions:
1. Never pay the ransom! Petya demands $300 worth of Bitcoin and provides an email address for contacting the attackers after payment. Do not fall into the trap. People who launch attacks and blackmail others are not going to honour a promise to decrypt your computer, and the money you pay may well fund the next round of attacks. According to the latest news, the email provider has shut down the ransom address, so even if you paid, the attackers would not know.
2. Every company that hosts Windows servers in a data center should install the Microsoft security update MS17-010 immediately. The patch is just as simple for personal Windows users; one can learn from the tutorial how to install (and, if needed, uninstall) it on a PC.
3. Large and medium-sized enterprises or organizations facing hundreds or thousands of computers are best served by a client for centralized management.
4. Back up important data using reliable backup software such as AOMEI Backupper Free to minimize data loss. The backup process may be tedious, but you surely don't want to lose crucial files, do you? AOMEI Backupper Free played an important role in protecting computers from WannaCry, and it will continue to do so this time. Develop the habit of backing up important files on a regular basis. Trust me, it will save you more than you can imagine.
5. Do not click suspicious links or attachments in emails or on websites. Install anti-virus software as well.
Final Words
Within two months, global ransomware attacks happened twice in 2017: WannaCry and Petya. The trend is not encouraging. On the one hand, we hate these hackers who make us lose crucial and valuable data. On the other hand, we should safeguard ourselves and give them no opportunity to take advantage of us. Petya, like many current affairs, keeps changing, and the differences between Petya and WannaCry ransomware may vary over time. We will keep a close eye on it and report persistently.