Total paralysis in large multinationals: the food company Mondelez (parent company of companies such as Cadbury and Nabisco and owner of brands like Oreo, Chips Ahoy, TUC), Nivea companies, US laboratory Merck, Russian oil company Rosneft, Moller- Maersk, and law firm DLA Piper , one of the world’s largest law firms, have suffered an ransomware attack similar to that of Wannacry just a month ago. And they are not the only ones.
Kaspersky Lab analysts have discovered PetrWrap , a new malware family that exploits Petya’s original ransomware module, distributed through a Ransomware-as-a-Service platform , to perform targeted attacks against specific organizations. The creators of PetrWrap created a special module that modifies the original Petya ransomware “on the fly”, leaving its authors defenseless against the unauthorized use of their malware. This fact is indicative of the increasing competitiveness that exists in the black market of ransomware.
In May 2016, Kaspersky Lab discovered the Petya ransomware which not only encrypts data stored on a computer, but also overwrites the master boot record (MBR) of the hard drive, Making it impossible for infected computers to boot the operating system.
In this case, the system encryption does not occur immediately, but expects a random interval between ten and sixty minutes for system reboot, programmed using schtasks and shutdown.exe.
After the restart, the MFT table is encrypted on the NTFS partitions, thus overwriting the MBR with a loader where the ransomware note is included.
As assumed by several users , PetrWrap is using the same WannaCry propagation medium , the exploitation of EternalBlue and EternalRomance on Windows and port 445 open but the latest reports confirm that the propagation is by email .
“Petya uses the same exploit Eternalblue and spreads on internal networks with Mimikatz WMIC and PsExec , so patched systems can be equally affected , ” said Mikko Hypponen, research director at F-Secure. The fundamental difference with WannaCry is that this malware only spreads on the local network, not through the Internet.
Petya also encrypts many fewer file types than its predecessor. This new ransomware uses the SMB exploit only in part of the infection, making use of MimiKatz to extract credentials from the lsass.exe process , and WMIC or PSExec for lateral movement, thereby rendering the MS-17 security patch innocuous -010. That is, even if a computer is completely patched it could be infected via propagation. Petya has also caused serious disruption in other large companies, including advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.
The attack was first reported in Ukraine, where the government, banks, State electric power, Kiev airport and subway system were affected. Chernobyl’s radiation monitoring system was put off-line, forcing employees to use manual counters to measure levels in the exclusion zone of the old nuclear plant. Those responsible for the attack ask the user to pay a ransom of $ 300 and send the payment receipt to an e-mail address with a pre-set password. For now, cybercriminals have received 12 32 45 transactions , the first of them at 12: 48hs today (Europe time).
Here you will find all the technical information corresponding to the binaries detected so far. At this time there are two versions of Petya active, the last April version can be recovered following this procedure . For the current version (27/06) you can try the same method but, unfortunately, there is still no safe way to recover. Update: Computer security expert Matt Suiche of security firm Comae Technologies has released the results of his in-depth analysis of the Petya code, which reveals that this latest version is not actually a ransomware but a ” Wiper ” , a malicious program dedicated to erase files and complete hard disks. This means that the victims of the attack never had a chance to recover their files because they were not kidnapped, but they had completely disappeared.