As expected, the ransomware problem is not going away any time soon. After the outbreak of WannaCry, a new ransomware is now causing havoc in the business world. Dubbed “Petya”, this new ransomware is spreading at an alarming speed.
Unlike WannaCry, whose objective was to extort money, the Petya ransomware appears to have a different objective: to destroy important data permanently.
The malware exploits the same Windows vulnerability, EternalBlue, that was used by WannaCry. It seems many companies had put off patching, which led to a massive outbreak of this malware. Microsoft has already released a security patch, and companies that have not yet applied it to their Windows systems should do so immediately.
What is EternalBlue?
EternalBlue is an exploit developed by America’s National Security Agency that was leaked by the Shadow hackers group in April 2017. EternalBlue takes advantage of a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol. The vulnerability lies in Windows systems accepting a specially crafted packet from a remote attacker, which allows the attacker to run arbitrary code on the affected system.
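As a defender’s companion to the description above, the following PowerShell audit is an added example and not part of the article: it reports whether a Windows 8.1 / Server 2012 R2 or later host still has SMBv1 (the protocol EternalBlue abuses) enabled, and provides a remediation step. The cmdlets are standard Windows ones; the function names `Get-Smb1Exposure` and `Disable-Smb1` are chosen here, and the Microsoft bulletin that patches the flaw is MS17-010.

```powershell
# Added example (not from the article): audit a Windows host for SMBv1 exposure,
# the protocol EternalBlue targets, and optionally turn SMBv1 off.
# Run from an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server side: is the SMBv1 server protocol switched on?
    $server = Get-SmbServerConfiguration |
        Select-Object -ExpandProperty EnableSMB1Protocol

    # Is the SMB1Protocol optional feature (client and server binaries) installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue

    # Are any clients currently talking to this host over an SMB 1.x dialect?
    # Knowing this before disabling SMBv1 avoids breaking legacy devices silently.
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = [bool]$server
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'Unknown' }
        ActiveSmb1Sessions = @($smb1Sessions).Count
        Exposed            = [bool]$server -or ($feature -and $feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    # Remediation: disable the SMBv1 server and remove the optional feature.
    # A reboot is required before the feature removal takes full effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Usage: report the current state, and warn if the host is still exposed.
$status = Get-Smb1Exposure
$status | Format-List
if ($status.Exposed) {
    Write-Warning ("SMBv1 is still enabled on {0}; install MS17-010 and run Disable-Smb1." -f $status.ComputerName)
}
```

Disabling SMBv1 is the durable fix only once the MS17-010 update is also installed; older hosts (Windows 7 / Server 2008 R2) lack these cmdlets and must be checked through the LanmanServer registry settings instead.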
Multi-national corporations badly hit by Petya ransomware
Ukraine was the hardest hit by the new ransomware; the government, large power companies and some banks announced that their services had been affected.
The Danish transport company Maersk has also been hit by Petya, and a company spokesperson confirmed that many business units and Maersk IT systems were down as a result of the attack. The Russian energy company Rosneft tweeted that it was facing a powerful hacker attack, but it has not confirmed whether it suffered any damage.
Petya ransomware is not new; it first appeared in early 2016. However, closer analysis by experts revealed that the new Petya is a never-before-seen ransomware package that emulates some of the earlier Petya’s behaviours. The new ransomware is thoroughly engineered, and its code is so aggressive that it is almost impossible to recover data from an infected system.
Experts also believe the new Petya outbreak was not a ransomware outbreak at all, but an attack intended to wipe the maximum number of hard drives on the infected networks. The new ransomware was purposely released to capitalise on the media interest in the WannaCry attack.
A report published on Kaspersky’s security blog described the new ransomware as a “wiper”, since its code had no means of unlocking the encrypted data. Security analysts explain that to decrypt the data on an infected system (after a ransom is paid), the attacker needs the “personal infection ID” that is normally displayed in the ransom note. In the 2016 version of Petya, security analysts found that this personal infection ID contained important information about the infected system, which made data recovery possible.
However, the 2017 version of Petya uses pseudo-random data that is not related to any corresponding key when encrypting the hard drive, so the displayed ID is of no use for recovery. This clearly indicates the motive behind the ransomware and shows that the data cannot be recovered even after the ransom is paid.
Security experts have further warned that ransomware is likely to become increasingly common as the technology advances. It is in the best interests of business organisations and individuals to install security patches promptly to fix vulnerabilities in their systems and networks.