The malware attack that began spreading yesterday from Ukraine and Russia and has crippled the networks of some international businesses displays some significant differences from last month's global outbreak of the WannaCry ransomware.
Like WannaCry, the origins of "Petya" -- also called NotPetya, Nyetya, and PetrWrap -- lie in a Microsoft vulnerability that was exploited for years by the National Security Agency before being stolen and then revealed by the Shadow Brokers hacking group in April. However, Petya does not appear to have the kind of built-in kill switch that helped halt the spread of WannaCry, and it propagates through networks differently from WannaCry.
Security researchers following Petya said that the malware, while damaging, isn't effective ransomware. Unlike WannaCry, Petya doesn't create custom Bitcoin payment addresses for individual victims, and it also tells victims to communicate with the perpetrators via email, which is traceable, rather than through the anonymous Tor network.
What's more, the email address used by the Petya hackers was blocked yesterday by the Berlin-based email provider Posteo, preventing the hackers from sending messages via that account and also disabling incoming messages.
Apparently Designed for Mayhem
Since appearing in Ukraine yesterday, Petya has infected tens of thousands of machines across at least 65 countries, according to a post on Microsoft's TechNet Malware Protection Center blog. Numerous organizations in Ukraine, including the main airport, government agencies, and the national bank, were affected. Also affected were the Danish shipping giant Maersk, the Russian energy firm Rosneft, and the international marketing firm WPP.
With no effective means of communicating with the hackers to verify ransom payments, victims had no obvious path to recovery that could unlock files encrypted by the malware.
University of California-Berkeley computer researcher Nicholas Weaver told IT security writer Brian Krebs yesterday that Petya appeared to be aimed more at causing mayhem rather than generating profits for the hackers responsible.
Writing on his blog, Krebs reported that Weaver said, "I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware. The best way to put it is that Petya's payment infrastructure is a fecal theater."
Anyone hit by Petya should not make the payment that hackers are requesting, as "there is currently little chance files can be recovered by paying the ransom," MalwareTech, the British security researcher who helped put a stop to last month's WannaCry attack by activating that ransomware's built-in kill switch, noted on his blog yesterday.
Instead, because Petya encrypts files only after an infected machine begins rebooting, victims should shut down their systems before that happens, he said. It might then be possible for data to be recovered later.
Workaround Offers Temporary 'Vaccination'
The information security firm Cybereason said yesterday that Amit Serper, its principal security researcher, had discovered a workaround solution to disable Petya on infected systems. Cybereason said activating the "vaccination" mechanism required users to "locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files."
Yesterday, Serper said on Twitter, "Yes, this is probably temporary, yes, it's a 'fix' and not a killswitch and it is the first Windows malware that I've ever done RE on."
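The following PowerShell script is an added example, not Cybereason's tooling or anything from the article, showing how an administrator would apply and audit the "vaccination" described above: it creates the extensionless file named perfc in the Windows folder and marks it read-only so it is not casually deleted. It assumes only what the text states (the file name perfc in C:\Windows, located here via the SystemRoot variable); the -Audit switch and the two function names are this example's own.

```powershell
# Added example: create or audit the C:\Windows\perfc "vaccine" file described
# in the text. Run from an elevated PowerShell session; writing to the Windows
# folder requires administrator rights. The -Audit switch only reports status.
[CmdletBinding()]
param(
    [string]$WindowsDir = $env:SystemRoot,   # normally C:\Windows
    [switch]$Audit                           # report only, never create
)

# File name exactly as quoted in the text: "perfc", no extension.
$vaccinePath = Join-Path -Path $WindowsDir -ChildPath 'perfc'

function Get-VaccineStatus {
    param([string]$Path)
    # Returns an object an admin or inventory script can act on.
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $item = Get-Item -LiteralPath $Path
        return [PSCustomObject]@{ Path = $Path; Present = $true; ReadOnly = $item.IsReadOnly }
    }
    return [PSCustomObject]@{ Path = $Path; Present = $false; ReadOnly = $false }
}

function New-VaccineFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # A zero-byte file is enough: the workaround keys on the name only.
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    # Read-only attribute so an ordinary overwrite or delete fails.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    return Get-VaccineStatus -Path $Path
}

$status = Get-VaccineStatus -Path $vaccinePath

if ($Audit) {
    $status | Format-List
    return
}

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Creating $vaccinePath requires an elevated session. Re-run as administrator."
    return
}

if ($status.Present -and $status.ReadOnly) {
    Write-Host "Vaccine file already present and read-only: $vaccinePath"
} else {
    $result = New-VaccineFile -Path $vaccinePath
    Write-Host "Vaccine file applied: $($result.Path) (ReadOnly=$($result.ReadOnly))"
}
```

Run it with -Audit from a non-elevated session to check a machine, or without the switch from an elevated session to apply the workaround; as the text notes, this is a temporary fix rather than a kill switch, and keeping Windows patched remains the primary defense.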
Security experts regularly note that the best protection against such malware attacks is for users to ensure that their operating systems are up to date. The WannaCry attacks, for example, largely affected systems running older versions of Windows that were no longer supported with updates from Microsoft.
Meanwhile, the hacking team that released the stolen exploit that made WannaCry and Petya possible today posted an online update about its new "Dump of the Month" service, which seeks paid subscribers to monthly releases of new exploits for Web browsers, banks and payment service providers, newer operating systems including Windows 10 and even weapons programs.
"Another global cyber attack is fitting end for first month of theshadowbrokers dump service," the hacking group noted, as it announced the launch of a "VIP" service for individualized or targeted hacks.