UPDATE: For the latest on Petya, check this F-Secure Labs post.
Are we still calling this outbreak Petya?
Microsoft Defender detected it as “Petya.A”.
“We have verified that the Petya MBR code from a variant last December is very similar to the MBR code of this new variant,” says Karmina Aquino, Service Lead at F-Secure Labs. “There are only some minor differences.”
Is Petya ransomware?
Petya is ransomware.
But doesn’t Petya do other stuff besides encrypting files to hold them hostage?
Petya also steals passwords because it needs to. Network worms steal passwords so this also steals passwords.
Microsoft reports that Petya is “supply chain attack” that exploited the known EternalBlue and EternalRomance vulnerabilities discovered by the National Security Agency and then released by the Shadowbrokers hacking group earlier this year. This means there was third-party software on the computer that abused the MEDoc software updater process. MEDoc servers could have been compromised or victimized by a “man-in-the-middle” attack.
But it’s way too early to know for sure or even to make informed speculation.
“The known unknowns are too big right now,” Sean Sullivan, F-Secure Security Advisor.
Can Petya infect everyone including home users or just networks?
“In our analysis today, we have seen Petya encrypt files even if it’s not connected to a network,” says Karmina. “However, based on one of the infection vectors that we’ve seen, as well as the type of victims, it appears that the target are businesses, which has usually been Petya’s main interest in previous variants.”
Is a nation-state behind Petya?
“I wouldn’t bet on it at the moment,” says Sean.
Karmina adds, “We’ve checked the code, and so far haven’t found any evidence of this malware trying to be anything other than a ransomware.”
Do we still think “pros” are behind Petya?
Some people speculating because it uses email that got shut down by the provider it might be a nation-state or bunch of amateurs. This ignores how ransomware works.
“Criminals want to get paid,” Sean says. “They can’t use telepathy or carrier pigeons.”
As Sean explained on Twitter, there are only two ways for criminals to get paid from the “customer”—email or a web portal. Petya uses email, like the majority of crypto-ransomware threats.
When we investigated ransomware providers, we did nearly all our negotiating through email. Only one of the two ransomware families with a portal responded. All three criminal groups using email returned emails and were often more professional than many software companies.
Is there a kill-switch in Petya?
No, a kill switch is a centralized solution.
There wasn’t even a “kill switch” per se in WannaCry. There was anti-emulation function that checked for what should have been a non-existent domain. Often Malware has a “bullshit checker” that stops the malware being analyzed by virtual machines. A researcher found that bullshit domain that signaled that the threat was being run on a virtual machine and registered it. The checker then refused to let WannaCry run.
We’ve seen nothing like this in Petya.
Is there a vaccine/inoculation for Petya?
It’s very common for malware to avoid double infection so the malware doesn’t go into an infinite loop and reveal itself. There are lots of tools out there for common ransomware that exploit malware’s built-in tools that prevent it from analyzed. And there are lot of malware that won’t infect you if you’re using a Cyrillic keyboard or a Russian IP address.
As a vaccine or inoculation you can sprinkle markers that suggest you’re a virtual machine or in Russia. But if these tricks become common, the threats adapt around them.
For Petya, there is an inoculation or vaccine, but it’s probably not worth your time.
“If you have the time to deploy a vaccine, you have better things to do than to protect against one ransomware,” Sean says. “Run Microsoft Updates, remove any software you aren’t using, get a password manager, update your passwords… There things you can do to protect you against multiple types of malware. Get the basics right.”
Here are some more things your company can do to beat Petya.
Is the email that provides decrypting key down?
Yes, F-Secure Labs checked and the email bounces back.
The site of the hosting company Posteo says it is “in contact with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).”
Can companies pay the ransomware?
Not currently. This effectively cuts victims off but not permanently.
Just because this cut off doesn’t mean there isn’t another way for these crooks get paid, as they still have backdoor access to the ransomware.
“These guys might set up a portal,” Sean says. “They could sell the decryption key to other criminals.”
Or they may do nothing and move on.
“If that sounds heartless or like a waste of resources, you don’t know cyber criminals,” Sean said. “Next Tuesday, when the next batch of spam goes out, they’ll be on to something else that could make them a ton of money.
Will powering off when you see the CHKDISK screen save your files?
Is there a decrypter tool that some security white hat has created?
We’re currently investigating this.
Does F-Secure protect me against Petya?
Yes, F-Secure endpoint products prevent all examples of Petya.
This is a guest post by F-Secure trainee Mari Mäkinen. The cyber security market is…
July 19, 2017
On a recent trip to the Finnish Archipelago, F-Secure security advisor Sean Sullivan scanned the…
July 13, 2017