
Petya, NotPetya – Call It Whatever, It’s Still Ransomware!

On Tuesday, June 27th, just over a month after the WannaCry ransomware campaign, multiple reports of a worldwide outbreak of a new ransomware campaign appeared within a few hours. Some call it a new variant of “Petya”; others call it “NotPetya”.

The new Petya ransomware variant's infections broke out in Ukraine and spread from there to other countries. The proliferation of this ransomware is believed to have begun with a malicious email containing the ransomware embedded in a password-protected Word file.

Understanding How Petya Ransomware Works

Petya ransomware is a sophisticated malware strain that renders affected Windows computers unusable by encrypting their master boot records (MBR). This method prevents the operating system from booting, effectively locking users out of their systems. Here’s how Petya operates in detail:

Initial Infection and Communication

  • Execution of the malicious file: The attack begins when a victim opens a malicious file attachment, initiating the infection process.
  • Connection to command-and-control (C&C): Once infected, the compromised machine communicates with a known malicious IP address (182.165.29.78). This connection establishes a communication channel between the ransomware and its operators.

Fake Hard Disk Scan

  • A fake CHKDSK (Check Disk) message appears on the screen, indicating that a scan of the hard drive is in progress.
  • During this staged scan, the ransomware begins distributing itself within the network, leveraging SMBv1 and additional services reachable on ports 139, 445, and 135 to spread to other systems.
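The two observable behaviours described above (the outbound C&C connection and the SMB/RPC fan-out across the network) can both be picked up from ordinary connection logs. The following is an added example written for this page; it is not code from the post or from Cymulate. The C&C address and the port list are taken from the text; the log format, the sample lines, and the fan-out threshold and time window are constructed assumptions and would be tuned to the environment, since ports 139, 445 and 135 also carry legitimate traffic.

```python
"""Detection over constructed connection-log lines (added example, not from the post).

Two indicators taken from the write-up above:
  1. an outbound connection to the C&C address the post names (182.165.29.78)
  2. lateral fan-out: one internal host opening connections to many other
     internal hosts on the SMB / RPC ports the post lists (139, 445, 135)
     inside a short time window.
The log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

C2_ADDRESSES = {"182.165.29.78"}          # address from the post
LATERAL_PORTS = {139, 445, 135}           # ports from the post
FANOUT_THRESHOLD = 5                      # assumption: tune per environment
FANOUT_WINDOW = timedelta(minutes=2)      # assumption: tune per environment

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.15 93.184.216.34 443
2017-06-27T10:00:05 10.0.0.15 182.165.29.78 80
2017-06-27T10:00:20 10.0.0.15 10.0.0.2 445
2017-06-27T10:00:21 10.0.0.15 10.0.0.3 445
2017-06-27T10:00:22 10.0.0.15 10.0.0.4 139
2017-06-27T10:00:23 10.0.0.15 10.0.0.5 135
2017-06-27T10:00:24 10.0.0.15 10.0.0.6 445
2017-06-27T10:00:25 10.0.0.15 10.0.0.7 445
2017-06-27T10:05:00 10.0.0.40 10.0.0.2 445
2017-06-27T10:05:01 10.0.0.40 10.0.0.3 445
"""


def parse_line(line):
    """Split one flow record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def is_internal(ip):
    """True for RFC 1918 / private addresses, i.e. hosts inside the network."""
    return ipaddress.ip_address(ip).is_private


def find_c2_contacts(log_text):
    """Return (timestamp, src) for every connection to a listed C&C address."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, _port = parse_line(line)
        if dst in C2_ADDRESSES:
            hits.append((ts, src))
    return hits


def find_lateral_fanout(log_text, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: max_distinct_targets} for internal sources that reach at least
    `threshold` distinct internal hosts on the lateral-movement ports within one
    sliding window of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if port in LATERAL_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            events[src].append((ts, dst))

    alerts = {}
    for src, recs in events.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            # advance the window start until all records fit inside `window`
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in recs[lo:hi + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(len(targets), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for ts, src in find_c2_contacts(SAMPLE_LOG):
        print(f"[C2] {ts.isoformat()} {src} contacted a listed C&C address")
    for src, n in find_lateral_fanout(SAMPLE_LOG).items():
        print(f"[LATERAL] {src} reached {n} distinct internal hosts on SMB/RPC ports")
```

On the constructed sample, 10.0.0.15 is reported twice: once for the C&C contact and once for reaching six distinct internal hosts on ports 445/139/135 within a few seconds, while 10.0.0.40 (two targets) stays below the threshold. The C&C match is exact and only as good as the address list; the fan-out check is what catches the spreading behaviour even when the C&C address changes, so it is the more durable of the two.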

Encryption of Files and Folders

  • The ransomware scans the infected system for files and folders, targeting important and useful data.
  • Once identified, these files are encrypted, leaving them inaccessible to the user.

Ransom Demand

  • After encryption is complete, Petya displays a ransom note on the victim’s screen.
  • The note demands a payment of hundreds of dollars in exchange for a decryption key.
  • Victims are given a strict deadline to pay the ransom; failure to do so results in the ransom amount increasing.

Cymulate’s Take: Why Continuous Security Validation Matters

Organizations that tested their security and identified vulnerabilities through Cymulate were presented with mitigation procedures for other ransomware, which also mitigated the vulnerability that this new threat used. Many organizations would have avoided the attack if they had used Cymulate, hence the importance of continuous testing, identification of vulnerabilities, and mitigation.
To test yourself today, visit our website, register, and try our Immediate Threat sample of the NotPetya ransomware for free.

Update November 2021 – Preparedness against ransomware is improving