There’s no kill switch this time.
Security researchers said the new “Petya” cyberattack sweeping around the world might be worse than the WannaCry attack in May, and it might be harder to stop.
Ukraine first reported a cyberattack hitting its national bank, airport, and government departments, before a Russian oil company, ad giant WPP, and Dutch logistics firm Maersk all started reporting problems.
Microsoft said in a security update that the attack has hit 64 countries so far, including Russia, Brazil, and the US.
The attack targets Windows PCs and takes the form of ransomware, encrypting users’ files and demanding payment in exchange for decryption. In this instance, hackers are asking for $US300 worth of Bitcoin.
But unlike WannaCry, last month’s ransomware attack which crippled the NHS in the UK, Petya isn’t an efficient money-making exercise. For one thing, the German email firm operating the hackers’ email address has shut the address down.
Security researcher Kevin Beaumont pointed out another difference. The hackers behind the Petya outbreak “had a development budget.” And he said it would probably be worse than WannaCry.
Some people are blaming Ukrainian software called MeDoc for the outbreak
Several security firms and researchers said one reason the attack spread so quickly was due to a popular accounting program in Ukraine called MeDoc. This would explain why the first victims were in Ukraine and Russia.
The company denied any accidental involvement with the attack on its Facebook page, but Microsoft, security firm Talos, and Ukraine’s own national cyber security department pinned the blame on the software.
Microsoft wrote: “Although this vector was speculated at length by news media and security researchers — including Ukraine’s own Cyber Police — there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MeDoc updater process.”
MalwareTech, the British security researcher who halted the spread of WannaCry, added that it was likely MeDoc was hacked, then its software used to spread the malware to any PC using its accounting service.
He added that unlike WannaCry, there was no “kill switch” — a catch-all solution that would stop the malware.
He wrote: “Although some companies have claimed to have found a kill switch, this is nothing more than PR as the so called “kill switch” is only activated by modifying files on your own system (which can be done to stop most malware) and is not doable remotely like the WannaCry was.
He added: “Furthermore … it’s unlikely the Petya ransomware is still spreading and the damage has already been done, thus a kill-switch would be futile.”
What is Petya?
Researchers are still analysing samples of malicious code and arguing about its origins. There’s some consensus though on what the malware is:
- The malware is more sophisticated than WannaCry.
- It uses a software exploit reportedly developed by the National Security Agency, called EternalBlue. This takes advantage of a Windows vulnerability to spread between machines.
- It uses a similar Windows flaw to EternalBlue called EternalRomance.
- It uses a hacking tool known as Mimikatz to extract passwords from other computers on the same network, then infect machines not vulnerable to the ExternalBlue or EternalRomance flaws.
- It also spread using MeDoc.
- Unlike WannaCry, the software is designed to spread across PCs in a contained network, not the whole internet.
- But the combined infection methods might explain how the malware spread so quickly.
Researchers initially assumed this malware outbreak was a strain of the Petya ransomware which emerged last year. But some of them now disagree, saying there are more code differences than similarities and dubbing the malware “NotPetya.”
Here’s one thing they can agree on, though: Don’t pay the ransom if your files are encrypted.
I am on a train analysing Petya. I think this will be bigger than WannaCry. It’s much better designed. Has automated lateral movement.
— Kevin Beaumont (@GossiTheDog) June 27, 2017