Hot on the heels of WannaCry is a variant Petya Ransomware and it’s spreading across the world. The ransomware first attacked in Ukraine, and reports are now coming in from other countries. The Petya/GoldenEye malware encrypts both the drive and files then demands a $300 ransom in Bitcoin.
Cyber security companies have identified the ransomware as using the NSA’s EternalBlue hack. Symantec identified the malware as Ransom.Petya. Bitdefender identified the ransomware as Trojan.Ransom.GoldenEye.B. These are vulnerabilities that are already known.
“Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network-based threat (MS17-010),”
security researcher using Twitter handle HackerFantastic tweeted.
EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits. Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency. However, people who have updated their computers could still be affected, Anomali, a threat intelligence company said.
A scan on VirusTotal shows that only 29 security suites out of 61 can detect the malware. Notably, Windows Defender does not detect the virus. In fact, most popular free antivirus suites including AVG and Avast! marked the samples as clean files. All the top paid solutions could detect the file as a trojan.
Unlike most ransomware, Petya and the GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retrieving stored information or samples. However, unlike Petya, with GoldenEye there is no workaround to help victims retrieve the decryption keys from the computer.
The malware will also force your infected PC to reboot as soon as it finishes encrypting files, so you’ll see the ransom demands as soon as possible. Researchers at Recorded Future said there’s also a hidden trojan on Petya as well, where it steals victims’ usernames and passwords.
According to BitDefender, Several companies confirmed so far to have fallen victim to GoldenEye/Petya ransomware: Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosnoft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.
Victims are paying the ransom. At the time of writing, 26 victims have paid in Bitcoin to ‘1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX’ address for decrypting their files infected by Petya, which total roughly $7300.
In the meantime, just update your machine and apply the best practices.