show image

NotPetya: virus behind global attack ‘masquerades’ as ransomware but could be more dangerous, researchers warn

Cybersecurity firm Kaspersky has claimed, contrary to prior reports, that the “ransomware” behind an ongoing global attack on Microsoft Windows PCs is a new virus not previously known to experts.

Some researchers, including Kaspersky’s, identified the code on Tuesday afternoon as a variant of Petya, a type of well-understood ransomware that locks down victims’ hard drives. But the Russian firm has since released a statement claiming that it’s not Petya after all – hence its new moniker, NotPetya.

Confusion appears to have stemmed from the fact that the code was masquerading as the ransomware virus, but cybersecurity expert the Grugq has said that the similarities are only skin deep.

“Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [malware] is definitely not designed to make money,” the Grugq said. “This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”

The veteran researcher added that the pipeline selected by hackers to receive the $300 ransom payments was “possibly the worst of all options”. Victims were asked to send a large amount of complex strings of code to an email address that was quickly shut down by its service provider.

Around 2,000 users had been attacked by 18:00 GMT on Tuesday (27 June), with Ukraine and Russia suffering the most hits, according to Kaspersky’s telemetric data. The computer networks at Ukraine’s central government and national bank, Kiev’s main airport and the Chernobyl disaster site were among the first to report that they had been hit. The virus has since been reported all over the world.

NotPetya or Pnyetya, as the Grugq calls it, infects computers by deploying a tweaked version of open-source Minikatz to extract network administrator credentials, before spreading to other machines.

Like the WannaCry ransomware that paralysed parts of the NHS and thousands more organisations last month, NotPetya uses a modified version of EternalBlue, an exploit developed by the NSA to infect computer systems. Unlike WannaCry, it also uses the agency’s EternalRomance code.

Both exploits were leaked by the Shadow Hackers group earlier this year.

By the time the exploits were dumped on the dark web, Microsoft had patched its vulnerabilities, but not all users updated their software, leaving them vulnerable to WannaCry when it started spreading last month.

Since WannaCry, many users have taken steps to update their software and protect their systems, meaning the credential theft tends to be the more successful of the two approaches.

If a network has recently been patched, the virus can still seek admin access without using the NSA’s exploits. One way is to trick an admin user into running a nefarious email attachment. It may also send a malicious software update to an application suite running as admin, the Register reported.

Once a computer has been infected, the ransomware waits about an hour before it begins the reboot and file encryption process. As the Guardian spotted, @hackerfantastic has been advising users to switch off their computer immediately if they see this message:

They can then try to rescue the files from the machine.

Victims are advised to disconnect their PC from the internet, reformat the hard drive and reinstall files from a backup.

While the attack appears to have started in Ukraine, British advertising giant WPP, French construction materials company Saint-Gobain and many other major businesses have also been affected.

Ukraine has pointed the blame at Russia over previous attacks on its networks. Russia has previously said it was not involved in the attacks.

Steven Murdoch, principal research fellow at University College London’s Cyber Security Institute, told New Statesman Tech that it was too early to say who was to blame, adding that intelligence agencies would be best equipped to trace its origins.