WannaCry’s little sister is spreading

WannaCry’s little sister Petya is making its rounds as we speak in Europe. It is shutting down computers at corporations, power companies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe. The developers are demanding $300 in bitcoins. Already an estimated 300,000 computers have been infected in just 3 days.

Petya exploits the same SMBv1 vulnerability that WannaCry used.

Petya doesn’t encrypt files but instead encrypts the hard disk’s master file table [MFT] and replaces the master boot record [MBR] with its own code, which displays the ransom note at boot up and leaves the computer unable to boot into Windows.

Aside from keeping your computer up to date, follow KB2696547 to disable SMBv1. Keep in mind that SMBv1 may still be required by older software.

Of course, if you were smart enough to avoid WannaCry by keeping your OS patches up to date [or you had to rebuild your computer after it was infected with WannaCry], you shouldn’t be too concerned with this. On the other hand, those running Windows XP and Windows Server 2003 should be. They were for the most part spared WannaCry’s wrath because of faulty code by the developer. I would guess they learned from it.

[Update: 2017/06/27] If it is the same Trojan, it actually has been around for 15 months, according to Symantec and McAfee, and uses the “EternalBlue” exploit [MS17-07]. But Kaspersky says it isn’t the same and is calling the malware NotPetya.

Some sites claim the malware will only go after the MBR if it has administrator rights on the computer. If not, it will just try to encrypt individual files like WannaCry.

[Update: 2017/06/28] Researchers say that if you create a file [doesn’t have to be empty] called “Perfc”, place it in C:\Windows and mark the file as read only, it could protect your computer from getting Petya. It seems the ransomware loader looks for this file. If it exists, it skips doing anything.
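The two defensive steps above, disabling SMBv1 per KB2696547 and creating the read-only “perfc” file in C:\Windows, can be done from one elevated PowerShell session. The script below is an added example written for this post, not code from the original author or from any vendor; it assumes a Windows 8.1 / Server 2012 R2 or newer machine where the SMB cmdlets from KB2696547 exist, and it takes the file name and location only from the 2017/06/28 update above.

```powershell
# Added example (not from the original post): apply and verify the two
# mitigations the post describes. Run in an elevated PowerShell session.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; cmdlets as in KB2696547.
#Requires -RunAsAdministrator

# --- 1. Report and disable the SMBv1 server protocol ---
$before = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled before change: {0}" -f $before.EnableSMB1Protocol)

if ($before.EnableSMB1Protocol) {
    # KB2696547 method for Windows 8 / Server 2012 and later.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Remove the SMB1 optional feature entirely where it is installed.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature disabled; a reboot is required to finish removing it."
}

# Disable the SMBv1 client driver (mrxsmb10) as well, per KB2696547.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- 2. Create the read-only file the loader reportedly checks for ---
$perfc = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path $perfc)) {
    New-Item -Path $perfc -ItemType File | Out-Null
}
Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true

# --- 3. Verify the end state so the result can be logged or audited ---
$after = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1ServerEnabled = $after.EnableSMB1Protocol
    PerfcPath         = $perfc
    PerfcExists       = Test-Path $perfc
    PerfcReadOnly     = (Get-Item $perfc).IsReadOnly
}
```

Before running this on a production machine, check whether anything still needs SMBv1 (old NAS boxes, printers and legacy applications are the usual culprits, as the post warns); the client-side `sc.exe` change and the feature removal only take full effect after a reboot. The perfc file is a stopgap that depends on the loader’s own behaviour, so treat it as a supplement to patching, not a replacement for it.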

If you start your computer or it reboots and it starts to run a “Chkdsk”, it is fake. It is doing the encryption. If you see this, turn off your computer immediately. You can’t boot the computer normally, but you could boot from an offline virus scanner to clean the computer and/or access your files and move them off the computer.

[Update: 2017/06/29] Because things are a bit sloppy, the developers of Petya didn’t really intend to make money, according to security experts. In addition, some believe that after a hard disk is encrypted it can’t be decrypted.

In addition, some are calling it “NotPetya” [mentioned before] and even “GoldenEye” because it differs too much from the original Petya released 15 months ago.

While other areas of the world were “casualties”, some are saying their intent was to disrupt Ukraine – which would mean the developers are most likely Russian.

[Update: 2017/06/30] Posteo, the email provider hosting the account where the Petya ransomware author was receiving messages, shut down the account, preventing victims from contacting the author to make payments and possibly recover their encrypted data. Even then, just an estimated $10,000 US was collected.


About ebraiter
computer guy
