WannaCry’s little sister is spreading

WannaCry’s little sister Petya is making its rounds as we speak in Europe. It is shutting down computers at corporations, power companies, and banks across Russia, Ukraine, Spain, France, UK, India, and the rest of Europe. The developers are demanding $300 in bitcoins. Already an estimated 300,000 computers have been infected in just 3 days.

Petya uses the same vulnerable SMBv1 exploit used in WannaCry.

Petya doesn’t encrypt files but instead encrypts the hard disk’s master file table and replaces the master boot record [MBR] with its own code, which displays the ransom note at boot-up and leaves the computer unable to boot into Windows.

Aside from keeping your computer up to date, follow KB2696547 to disable SMBv1. SMBv1 may still be required, though, by older software.

Of course if you were smart enough to avoid WannaCry which included updated OS patches [or you had to rebuild your computer if infected with WannaCry], you shouldn’t be too concerned with this. On the other hand, those running Windows XP and Windows Server 2003 should be. They were for the most part spared WannaCry’s wrath because of faulty code by the developer. I would guess they learned from it.

[Update: 2017/06/27] If it is the same Trojan, it actually has been around for 15 months according to Symantec and McAfee, using the “EternalBlue” exploit [MS17-07]. But Kaspersky says it isn’t the same and is calling the malware NotPetya.

Some sites claim the malware will only go after the MBR if it has administrator rights on the computer. If not, it will just try to encrypt individual files like WannaCry.

[Update: 2017/06/28] Researchers say if you create a file [it doesn’t have to be empty] called “Perfc”, place it in C:\Windows and mark the file as read only, it could protect your computer from getting Petya. It seems the ransomware loader looks for this file; if it exists, it skips doing anything.
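The two host-side mitigations above (disabling SMBv1 per KB2696547 and the read-only “Perfc” file), plus a check for the KB4012598 patch mentioned in the patch section below, as an added PowerShell audit script that is not part of the original post. It assumes Windows 8 / Server 2012 or later (for the Get-SmbServerConfiguration cmdlets) and an elevated prompt; without -Apply it only reports.

```powershell
# Added example (not from the original post): audit a Windows host for the
# mitigations the post discusses and, with -Apply, put the two scriptable
# ones in place. Requires an elevated prompt on Windows 8 / Server 2012 or
# later; KB2696547 covers the registry/DISM methods for older builds.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$report = [ordered]@{}

# 1. Is the MS17-010 fix (KB4012598) installed? Later cumulative updates
#    supersede it, so a missing entry means "check", not "unpatched".
$hotfix = Get-HotFix -Id 'KB4012598' -ErrorAction SilentlyContinue
$report['KB4012598 present'] = [bool]$hotfix

# 2. Is SMBv1 still enabled on the server side?
$smb = Get-SmbServerConfiguration
$report['SMBv1 enabled'] = $smb.EnableSMB1Protocol
if ($Apply -and $smb.EnableSMB1Protocol) {
    # Same effect as the KB2696547 registry change; confirm first that no
    # legacy device or application on the network still depends on SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMBv1 enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# 3. The read-only "Perfc" file in C:\Windows that the loader checks for.
$perfc = Join-Path $env:windir 'Perfc'
$report['Perfc file present'] = Test-Path $perfc
if ($Apply -and -not (Test-Path $perfc)) {
    New-Item -Path $perfc -ItemType File | Out-Null
    Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true
    $report['Perfc file present'] = Test-Path $perfc
}
$report['Perfc read-only'] = (Test-Path $perfc) -and (Get-Item $perfc).IsReadOnly

[pscustomobject]$report | Format-List
```

Run it once without -Apply to see the current state, then with -Apply on machines where SMBv1 is confirmed unused.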

If you start your computer or it reboots and it starts to run a “Chkdsk”, it is fake. It is doing the encryption. If you see this, turn off your computer immediately. You won’t be able to boot the computer normally, but you can boot an offline virus scanner to clean the computer and/or access your files and move them off the computer.

[Update: 2017/06/29] Because things are a bit sloppy, the developers of Petya didn’t really intend to make money, according to security experts. In addition, some believe that after a hard disk is encrypted it can’t be decrypted.

In addition, some are calling it “NotPetya” [mentioned before] and even “GoldenEye” because it differs too much from the original Petya released 15 months ago.

While other areas of the world were “casualties”, some are saying their intent was to disrupt Ukraine – which would mean the developers are most likely Russian.

[Update: 2017/06/30] Posteo, the email provider hosting the account where the Petya ransomware author was receiving messages shut down the account, preventing victims from contacting the author to make payments and possibly recover their encrypted data. Even then, just an estimated $10,000 US was collected.


WannaCrypt may have been a dud for most

While the WannaCrypt/WannaCry ransomware caused some havoc, primarily in Europe and mostly in eastern Europe, with the infection count hitting 6 figures, it turned out to be a big dud.

First, many did not pay the ransom. I am guessing many of those in eastern Europe cannot afford $300+.

Second, while it heavily affected those with Windows 7 computers, I suspect many of those are unprotected or not patched as they could be pirated copies of Windows 7. Eastern Europe and Asia [also hit hard] are notorious for high piracy rates. Many with pirated copies do not want to risk compromising their system with an update that could botch their copies.

Third, even though somewhere around an estimated 10 percent of computers are still using Windows XP, an operating system that has had no support for about 3 years, those who programmed it botched things up: when WannaCrypt got onto those computers it wouldn’t spread to other computers, and many of them would crash.

Kaspersky claims almost 98% of machines infected were Windows 7 based. Servers were just over 1% and most of those were Server 2008 R2. Windows 10 accounted for 0.03% [I guess some turned off Windows Updates]. Servers account for 1.4% with most of them on Windows Server 2008 R2 – the server version of Windows 7.

WannaCry/WannaCrypt Microsoft Windows patches

If you are up to date on Windows patching, you should be covered. If not, you can still get the patch at http://catalog.update.microsoft.com/v7/site/Search.aspx?q=4012598.

It is important to know that Microsoft also released patches for the unsupported Windows XP SP3 and Windows Server 2003.