{"id":182585,"date":"2017-06-29T09:29:06","date_gmt":"2017-06-29T07:29:06","guid":{"rendered":"https:\/\/businesstech.co.za\/news\/?p=182585"},"modified":"2017-06-29T09:29:06","modified_gmt":"2017-06-29T07:29:06","slug":"everything-you-need-to-know-about-the-new-petya-ransomware-cyber-attack","status":"publish","type":"post","link":"https:\/\/businesstech.co.za\/news\/internet\/182585\/everything-you-need-to-know-about-the-new-petya-ransomware-cyber-attack\/","title":{"rendered":"Everything you need to know about the new Petya ransomware cyber attack"},"content":{"rendered":"<p>IT and security expert at Sophos, Paul Ducklin, has broken down all the important information about the new Petya ransomware that has hit many countries, including South Africa.<\/p>\n<p>The new Petya attack reportedly\u00a0uses the same intrusion tool as a similar attack in May and has been similarly disruptive to daily life, with hospitals, government offices and major multinationals among the casualties of the ransomware payload.<\/p>\n<p>The malware attack first manifested itself in Kiev, Ukraine, on Tuesday and was slowly spreading across the world.<\/p>\n<p>As in the previous attack, a ransom is charged for a digital key which will allegedly restore the encrypted data.<\/p>\n<p>According to Ducklin, while displaying similar traits to the malware attacks that have come before, the new variation of Petya works a bit differently, and businesses need to be fully informed about the implications.<\/p>\n<p>Ducklin&#8217;s <strong><a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/06\/28\/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask\/\">full Q&amp;A can be found here<\/a><\/strong>.<\/p>\n<hr \/>\n<p><strong>What is this new \u201cPetya\u201d ransomware outbreak?<\/strong><\/p>\n<p>On 27 June, a new strain of ransomware was reported in numerous disparate organisations in many countries.<\/p>\n<p>This malware has been variously, and somewhat confusingly, referred to as 
Petya, GoldenEye, WannaCry2, NotPetya, PetrWrap and PetyaWrap.<\/p>\n<p>Sophos detects the main file of this malware by the name <em>Troj\/Ransom-EOB<\/em>, but in this article we will refer to it colloquially as PetyaWrap, because it\u2019s easier to say.<\/p>\n<hr \/>\n<p><strong>Why the name PetyaWrap?<\/strong><\/p>\n<p>The heart of this new ransomware is almost identical to an existing ransomware strain from 2016 known as Petya.<\/p>\n<p>Unlike most ransomware, which scrambles your data files but leaves your computer able to boot up into Windows and run your regular apps, Petya scrambles your disk down at the sector level, so that it won\u2019t boot normally at all.<\/p>\n<p>But the PetyaWrap variant does much more than the original Petya ransomware.<\/p>\n<p>PetyaWrap includes a number of other concepts and components plundered from other malware strains, including GoldenEye and WannaCry, wrapped up into a new ransomware variant that does much more than the original Petya strain.<\/p>\n<hr \/>\n<p><strong>What malware techniques does PetyaWrap combine?<\/strong><\/p>\n<p>Like WannaCry, PetyaWrap is a computer worm, meaning that it can spread by itself.<\/p>\n<p>PetyaWrap can copy itself round your network, and then automatically launch those new copies without waiting for users to read emails, open attachments or download files via web links.<\/p>\n<p>Like the GoldenEye ransomware, PetyaWrap encrypts your data files in such a way that only the attackers know the decryption key, so you can\u2019t unscramble the files without their help.<\/p>\n<p>As if that weren\u2019t enough, after spreading and scrambling your data, PetyaWrap does the same as the original Petya malware \u2013 it scrambles your disk down at the sector level, so that you can\u2019t access your C: drive at all, even if you plug the disk into another computer.<\/p>\n<hr \/>\n<p><strong>How does PetyaWrap spread across my network?<\/strong><\/p>\n<p>Firstly, it borrows from WannaCry by trying to 
exploit a pair of critical Windows security holes that were stolen from the US National Security Agency (NSA) and leaked by a hacking crew called Shadow Brokers. (The main vulnerability used is commonly known by its original NSA name: ETERNALBLUE.)<\/p>\n<p>If you are patched against WannaCry \u2013 Microsoft issued patches that prevented the attack well before WannaCry came out \u2013 then you are patched against this part of PetyaWrap.<\/p>\n<p>Secondly, it tries to spread using a popular Windows remote execution tool called PsExec \u2013 PetyaWrap has a copy of the PsExec software embedded inside it, so it doesn\u2019t need to download it first.<\/p>\n<p>PsExec is part of Microsoft\u2019s own Sysinternals suite, commonly misused by cybercriminals as a convenient way of moving around inside a network after they\u2019ve got in from the outside.<\/p>\n<p>Note that the PsExec trick won\u2019t work if the infected computer doesn\u2019t have enough account privilege to run commands on the target it\u2019s attacking \u2013 a good reason not to use Administrator accounts all the time, no matter how convenient it might be for IT staff.<\/p>\n<p>Thirdly, PetyaWrap snoops around in memory looking for passwords that will boost its access privileges and give it administrative access to other computers on the network.<\/p>\n<p>This password snooping is done using a modified copy of a password-grabbing tool called LSADUMP from the Mimikatz toolkit \u2013 as with PsExec, this hacking tool is embedded into the PetyaWrap program, so it doesn\u2019t need to be downloaded first.<\/p>\n<hr \/>\n<p><strong>Is patching against WannaCry enough to be safe?<\/strong><\/p>\n<p>No. 
As explained above, PetyaWrap has three spreading tricks, of which the WannaCry technique is the first one it tries.<\/p>\n<p>If the WannaCry hole is closed, PetyaWrap tries PsExec; if that doesn\u2019t work, it tries LSADUMP and the Windows Management Interface to \u201cmanage\u201d your network to your considerable disadvantage.<\/p>\n<p>Treat the WannaCry patches as necessary but not sufficient.<\/p>\n<hr \/>\n<p><strong>Will I get my data back if I pay the ransom?<\/strong><\/p>\n<p>We doubt it. In fact, the email address by which you are supposed to contact the crooks has been suspended, so it\u2019s unlikely you\u2019ll be able to do a deal with them even if you wanted to.<\/p>\n<hr \/>\n<p><strong>Can PetyaWrap spread across the internet, like WannaCry?<\/strong><\/p>\n<p>No. And yes. WannaCry had two spreading functions that ran in parallel: one scoured your LAN trying to spread locally; the other went out looking randomly for new victims on the internet.<\/p>\n<p>PetyaWrap doesn\u2019t explicitly try to find new victims out on the internet, but sticks to your LAN, perhaps in the hope of drawing less attention to itself.<\/p>\n<p>Unfortunately, LANs (short for Local Area Networks) often aren\u2019t truly local any more, often including outlying offices and remote workers, including contractors.<\/p>\n<p>Of course, some of those remote computers may be part of more than one LAN, meaning that they can act as a \u201cbridge\u201d between two networks, even if they belong to completely different organisations.<\/p>\n<p>In other words, for all that PetyaWrap isn\u2019t programmed to spread purposefully across the internet, it also isn\u2019t programmed to avoid jumping onto someone else\u2019s network if there\u2019s an interconnection.<\/p>\n<p>Importantly, PetyaWrap uses the networking tools built into Windows for its signposts on where to try next \u2013 so if you can browse to a partner company\u2019s servers from your computer, or click through to your home 
computers from work\u2026then PetyaWrap can do the same.<\/p>\n<hr \/>\n<p><strong>How did the PetyaWrap outbreak get started?<\/strong><\/p>\n<p>Early on in the outbreak, fingers were pointed at a Ukrainian software company that produces tax accounting software, suggesting that a hack of the company\u2019s update servers may have given the crooks a window of opportunity to push out an initial wave of infections.<\/p>\n<p>Microsoft now claims to have evidence that a hacked version of the company\u2019s autoupdate program might have been connected to an early PetyaWrap outbreak.<\/p>\n<hr \/>\n<p><strong>What should I do next?<\/strong><\/p>\n<p>Ransomware like PetyaWrap can do plenty of damage even if you limit it to a regular user account, because most users have the right to read, write and modify their own files at will.<\/p>\n<p>But any malware, especially a network worm like PetyaWrap, is much more dangerous if it can get administrator-level privileges instead.<\/p>\n<p>So, even if you weren\u2019t touched by the PetyaWrap outbreak, why not use it as the impetus for looking at who in your own network is allowed to do what, and where they\u2019re allowed to do it?<\/p>\n<p>Here are some things to try:<\/p>\n<ul>\n<li>Review all domain and local administrator accounts to get rid of passwords that can easily be cracked. If you don\u2019t test your own password strengths, the crooks will test them for you.<\/li>\n<li>Review which staff have, or can acquire, administrator privileges on other users\u2019 computers or the domain. If you realise you have privileges you no longer need, tell IT and get them removed \u2013 for your own safety as well as everyone else\u2019s.<\/li>\n<li>Don\u2019t let IT staff log on or run any software with admin privileges except when they explicitly need to. 
Once they have completed an administrative task they should demote themselves back to regular user privileges, even though it\u2019s less convenient.<\/li>\n<li>Check to see if you have any network shares that are supposed to be limited to your LAN but which show up on the internet. If you don\u2019t check up on your own network, the crooks will check for you.<\/li>\n<\/ul>\n<p>Never assume that security choices you made last year, or settings you enforced last month, are still in play today.<\/p>\n<hr \/>\n<p><strong>Read:\u00a0<a title=\"Permalink to Petya ransomware hits SA \u2013 IT experts warn companies to be on alert\" href=\"https:\/\/businesstech.co.za\/news\/internet\/182315\/petya-ransomware-hits-sa-it-experts-warn-companies-to-be-on-alert\/\" rel=\"bookmark\">Petya ransomware hits SA \u2013 IT experts warn companies to be on alert<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IT and security expert at Sophos, Paul Ducklin, has broken down all the important information about the new Petya ransomware that has hit many countries, including South 
Africa.<\/p>\n","protected":false},"author":10,"featured_media":51791,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9882],"tags":[26],"class_list":["post-182585","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet","tag-headline"],"_links":{"self":[{"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/posts\/182585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/comments?post=182585"}],"version-history":[{"count":1,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/posts\/182585\/revisions"}],"predecessor-version":[{"id":182595,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/posts\/182585\/revisions\/182595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/media\/51791"}],"wp:attachment":[{"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/media?parent=182585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/categories?post=182585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/businesstech.co.za\/news\/wp-json\/wp\/v2\/tags?post=182585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}