On Tuesday, June 27, a massive cyber-attack hit Ukraine, then rapidly spread across the globe.
Petya, a modified version of a previously known ransomware, locked down computer systems and demanded ransom payments from hundreds of organizations around the world, including the shipping giant Maersk, advertising holding company WPP, pharmaceutical company Merck & Co., and the Chernobyl nuclear reactor. According to Microsoft, the malware infected about 12,500 machines in 64 countries. The top five countries affected by the attack are Ukraine, Russia, France, the UK and the United States.
Petya is a “worm” that can self-propagate. It works by first penetrating and then encrypting a computer’s hard disk, then locking out all users and demanding a ransom in exchange for unlocking it. At first glance, Petya appears to be similar to the WannaCrypt ransomware attack that was unleashed in May.
However, upon closer inspection, security experts now believe that Petya was purposely created to resemble ransomware, but is actually a wiper, which is designed to destroy all records in a system. After infecting a machine, Petya spreads across the entire local network, infecting all PCs in a system. But unlike vast ransomware campaigns designed to illicit as much money as possible, Petya doesn’t propagate outside the local network it infects, making it ideal for specific, targeted attacks. Despite infecting thousands of computers, Petya has generated just over $10,000 for the hackers, leading security experts to believe that Petya is in fact a Russian state-sponsored attack on Ukraine disguised as a ransomware attack.
Over the last few years, Russia has been implicated in several high-profile cyber-attacks on Ukraine. According to security firm Eset, over 75% of Petya infections are located in Ukraine alone. Matt Suiche, founder of Comae Technologies, stated that “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker.”
On Tuesday evening, security researcher Amit Serper of Boston-based Cybereason discovered a method of fixing the infection by simply changing a single file name. Users can create a file called Perfc in the C:\Windows directory (without the file extension DLL that the malware contains). This will trick the malware into shutting down. Amit warned, however, that this is only a temporary fix; large-scale malware attacks often come in several waves, and hackers can easily render the fix ineffective by changing the file names.
There remains no hard evidence that the attack was ordered directly by the Kremlin.
Check out this content brief from Aberdeen, It’s About Time: A Case in Threat Detection and Incident Response, to make sure your organization is as prepared as it can be in the inevitable event of a cyber-attack.