TechViews News
By now most people have heard that there was another global cyberattack on Tuesday. Called Petya, the new virus hit computers across Europe, India, Russia, South America, and the USA.
But according to Comae Technologies Founder Matt Suiche, the virus was designed to look like ransomware but was actually wiper malware that wipes computers outright, destroying all records from the targeted systems.
The Petya ransomware attack began infecting computers in several countries on Tuesday and demanded a $300 ransom. However, the makers of this virus had no intention of restoring the computers at all.
Security experts even believe the real attack was disguised to divert the world’s attention from a state-sponsored attack on Ukraine to a malware outbreak.
“We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Suiche writes.
What does Petya do?
Petya, unlike other traditional ransomware, does not encrypt files on a targeted system one by one.
Instead, Petya reboots victims’ computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk.
Then Petya ransomware takes an encrypted copy of the MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot.
However, this new variant of Petya does not keep a copy of the replaced MBR, leaving infected computers unbootable even if victims get the decryption keys.
Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully patched ones) on the same network, using the EternalBlue SMB exploit and the WMIC and PsExec tools.
Don’t Pay the Ransom, because you are not getting your files back anyway.
Kaspersky researchers also agree.
“Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks,” the security firm said.
“To decrypt a victim’s disk threat actors need the installation ID. In previous versions of ‘similar’ ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery.”
The state-sponsored theory is still speculation, but the virus primarily and massively targeted multiple entities in Ukraine, including the country’s local metro, Kiev’s Boryspil airport, an electricity supplier, the central bank, and the state telecom. Other countries infected by the Petya virus included Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.
Be Safe – Backup Your Data Regularly!
And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.