You may still remember the WannaCry virus. Hospitals and institutions around the world were paralysed by that ransomware. Now there is another threat that is even worse than WannaCry and other ransomware: Petya.
What is Petya?
On June 27, more than 12,500 computers in Ukraine were infected by Petya. The infection then spread rapidly to 64 other countries, including Belgium, Brazil, Germany, Russia and America.
The Petya attacking this time is actually a new variant of the earlier Petya ransomware (Ransom:Win32/Petya), also known as Petya 2016. But the Petya seen today (NotPetya / Petya 2017) has a far more devastating effect than its predecessor. Deep analysis by Kaspersky and Comae even found that this time Petya is not ransomware at all, but a wiper.
What is the Difference Between Petya and Ransomware?
The Petya attacking this time is a wiper, not ransomware. In essence, the purpose of a wiper is destruction, while the goal of ransomware is to make money.
Why is it Worse than Ordinary Ransomware?
Ordinary ransomware encrypts data so that it is damaged and cannot be opened. It then demands a ransom; if the ransom is paid, the ransomware's creator sends a decryption key to restore the data that the encryption damaged. In addition, security companies can often build a decryptor tool to restore the encrypted data.
Petya 2016 is still categorised as ransomware, because the data damaged by its MBR modification can still be restored if the victim pays some money.
Petya 2017 / NotPetya is a different case. It does not merely encrypt data, demand a ransom and offer a way to restore the data. This Petya was created and modified with a clear purpose: destruction, not just money.
Once it infects a machine, Petya directly modifies the MBR sectors of the hard disk. The first sector is encoded and placed in sector 34. The problem is that the 24 sectors after the first sector are deliberately overwritten without being read or stored anywhere. This leaves the data of infected PC users permanently damaged and irrecoverable, even if they pay the ransom.
Again, this tool does not encrypt the data itself; it encrypts the Master File Table (MFT), which holds the index and information for every file stored on the hard drive.
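To make the sector layout described above concrete, here is an added example (not code from the original article or from any analysis it cites) that takes a hash baseline of the first sectors of a constructed in-memory disk image, applies a toy model of the described damage (first sector encoded into sector 34, the next 24 sectors overwritten without being saved), and then checks which original sectors still have a copy anywhere on the image. The one-byte XOR encoding and the 0xff fill are assumptions for the illustration; the article does not state the encoding scheme.

```python
import hashlib
import random

SECTOR = 512                   # bytes per disk sector
STASH_SECTOR = 34              # where the article says the encoded first sector is placed
WIPED_SECTORS = range(1, 25)   # the 24 sectors after the first: overwritten, never saved
XOR_KEY = 0x37                 # assumed one-byte XOR encoding (not stated by the article)

def make_disk(num_sectors=64, seed=1):
    """Constructed sample image: every sector gets distinct pseudo-random bytes."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(num_sectors * SECTOR))

def sector_hashes(disk, count):
    """Baseline: SHA-256 of each of the first `count` sectors, taken while the disk is clean."""
    return [hashlib.sha256(disk[i * SECTOR:(i + 1) * SECTOR]).hexdigest() for i in range(count)]

def changed_sectors(baseline, disk):
    """Compare a later image against the baseline and list the sectors that no longer match."""
    return [i for i, h in enumerate(sector_hashes(disk, len(baseline))) if h != baseline[i]]

def model_described_damage(disk):
    """Toy model of the layout the article describes, applied to an in-memory image only:
    sector 0 is XOR-encoded into sector 34, then sector 0 and sectors 1..24 are overwritten."""
    d = bytearray(disk)
    d[STASH_SECTOR * SECTOR:(STASH_SECTOR + 1) * SECTOR] = bytes(b ^ XOR_KEY for b in d[:SECTOR])
    for i in [0, *WIPED_SECTORS]:
        d[i * SECTOR:(i + 1) * SECTOR] = b"\xff" * SECTOR   # placeholder for new boot code / garbage
    return bytes(d)

def locate_copy(disk, original_sector):
    """Index of a sector holding `original_sector` in plain or XOR-decoded form, else None."""
    for i in range(len(disk) // SECTOR):
        s = disk[i * SECTOR:(i + 1) * SECTOR]
        if s == original_sector or bytes(b ^ XOR_KEY for b in s) == original_sector:
            return i
    return None

def recoverable_sectors(clean, damaged, count=25):
    """For the first `count` original sectors, report where (if anywhere) a copy survives."""
    return {i: locate_copy(damaged, clean[i * SECTOR:(i + 1) * SECTOR]) for i in range(count)}

if __name__ == "__main__":
    clean = make_disk()
    baseline = sector_hashes(clean, 40)
    damaged = model_described_damage(clean)
    found = recoverable_sectors(clean, damaged)
    print("changed sectors:", changed_sectors(baseline, damaged))
    print("still recoverable:", {i: s for i, s in found.items() if s is not None})
    print("lost for good:", [i for i, s in found.items() if s is None])
```

Only sector 0 turns up again (encoded, at sector 34); sectors 1 to 24 have no copy anywhere on the image, which is exactly why a decryption key could not bring them back.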
How Does the Petya Wiper Spread?
Petya 2017 (NotPetya / Petya Wiper) spread most strongly in Europe, especially Ukraine, where the Medoc application is very popular. Several parties claimed that hackers had planted Petya's infection code in the Medoc application, although Medoc itself stated that its application had not been hijacked. Another source of infection is phishing or scam email attachments, opened carelessly.
Once it infects a computer, Petya uses several methods to spread to other computers on the same network. One is a tweaked version of the open-source Mimikatz tool, used to extract administrator account details from the PC's memory. It then uses those details to execute commands on other PCs via PsExec and WMIC.
Petya also exploits the Windows vulnerability found by the NSA, EternalBlue, to spread widely across the network. This exploit targets SMB and is the same one used by WannaCry. Petya also uses another of the NSA's SMB exploits, EternalRomance.
Besides the NSA's Windows exploits, Petya also tries to gain admin access by other means, such as tricking a user logged in as admin into executing an email attachment containing the malware, or disguising the malware as an app update that requires admin access. Petya also tries to spread through popular applications that it hijacks.
Once it has infected the machine and obtained admin privileges, Petya immediately modifies and rewrites the MBR on the hard drive, so that at boot the machine runs not Windows but Petya, with its ransom messages. But as WinPoin pointed out above, even if the victim pays the ransom, their data has already been permanently damaged and cannot be restored.
That is why Petya 2017 / NotPetya is not ransomware, but a wiper.