Ransomware remains a formidable threat for individual users and businesses alike, particularly as new sample families continue to be discovered by security researchers. What makes ransomware so dangerous is the fact that victims are denied access to their most important files and data - a problem that could potentially topple an enterprise if not dealt with quickly.
Making matters worse, even if attackers are paid the ransom, there's no guarantee that the files will be decrypted and access restored - in some cases, files simply remain locked away as hackers make off with their payment. In other instances, hackers will ask for a second, higher ransom after victims pay the first.
One of the first steps in guarding against ransomware infections is remaining in-the-know about emerging threats and attack styles. Recently, WannaCry or WannaCrypt grabbed headlines as the next big thing in ransomware attacks. Now, a new threat has come to the surface: Petya.
Like most traditional ransomware samples, Petya provides hackers with the ability to encrypt victims' system files, preventing access until a ransom amount is paid. Trend Micro detects Petya as RANSOM_PETYA.SMA, and researchers noted that while it is similar to other ransomware infections, there are a few elements that make Petya unique:
Petya represents an evolution in ransomware technology.
Petya garnered renewed attention in June 2017 when security researchers and investigators discovered that it was responsible for several large-scale attacks in Ukraine. According to New York Times contributors Nicole Perlroth, Mark Scott and Sheera Frenkel, the incident has been dubbed "an international cyberattack," and impacted a number of organizations in the country and elsewhere. There seemed to be little connection between infection victims, and the scope of the attack was cause for considerable concern.
"In Kiev, the capital of Ukraine, A.T.M.s stopped working. About 80 miles away, workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed," Perlroth, Scott and Frenkel wrote. "And tech managers at companies around the world -- from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States -- were scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected."
From there, the attack continued to spread to other businesses and government agencies in Ukraine, and then to organizations in other countries. As ZDNet contributor Zack Whittaker noted, it's still unclear who perpetrated the attack, and while some are quick to point to "nation state" attackers, it's wise to hold off on these suspicions until there is evidence to support them.
"It's easy to want to assume that this could be a nation state attack, given that blame is usually pointed at Russia for major cyberattacks or political meddling," Whittaker wrote. "But there's no evidence at this time to suggest a government is behind the attack."
While investigators are still searching for those responsible, this pursuit could be difficult - but not impossible - due to the sheer size and number of victims involved in the rash of Petya infections. The New York Times noted that after initial attacks against organizations in Ukraine, other institutions outside of that country reported infections, including a Russian oil company, global shipping container company A.P. Moller-Maersk, French construction materials company Saint-Gobain, British marketing firm WPP and German railway company Deutsche Bahn.
Petya also affected organizations based in the U.S., or with American locations, including:
DLA Piper, in particular, warned its clients from its Australian offices that it was dealing with a "serious global cyber incident," and was shutting down its email as a precaution.
According to Microsoft, before the end of June, Petya had spread to 65 countries total, including in Belgium and Brazil, impacting more than 12,500 machines.
The case of Petya continues to get more interesting, as ZDNet reported that the email included in the sample's ransom message had been blocked by the provider supporting it. This means that victims don't actually have a place to send the $300 bitcoin ransom even if they wanted to - and those that did "wasted their money," according to Whittaker.
Posteo, the email provider in question, noted that the account tied to Petya's ransom message was blocked about two hours after initial attacks began. The company noted that it would "not tolerate the misuse of our platform."
"The immediate blocking of misused email accounts is the necessary approach by providers in such cases," Posteo said in a statement.
While Petya is surely a powerful threat, there are best practices users and enterprises can take to protect against it, including:
To find out more about Petya and how you can guard against advanced ransomware within your organization, contact the experts at Trend Micro today.