A possible new variant of the Petya ransomware is behind a large-scale cyber attack causing chaos worldwide, shutting down computers at corporations, power suppliers and banks across Russia, Ukraine, Spain, France, the UK, India and the rest of Europe, and demanding $300 in bitcoin.
Petya differs from other recent popular ransomware variants. Instead of encrypting files one by one, it denies access to the whole system by attacking low-level structures on the disk. The affected system’s Master Boot Record (MBR) is overwritten by a custom malicious boot loader that loads a tiny malicious kernel, and this kernel then carries out the encryption. Although it is widely believed to encrypt the whole disk, it actually encrypts the master file table (MFT), which is enough to make the file system unreadable.
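The MBR overwrite described above gives defenders something concrete to check. The following Python script is an added example, not code from the original article: it parses a 512-byte MBR image into its boot code, the four partition-table entries and the 0x55AA boot signature, then compares the image against a known-good baseline captured when the machine was built, which would flag a replaced boot loader like Petya's. The MBR images embedded in it are constructed test data, and the file and function names are my own assumptions.

```python
"""
Baseline check for a disk's Master Boot Record (MBR).

Added example, not from the original article. Petya replaces the MBR with
its own boot loader, so comparing the first 512 bytes of the boot disk
against a baseline taken at install time detects the swap. All MBR images
below are constructed test data, not real disk captures.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_ENTRY_SIZE = 16     # four 16-byte entries at offset 446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    boot_code = mbr[:BOOT_CODE_SIZE]
    table = mbr[BOOT_CODE_SIZE:BOOT_CODE_SIZE + 4 * PARTITION_ENTRY_SIZE]
    partitions = []
    for i in range(4):
        entry = table[i * PARTITION_ENTRY_SIZE:(i + 1) * PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(current: bytes, baseline: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit / MBR ransomware)")
    for i, (c, b) in enumerate(zip(cur["partitions"], base["partitions"])):
        if c != b:
            findings.append(f"partition entry {i} changed: {b} -> {c}")
    return findings


def build_test_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Construct a synthetic MBR image (test data only, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(struct.pack("<B3xB3xII", status, ptype, lba, sectors)
                     for status, ptype, lba, sectors in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed baseline: a few bytes of a typical loader prologue and one
# bootable NTFS (type 0x07) partition starting at LBA 2048.
BASELINE_MBR = build_test_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
# Constructed "infected" image: same partition table, boot code replaced.
TAMPERED_MBR = build_test_mbr(b"\xfa\x31\xc0 FAKE-LOADER", [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python mbr_check.py baseline.bin current.bin
        # Each file holds the first 512 bytes of the boot disk (on Windows,
        # read from \\.\PhysicalDrive0 with an elevated prompt).
        with open(sys.argv[1], "rb") as f:
            baseline = f.read(MBR_SIZE)
        with open(sys.argv[2], "rb") as f:
            current = f.read(MBR_SIZE)
    else:
        baseline, current = BASELINE_MBR, TAMPERED_MBR
    findings = check_against_baseline(current, baseline)
    print("OK: MBR matches baseline" if not findings else "\n".join(findings))
```

The check hashes only the boot-code region and compares the partition entries field by field, so a legitimate partition resize shows up as a specific entry change rather than as a blanket mismatch. A baseline must be captured from a clean system, and the comparison is only meaningful if it runs before the fake CHKDSK stage completes (for instance from a scheduled task or an EDR script, or offline against a disk image).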
Although the sample has not yet been reverse-engineered and analyzed, multiple sources report that this possible new Petya variant, also known as Petwrap, is spreading rapidly by exploiting the same Windows SMBv1 vulnerability that the WannaCry ransomware used to infect its victims; one of its propagation methods is the EternalBlue exploit (allegedly developed by the US National Security Agency, NSA), alongside others such as phishing and spam emails.
Petya ransomware has already infected the Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, the National Bank of Ukraine, Britain’s WPP, the shipping giant Maersk and other major firms, airports and government departments across Europe.
What does it look like?
Once your computer is infected, the malware imitates the Windows CHKDSK process (used for filesystem repair) and claims it is repairing your disk. That is when Petya does its dirty work. Afterwards, it displays the following message: “If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Because Petya encrypts only the master file table rather than every single file, it reaches the ransom screen much faster than WannaCry.
A very interesting, and also very disturbing, fact is that only 16 out of 61 antivirus solutions detected Petya at the time of the outbreak, according to VirusTotal.
How to prevent it
As usual, users who kept their systems up to date were less prone to infection. Always update your software with the latest available patches, and never open files whose origin or content you are unsure about!