Last week, another massive cyber attack hit companies across the world. The infection began in Ukraine – taking down computer systems in banks, power companies and Kiev’s main airport – but has spread to thousands of organisations, including Danish transport firm Maersk, French construction materials company Saint-Gobain, Irish pharmaceutical company MSD and Spanish food giant Mondelez.
The malware responsible was first thought to be Petya, but Kaspersky Lab says that, although the virus closely resembles Petya, it is “a new ransomware that has not been seen before”. As a result, many security researchers have dubbed it NotPetya.
What is Petya/NotPetya?
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Windows operating systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, and demanding a bitcoin payment in order to regain access to the system.
Variants of Petya were identified in May last year, and propagated via infected email attachments. The NotPetya variant first appeared on 27 June this year, but as we reported last week, this variant of NotPetya isn’t technically ransomware – it’s a wiper. In other words, even if you pay the ransom, your data can’t be recovered.
NotPetya takes advantage of the same Server Message Block (SMB) exploit – EternalBlue – that’s used by WannaCry, and it can also spread via another SMB exploit leaked by the Shadow Brokers – EternalRomance. Microsoft has confirmed that patches for both vulnerabilities are available.
How does NotPetya differ from WannaCry?
As with WannaCry, NotPetya has a wormable component that allows it to spread laterally around connected networks. However, its method differs from WannaCry in a number of ways. It uses a payload that infects the computer’s master boot record, overwriting the Windows bootloader, which then triggers a restart. When the computer reboots, the payload is executed – it encrypts the master file table (MFT) of the NTFS file system, and then displays the ransomware message. While this is happening, a simulation of the output of CHKDSK, the Windows file system scanner, is displayed on-screen, suggesting that the hard drive is actually being repaired.
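A defender-side integrity check for the boot sector the text says NotPetya overwrites, as an added example (Python, not code from the article or from any analysis it cites): it parses a 512-byte MBR, compares the boot-code region against a known-good hash and flags a missing boot signature or active partition. The sample sectors and the baseline hash are constructed for the demo, not captured from an infected machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootloader code
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
# entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"

def parse_mbr(sector):
    """Parse a 512-byte MBR into boot-code hash, signature flag and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}

def check_mbr(sector, baseline_hash):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline (possible bootloader overwrite)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_sample_mbr(boot_code):
    """Construct a demo MBR with one bootable NTFS (type 0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed samples: a stand-in for the normal loader, and one whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # recorded when the host was known-good
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 5)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real host the 512 bytes would be read from the physical disk and the baseline hash stored off-box, so that an overwritten bootloader is noticed before the forced reboot rather than after the fake CHKDSK screen appears.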
According to Nick Bilogorskiy, senior director of threat operations at Cyphort, NotPetya also differs from WannaCry in that:
- NotPetya is initially distributed over email – specifically, a malicious link sent from an unknown address.
- NotPetya does not try to encrypt individual files. Instead, it encrypts the master file table.
- It has a fake Microsoft digital signature appended, copied from Sysinternals.
- NotPetya also appears to be able to spread laterally using Windows Management Instrumentation (WMI).
- Some payloads include a variant of Loki Bot, a piece of malware designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from web browsers, and a variety of cryptocurrency wallets.
NotPetya: does it infect files or only the boot record and the table of contents?
Here it is written that it does not encrypt individual files, but does the virus infect the individual files?
When you have the virus (perfc file in c:\windows), is it safe to copy files to a USB stick, and are these safe to use?
It does not encrypt individual files, no. If you want more information on the way NotPetya works, we’d recommend the analysis The Register did last week. It says:
“If successful, the ransomware encrypts the master file table in NTFS partitions and overwrites the master boot record with a customized loader. On boot up, this displays the ransom note asking for $300 in Bitcoin and requests the victim send the Bitcoin details to the aforementioned now-defunct email address.
“The software also encrypts individual files on the PC as well, using 128-bit AES and then encrypts the AES key with a public 2048-bit RSA key. The encrypted key is saved into a README file.”
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware
In answer to your other question, if your computer is infected with NotPetya, you wouldn’t be able to access your files in order to copy them to a USB stick. This is why you should always have backups.