A relatively new strain of malware, dubbed “Petya”, has been making the rounds on the internet recently, and it has even hit close to home here in Pittsburgh. Some researchers named it Petya because they believe it resembles a previous ransomware strain. Other firms, such as Kaspersky Lab, beg to differ and have cleverly named the malware “NotPetya”.
Regardless of the name, this malware exploits the same Windows vulnerability that the prolific WannaCry strain used. One major difference is that this new strain appears to be more destructive in nature, in contrast to the extortionist nature of WannaCry. The reason it appears more destructive (intentionally or not) is that the payment mechanism for retrieving the decryption key was not carefully organized, which leads security researchers to believe that the purveyor of this malware was either inexperienced or had destruction rather than payment in mind. In fact, as of this writing, the single email address displayed by the ransomware, which victims were to use to contact the attackers and arrange the ransom payment for the decryption key, has been shut down by the provider. This means there is no longer any way for victims to contact the attacker for a decryption key to unlock their computer.
The flaw this ransomware exploits is in version 1 of Microsoft’s file sharing protocol, SMB (Server Message Block). The fix is outlined here. If you have systems still using SMBv1, you may also have deeper issues within your network, as it is a vastly outdated protocol. The patch was released in March, well before either of these attacks occurred, which highlights the need for effective patch management processes.
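As an added example (not part of the original post), the following PowerShell script audits a Windows host for the two things the paragraph above calls out, SMBv1 still being enabled and the March patch being absent, and turns SMBv1 off when run with -Remediate. It must be run from an elevated prompt; the KB identifier is a placeholder to be replaced with the one from the Microsoft bulletin linked above.

```powershell
# Added example: audit a Windows host for SMBv1 and, with -Remediate, disable it.
# Run elevated. $PatchKB is a placeholder; substitute the KB id from the Microsoft bulletin.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$PatchKB = 'KBNNNNNNN'   # placeholder, not a real KB number
)

$findings = @()

# 1. Server side: does the SMB server service still accept SMB1?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += 'SMB server: SMBv1 is ENABLED'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. Is the SMB1Protocol optional feature (client and server binaries) still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'Optional feature SMB1Protocol is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Client side: the legacy SMB1 redirector driver (mrxsmb10). Start value 4 means disabled.
$drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
if ($drv -and $drv.Start -ne 4) {
    $findings += "SMB client: mrxsmb10 driver start value is $($drv.Start) (not disabled)"
    if ($Remediate) {
        # Drop mrxsmb10 from the workstation service's dependencies, then disable the driver.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# 4. Is the March SMB fix installed? A later cumulative update may supersede it, so treat a
#    miss as "verify", not as proof the host is unpatched.
if (-not (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) {
    $findings += "Patch $PatchKB not found; check for a superseding cumulative update"
}

if ($findings.Count -eq 0) { 'OK: SMBv1 disabled and patch present' } else { $findings }
```

A reboot is required after the client-side changes take effect; fleet-wide, the same checks are easier to report on from your patch management tooling than host by host.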
This is what an infected machine looks like: