Petya Ransomware Wreaks Havoc from Russia

The Original Petya Ransomware was First Identified in March 2016.

Introduction to Petya Ransomware

Petya ransomware, the predecessor to NotPetya, initiates its attack largely via malicious spam emails sent with Dropbox download links. The primary targets of these attacks are generally Human Resources (HR) departments within German companies. The ransomware encrypts sections of the victims' hard drive, subsequently holding the data ransom until the stipulated Bitcoin payment is made.

Petya/NotPetya ransomware first emerged in 2016. The variant behind the large-scale attack of June 2017 was initially called Petya because it resembled the earlier strain, but it was later found to be a substantially modified version, hence the name NotPetya.

Petya Ransomware
Petya is an aggressive form of ransomware that targets Microsoft Windows-based computers. It infects the master boot record and encrypts data on the hard drive, preventing the computer from booting up. Credit: Shutterstock

Brief History of Petya Ransomware

The original Petya ransomware was first identified in March 2016. It spread through malicious email attachments and infected computers using exploit kits and other vulnerabilities. Petya utilized strong encryption to lock victims' computers and demanded a ransom in Bitcoin in exchange for the decryption key.

NotPetya Outbreak

In June 2017, a more devastating strain of Petya emerged, which was later identified as NotPetya. It initially targeted Ukraine and quickly spread to other countries worldwide. It exploited the same EternalBlue exploit used in the WannaCry ransomware attack just a few weeks earlier.

Targeted Industries

Petya/NotPetya primarily targeted businesses and organizations, particularly in Ukraine, including government agencies, banks, power companies, and transportation sectors. However, it quickly spread globally, affecting major companies and organizations in other countries as well.

Wiper Malware Disguised as Ransomware?

Petya/NotPetya appeared to be ransomware, displaying a ransom note demanding a Bitcoin payment for decryption. However, later analysis indicated that it was more likely wiper malware, designed to cause destruction rather than generate ransom income: the encryption was implemented so poorly that data recovery was impossible.

Attribution to Russia

While the initial infection vector and the exact perpetrators remain unclear, several cybersecurity experts and intelligence agencies attributed the Petya/NotPetya attack to Russian state-sponsored actors. The attack coincided with ongoing tensions between Ukraine and Russia, and Ukraine was the hardest-hit country.

Global Impact

Petya/NotPetya caused significant disruptions globally, affecting businesses, shipping companies, airports, and government entities. Companies like Maersk, Merck, and FedEx were among the high-profile victims, experiencing massive operational and financial losses.

Cost of the Attack

The Petya/NotPetya attack is estimated to have caused billions of dollars in damages worldwide, making it one of the most financially damaging cyberattacks in history.

Due to its highly destructive nature and the attribution to state-sponsored actors, the Petya/NotPetya attack underscored the potential risks and consequences of cyber warfare and raised concerns about the increasing sophistication and scale of ransomware attacks.

Petya’s System Infiltration and Encryption Process

Petya's infiltration begins by replacing the Master Boot Record (MBR) with a malicious loader. The compromise often goes unnoticed because the ransomware forces a reboot, which masks its true purpose. When the computer restarts, Petya runs its encryption routine behind a fake system check (CHKDSK) screen. Eventually the Master File Table (MFT) is corrupted, rendering files inaccessible. The user is then shown a skull image, signifying a successful infiltration, followed by a lock screen displaying the ransom message, instructions, and payment details.
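As an added defensive illustration (not code from the article or from any Petya analysis), the following Python parses a 512-byte MBR image and compares its bootstrap code against a hash recorded while the host was known clean, the kind of baseline check that would flag the loader replacement described above. The MBR images, partition values and boot-code bytes are constructed for the example; no real malware bytes are used.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445 hold the boot code an MBR bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into its bootstrap hash, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline (possible bootkit/MBR ransomware)")
    if not info["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed 512-byte MBR: caller-supplied boot code plus one NTFS partition (type 0x07)."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples: a "known good" image and one whose boot code was overwritten.
CLEAN_MBR = build_sample_mbr(b"\xeb\x63\x90")            # jmp-style prologue typical of real boot code
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]      # record this while the host is known clean
TAMPERED_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8")  # different boot code, same partition table
```

Calling `check_mbr(TAMPERED_MBR, BASELINE)` returns a single finding about changed bootstrap code, while the partition table and signature still validate, which is why a hash of the boot code, not just a sanity check of the layout, is needed to notice this class of tampering.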

Comparison with Other Ransomware-Type Viruses

Like other serious ransomware viruses such as Locky, TeslaCrypt, Converton, Rokku, and Maktub, Petya encrypts files and demands a ransom to decrypt them. Ransom demands commonly range between $300 and $500 worth of Bitcoin. These viruses also tend to be distributed through spam emails, malicious software, or compromised websites. Their prevalence and success highlight the necessity of strong computer and software security measures.

Research Updates and Preventative Measures

Researchers working to counter Petya have made significant progress. Malwarebytes researchers, for example, developed a decryption tool using a master key that was publicly released, and a tool by leostone was created to decrypt compromised files. Over time, Petya evolved to bundle a secondary ransomware known as "Mischa". This evolution once again emphasized the importance of careful management of administrative rights, particularly when executing email attachments, since elevated privileges open the door to this kind of ransomware.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
