The seemingly constant barrage of bad cybersecurity news added another name, the Petya ransomware attack, which first targeted Ukrainian businesses before leading to some 2,000 outbreaks in at least 64 countries.

Petya's successful marks included Ukraine's central bank, its main international airport and even the Chernobyl nuclear facility. As with the recent WannaCry attack, the infection scattered quickly worldwide, hitting major companies including the Danish shipping firm Maersk, the pharmaceutical company Merck, a Pittsburgh-area hospital and a U.S. law firm, among other targets. Infections also occurred on isolated devices such as point-of-sale terminals and ATMs.

Initial reports suggest the outbreak stems from a modified version of Petya ransomware. This superbug merges the malicious GoldenEye, which can encrypt entire hard drives, with the same EternalBlue Windows flaw that WannaCry exploited to hit 300,000 computers around the world.

“This appears to be another ransomware attack, this time using the Petya malware, similar to the recent WannaCry ransomware attack. However, Petya differs by attacking the whole file system at a very low level rather than file-by-file,” Morey Haber, VP of technology at Phoenix-based security company BeyondTrust, pointed out in a blog.

Haber explained the modified ransomware payload contains new traits:

  • It spreads through malicious Office attachments and email. “This gets through the front door and onto any target system that can be exploited via social engineering.”
  • Once installed, the malware looks for other systems to exploit using EternalBlue.
  • The Petya malware also scrapes memory and the file system for passwords and executes “psexec” against remote targets to propagate the infection. This compromises hosts even if they are patched for EternalBlue, leveraging the administrator credentials it discovers during its interrogation of the system.
  • Encryption is at a low level, using the master file table of the New Technology File System (NTFS), and the malware overwrites the master boot record with a ransomware warning.

“It's important to note that this is not Petya. It is a variant modeled after it that has stolen the methods Petya used,” said Yonathan Klijnsma, threat researcher for San Francisco-based RiskIQ. Klijnsma noted the payment component of the attack doesn't seem to function or scale well, meaning the actors involved may seek to create mayhem and destruction rather than money.

Klijnsma noticed another interesting attack aspect. “The intended victims are rather different from Petya or 'normal' ransomware. The targets are enterprises, not individual private users.”

In addition, it seems most likely that the initial distribution method of this ransomware was the auto-update functionality of the Ukrainian company MeDoc. “It seems the update server was, in some way, compromised to push a malicious update: the ransomware…instead of a software update,” Klijnsma said. Petya uses not only server message block (SMB) exploits, but also tries credential reuse from the infected machine into others on the network. “This means that if the domain administrator starts the ransomware, his or her entire domain may be affected, and the ransomware will have full rights everywhere depending on how the domain restrictions are set up.”

Kirk Soluk, manager of ASERT's Threat Intelligence and Response Team at Burlington, Mass.-based Arbor Networks, said: “Amidst this deluge of information (and misinformation), we wanted to make sure that the association of Petya with WannaCry did not obscure some important differences. The EternalBlue-based propagation mechanism, mitigated by patching MS17-010, is not the only method employed by Petya to spread. Another propagation method employed by Petya is not thwarted by simply patching.”

Soluk clarified this point by explaining that once Petya compromises a machine, it begins hijacking local credentials from the Windows Local Security Authority. It then leverages those credentials to remotely attempt to compromise other systems on the local network.
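The credential-reuse propagation that Haber and Soluk describe (one admin account fanning out over the network and running psexec on each host, regardless of MS17-010 patch status) leaves a recognizable trail in Windows event logs. The following detector is an added example, not code from the article or any of the vendors quoted; it assumes Windows Security event 4624 with LogonType=3 for network logons and System event 7045 for new service installs (PsExec registers a service named PSEXESVC), and the log records are constructed inline.

```python
# Added example (not from the article): flag an account that makes network
# logons to many distinct hosts in a short window, the pattern left behind by
# the psexec-based spreading described above, and note where PSEXESVC appeared.
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, event_id, account, host, detail)
# 4624/LogonType=3 = network logon; 7045 = service installed (PsExec -> PSEXESVC)
SAMPLE_EVENTS = [
    (0,   4624, "CORP\\svc_backup", "WS01", "LogonType=3"),
    (5,   7045, "CORP\\svc_backup", "WS01", "ServiceName=PSEXESVC"),
    (12,  4624, "CORP\\svc_backup", "WS02", "LogonType=3"),
    (15,  7045, "CORP\\svc_backup", "WS02", "ServiceName=PSEXESVC"),
    (20,  4624, "CORP\\svc_backup", "FS01", "LogonType=3"),
    (22,  7045, "CORP\\svc_backup", "FS01", "ServiceName=PSEXESVC"),
    (30,  4624, "CORP\\alice",      "WS03", "LogonType=3"),   # benign, slow
    (400, 4624, "CORP\\alice",      "WS04", "LogonType=3"),
]

def find_fanout(events, window=300, min_hosts=3):
    """Return {account: {"hosts": [...], "psexec": [...]}} for every account
    whose network logons reached >= min_hosts distinct hosts inside any
    `window`-second span. Patch state is irrelevant here: this is credential
    reuse, the propagation path that patching MS17-010 does not stop."""
    logons = defaultdict(list)        # account -> [(ts, host)]
    psexec_hosts = defaultdict(set)   # account -> hosts where PSEXESVC appeared
    for ts, eid, acct, host, detail in events:
        if eid == 4624 and "LogonType=3" in detail:
            logons[acct].append((ts, host))
        elif eid == 7045 and "PSEXESVC" in detail:
            psexec_hosts[acct].add(host)
    alerts = {}
    for acct, entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            # sliding window: all hosts reached within `window` s of this logon
            hosts = {h for ts, h in entries[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[acct] = {"hosts": sorted(hosts),
                                "psexec": sorted(psexec_hosts[acct] & hosts)}
                break
    return alerts

if __name__ == "__main__":
    for acct, info in find_fanout(SAMPLE_EVENTS).items():
        print(f"{acct}: logons to {info['hosts']}, PSEXESVC on {info['psexec']}")
```

On the constructed sample, svc_backup trips the rule (three hosts in 20 seconds, PSEXESVC on all three) while alice's two slow logons do not.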

Petya aftershocks could lead to even more repercussions. Following WannaCry, RiskIQ's mobile database found hundreds of apps claiming to help defend mobile phones, even though mobile systems were safe from its impact. Instead, they preyed on unsuspecting users by pushing adware, trojans and other malware.
