Business Software Applications

Petya 2017 ransomware not looking for money but destruction

The Petya Or Not Petya ransomware that affected corporations throughout Europe and then later Americas was not looking for money but destruction.

Malware software is not something new. The last major attack was in May 2017, the WannaCry ransomware attack that exploit vector named EternalBlue infected more than 230,000 computers in over 150 countries, using 20 different languages to demand money from users using Bitcoin cryptocurrency.

WannaCrypt demanded US$300 per computer. The attackers gave their victims a 7-day deadline from the day their computers got infected, after which the encrypted files would be deleted.

The Petya Or Not Petya attacked was reported on June 27, and it seems to have started in Ukraine and from there spread to other countries and global companies.

The Petya Or Not Petya used several ways to propagate, and there was no kill switch, so organizations had to work in multiple forms to:

Step 1: contain the spread, this included basically turning OFF corporate intranet switches, disconnecting corporate systems like file sharing servers, subversion repositories, email servers, active directory servers.

Step 2: determine if user workstations are infected or not. Computers infected with Petya Or Not Petya displayed a screen asking for ransom. Basically: if you have the ransom request, you are infected and you cannot work with your workstation.

Step 3: put it place a remedy agent. For users that did not get infected, then corporations must deploy a vaccine to ensure those workstations do not get infected.

Step 4: Remedy all servers as network gets reestablished. Allow connection to the network, only for workstations that have the remedy agent.

Step 5: The most costly of all, replace infected workstations (hard drive) from back ups (if available)

Who is the most affected by this malware? Global corporations that maintain multiple offices, with multiple intranets, networks, servers. Global corporations using Microsoft, specially those use the active directory services with single sign on feature - as Petya Or Not Petya distributed itself via the active directory services that were not re-mediated with the latest WannaCrypt patches.

For more:
Turns Out New Petya is Not a Ransomware, It’s a Destructive Wiper Malware
Petya Or NotPetya: Why The Latest Ransomware Is Deadlier Than WannaCry

Posted on July 14, 2017