Petya Ransomware: Father of WannaCry ransomware!


    Hello everyone, I am back here with my new post about the ransomware that is currently hitting the entire world. On Tuesday (27 June), a massive ransomware attack hit victims in almost 25 different countries in its starting phase; its name is Petya ransomware.


    Basically, this ransomware started in Europe and later spread to other countries, including India. This ransomware attack is the second one in recent times to affect a huge number of computers all over the globe. The name of this ransomware comes from last year's one, because the same behaviour was found in it: last year's ransomware encrypts a hard drive's index and then overwrites the boot software. According to researchers, it is tough to anticipate the newly arrived ransomware. But here is a glimpse of how it affects systems, how it spreads, and all that stuff.

    Let us talk about who has been affected by this new Petya ransomware across the world. According to several reports from different researchers, it was first pushed out via an update for an accounting software named MeDoc, in Ukraine, using a bogus digital signature. The company has denied the researchers' claims, but senior researchers from Kaspersky and Talos Intelligence, along with the Ukrainian cyberpolice, have confirmed the findings.

    In Ukraine there are two accounting programs, and MeDoc is the one of the two approved by the government. Petya ransomware infected the systems of Ukraine's national bank, the state power company and one of the largest airports, Kiev's Borispol Airport. The ransomware is so powerful that it has also damaged the Chernobyl nuclear power plant. Apart from Ukraine, many other countries worldwide have been affected by Petya ransomware: Denmark, Britain, Russia, France, the US, Germany, India, the Netherlands, etc. In India, the Petya ransomware blocked work at one of the largest container ports, Jawaharlal Nehru Port (JNPT), off the east coast of Mumbai. The main reason why Petya disrupted this port's operations is that Maersk's office, which is located in the Netherlands, was infected by Petya ransomware.

    Now, I would like to differentiate between the WannaCry ransomware and the Petya ransomware. Petya also depends on the exploit named EternalBlue, which was leaked from the NSA and was used by the WannaCry ransomware. After the WannaCry attack, Microsoft published a patch for the affected Windows versions, but in the business world it takes time to install updates, due to the fear of breaking compatibility with existing or legacy software. That is the main reason why the attackers are targeting organizations on a large scale instead of affecting individual users first. The worst thing about the Petya ransomware is that it does not have any kill switch to stop it. According to MalwareTech, who discovered the kill switch of WannaCry, Petya is framed in such a way that it spreads only within the same local network rather than spreading all over the Internet like WannaCry.

    All this was about how it spreads and where it spread. Now let me explain how Petya works.
    Apart from using an altered version of the EternalBlue exploit, this ransomware uses two different Windows system utilities to move, or spread, inside a network: PsExec and Windows Management Instrumentation (WMI). These two allow Petya to gain remote access to the computers linked on the local network. According to Kaspersky, to capture the credentials for spreading, the ransomware uses custom tools, à la Mimikatz. "These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network," Kaspersky added.

    After that, once it has infected a computer, Petya waits for 20 minutes to 1 hour and then reboots the infected computer using a scheduled task. On reboot, it encrypts the Master File Table (the hard drive's index) and after that overwrites the Master Boot Record. After gaining complete control of the computer, it displays a note demanding a ransom from the user in order to regain access to the system, including the steps for paying the ransom. This whole process infects only one computer, but after this Petya gets the list of computers connected to the same network and checks whether TCP ports 139 and 445 on those computers are open. If they are open, it infects those computers in the same way I explained above.
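    Detection logic for the spreading behaviour described in the two paragraphs above, as an added example that is not part of the original post and not any vendor's tooling: a small Python rule set run over constructed process-creation records (the record format, hostnames, IP addresses and command lines are invented for illustration) that flags a host where WMIC remote process creation, PsExec towards another machine, and a scheduled forced reboot all appear within the 20-minute-to-1-hour window mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (not real logs), one per line:
# "<ISO timestamp> <host> <user> <command line>"
SAMPLE_EVENTS = [
    "2017-06-27T10:02:11 WS-02 CORP\\bob C:\\Windows\\System32\\notepad.exe report.txt",
    "2017-06-27T10:03:05 WS-03 CORP\\it schtasks.exe /Create /SC daily /TN backup /TR backup.cmd /ST 23:00",
    "2017-06-27T10:05:40 WS-01 CORP\\alice wmic.exe /node:\"10.0.0.5\" /user:\"CORP\\admin\" process call create \"cmd.exe /c whoami\"",
    "2017-06-27T10:06:12 WS-01 CORP\\alice psexec.exe \\\\10.0.0.6 -accepteula -s cmd.exe /c whoami",
    "2017-06-27T10:07:30 WS-01 CORP\\alice schtasks.exe /Create /SC once /TN cleanup /TR \"shutdown.exe /r /f\" /ST 10:40",
]

# One regex per indicator: WMIC remote process creation, PsExec against a
# remote host, and a scheduled task whose action is a forced reboot.
RULES = {
    "wmic_remote_exec": re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", re.I),
    "psexec_lateral": re.compile(r"\bpsexec(\.exe)?\b\s+\\\\\S+", re.I),
    "scheduled_reboot": re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*shutdown(\.exe)?\s+/r", re.I),
}

def parse_event(line):
    """Split one constructed record into fields; the command line may contain spaces."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}

def classify(cmd):
    """Return the set of indicator tags matching a single command line."""
    return {tag for tag, rx in RULES.items() if rx.search(cmd)}

def detect(lines, window_minutes=60, min_tags=2):
    """Return {host: sorted tags} for hosts with >= min_tags distinct indicators inside the window."""
    hits = defaultdict(list)  # host -> [(timestamp, tag)]
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], tag))
    alerts = {}
    window = timedelta(minutes=window_minutes)
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start point
            tags = {tag for ts, tag in events[i:] if ts - start <= window}
            if len(tags) >= min_tags:
                alerts[host] = sorted(tags)
                break
    return alerts
```

A single scheduled task or a lone WMIC call is common administrative noise, which is why the rule only alerts when several indicators cluster on one host.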

    Till now it is not known who is behind this huge ransomware attack; all that is known is an email address (wowsmith123456@posteo.net). As per the ransom note displayed on the screen when the system starts, it asks for $300 (approx. Rs. 19,300) in Bitcoin. After payment, the user has to send confirmation of the payment to the email address given above, and then the hackers will send the decryption key to the user.

    Let us now discuss some of the precautionary steps that every individual should take to stay safe from this attack. Firstly, users should ensure that they are running the latest, fully updated version of Windows. For organizations, the most important advice is to disable PsExec and WMI, and to apply the latest Microsoft patch to all systems connected to the local network. If you find yourself looking at the ransom note screen, unfortunately you cannot do anything, as the attackers' email address is now invalid. All you can do is format your hard drive and install a fresh, latest version of Windows.

That's all for today, thank you. For more updates you can follow us here:
Twitter: @NewAgeInformers

Instagram: @new_age_informers
