Petya is the latest in a run of large-scale ransomware attacks. According to recent reports it is considered more dangerous than WannaCry, and the reason is what it encrypts rather than how strongly: unlike WannaCry, Petya does not merely encrypt data files for a ransom. It replaces the Master Boot Record (MBR) with its own boot code and encrypts the Master File Table (MFT), so the whole computer is rendered unbootable and entirely inaccessible.
The original Petya ransomware was first seen in March 2016. A new variant released on 27 June 2017 (widely referred to as NotPetya) has so far hit organizations in more than 65 countries. Strictly speaking, the new variant is not ransomware at all: it is wiper malware built to destroy data and render systems unusable, dressed up to look like ransomware.
WannaCry and the recent Petya variant both targeted only systems running Windows, and both exploited a Server Message Block (SMBv1) vulnerability with the leaked EternalBlue exploit to take over a network rapidly. That exploit gave both families worm capabilities, letting them spread with no user interaction and maximizing the damage.
Even so, WannaCry and this Petya variant have more differences than similarities, and the Petya variant was far more destructive:
- Vulnerabilities exploited: besides EternalBlue, the Petya variant also carried EternalRomance, a second SMBv1 exploit from the same leak that yields remote code execution as SYSTEM on some Windows versions. Microsoft fixed both in the MS17-010 update (March 2017), but applying that patch alone did not protect victims from the Petya variant.
- Patch immunity: systems that were up to date with their patches were immune to WannaCry, which required EternalBlue and failed wherever the vulnerability had been remediated. Fully patched systems could still be infected by the Petya variant, because it had other ways to reach them.
- Malware execution without a connection: WannaCry's behaviour depended on the network. Before running, it tried to reach a hard-coded domain (its so-called kill switch) and exited if the connection succeeded, which is what allowed a registered domain to halt the outbreak. The Petya variant had no such check and no dependence on a command-and-control server: it executed, spread and encrypted without any outbound connection, so it could not be stopped by blocking traffic at the perimeter.
- Lateral movement: both families tried to spread through the SMB vulnerability, but the Petya variant did not need it. It harvested credentials from the infected system with a credential-stealing component and used them to execute itself on other machines in the network through PsExec and WMIC, so any host on which those credentials were valid could be infected regardless of its patch level.
- Encryption: WannaCry encrypted data files on infected machines with per-file AES keys wrapped by RSA-2048, leaving the operating system bootable. The Petya variant additionally encrypted the Master File Table and replaced the Master Boot Record with its own boot code. Its MFT encryption key was generated at random on each machine and never stored or transmitted, and the "installation key" shown in the ransom note was random data with no relation to it, so the attackers could not have produced a decryption key even if the ransom was paid.
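The lateral-movement point is the one a defender can act on directly: the activity that let the Petya variant reach patched hosts (a process spawned remotely through WMIC, the PsExec service appearing on the target) is visible in ordinary process-creation telemetry. Here is an added Go example, not code from the original article or from any analysis of the malware, that runs a few such rules over constructed process-creation records. The `Key=value | Key=value` line format, the host names, the account `CORP\svc-backup` and the file name `stage.dll` are all invented for the example; the rule names and the detection logic are the author's suggestions, not a published ruleset.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one process-creation record, modelled on the fields of a
// Sysmon Event ID 1 entry. The flattened "Key=value | Key=value" line
// format parsed below is constructed for this example.
type Event struct {
	Host        string
	Image       string
	CommandLine string
	ParentImage string
}

// ParseEvent turns one flattened log line into an Event; unknown keys are ignored.
func ParseEvent(line string) (Event, error) {
	var e Event
	dst := map[string]*string{"Host": &e.Host, "Image": &e.Image, "CommandLine": &e.CommandLine, "ParentImage": &e.ParentImage}
	for _, field := range strings.Split(line, " | ") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return e, fmt.Errorf("malformed field %q", field)
		}
		if p, ok := dst[kv[0]]; ok {
			*p = kv[1]
		}
	}
	if e.Image == "" {
		return e, fmt.Errorf("no Image field in %q", line)
	}
	return e, nil
}

// baseName lower-cases a path and keeps only the file name, so rules match
// regardless of drive letter, directory or casing.
func baseName(p string) string {
	p = strings.ToLower(p)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return p
}

// DetectLateralMovement returns the names of the rules an event matches.
// Rules 1 and 4 fire on the source host (the tool being launched); rules 2
// and 3 fire on the destination host (the effect of remote execution).
func DetectLateralMovement(e Event) []string {
	img, parent := baseName(e.Image), baseName(e.ParentImage)
	cmd := strings.ToLower(e.CommandLine)
	var hits []string
	// 1. WMIC told to create a process on another host.
	if img == "wmic.exe" && strings.Contains(cmd, "/node:") && strings.Contains(cmd, "process call create") {
		hits = append(hits, "wmic-remote-process-create")
	}
	// 2. The WMI provider host spawning a process: what a remote
	//    "process call create" looks like on the receiving end.
	if parent == "wmiprvse.exe" {
		hits = append(hits, "wmiprvse-child-process")
	}
	// 3. PsExec's service binary running, or spawning something, on the target.
	if img == "psexesvc.exe" || parent == "psexesvc.exe" {
		hits = append(hits, "psexec-service")
	}
	// 4. The PsExec client pointed at a remote machine (\\host).
	if img == "psexec.exe" && strings.Contains(cmd, `\\`) {
		hits = append(hits, "psexec-client")
	}
	return hits
}

// ScanLog runs every line through the rules and returns the matched rule
// names grouped by host, in log order.
func ScanLog(lines []string) (map[string][]string, error) {
	out := map[string][]string{}
	for _, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		if rules := DetectLateralMovement(e); len(rules) > 0 {
			out[e.Host] = append(out[e.Host], rules...)
		}
	}
	return out, nil
}

// SampleLog is constructed telemetry: WS01 is the already-infected machine,
// FS02 a fully patched neighbour reached with stolen credentials.
var SampleLog = []string{
	`Host=WS01 | Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe notes.txt | ParentImage=C:\Windows\explorer.exe`,
	`Host=WS01 | Image=C:\Windows\System32\wbem\WMIC.exe | CommandLine=wmic /node:"10.0.0.7" /user:"CORP\svc-backup" /password:"<redacted>" process call create "rundll32.exe C:\Windows\stage.dll,#1" | ParentImage=C:\Windows\System32\rundll32.exe`,
	`Host=FS02 | Image=C:\Windows\System32\rundll32.exe | CommandLine=rundll32.exe C:\Windows\stage.dll,#1 | ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe`,
	`Host=WS01 | Image=C:\Windows\Temp\psexec.exe | CommandLine=psexec.exe \\10.0.0.7 -u CORP\svc-backup -p <redacted> -accepteula -s rundll32.exe C:\Windows\stage.dll,#1 | ParentImage=C:\Windows\System32\rundll32.exe`,
	`Host=FS02 | Image=C:\Windows\PSEXESVC.exe | CommandLine=C:\Windows\PSEXESVC.exe | ParentImage=C:\Windows\System32\services.exe`,
}

func main() {
	byHost, err := ScanLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for host, rules := range byHost {
		fmt.Printf("%s: %v\n", host, rules)
	}
}
```

PsExec and WMIC are legitimate administration tools, so these matches are triage signals rather than verdicts: what made the outbreak recognisable was the same source host reaching many neighbours within minutes using one set of credentials. The corresponding hardening is to deny those credentials their reach in the first place, for instance by not leaving domain or shared local administrator credentials on ordinary workstations and by restricting who may create remote services or WMI processes.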
It is evident that, although superficially similar, the two families had very different intents. WannaCry's was purely financial gain: victims who had no recent backups lost their data unless they were willing to pay the ransom.
In the case of this Petya variant, the intention was wide-scale destruction of systems and disruption of operations inside organizations. The corruption of the MBR and MFT made data on infected systems very difficult to recover, and restoring from backups was the only practical remedy.
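To make the encryption point concrete, here is an added Go model, written for this page and not taken from the original article or from the malware, of the two key-handling designs described above. Both encrypt a buffer that stands in for the MFT under a fresh random key; the "ransomware" design wraps that key with the attacker's RSA public key and shows the wrapped blob as the installation key, while the "wiper" design discards the key and shows unrelated random bytes. The cipher (AES-GCM) and every function name are choices made for the example; the real variant used a different stream cipher on raw disk sectors, and the point is the key handling, not the cipher.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBuffer encrypts an in-memory buffer standing in for the MFT and returns nonce||ciphertext.
func sealBuffer(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// openBuffer is what a working decryptor would do, given the right key.
func openBuffer(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed buffer too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// encryptWithFreshKey is the step both designs share: a random per-machine key.
func encryptWithFreshKey(plain []byte) (key, sealed []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err = sealBuffer(key, plain)
	return key, sealed, err
}

// RansomwareEncrypt is the recoverable design: the disk key is wrapped with the
// attacker's RSA public key and the wrapped blob is the installation key shown
// to the victim, so the attacker can unwrap it once the ransom is paid.
func RansomwareEncrypt(attackerPub *rsa.PublicKey, plain []byte) (string, []byte, error) {
	key, sealed, err := encryptWithFreshKey(plain)
	if err != nil {
		return "", nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, key, nil)
	if err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(wrapped), sealed, nil
}

// WiperEncrypt is the Petya-variant design: the same encryption, but the key
// is dropped the moment it has been used and the installation key shown to the
// victim is random bytes that nobody can turn back into the key.
func WiperEncrypt(plain []byte) (string, []byte, error) {
	_, sealed, err := encryptWithFreshKey(plain) // key discarded here; nobody holds it
	if err != nil {
		return "", nil, err
	}
	fake := make([]byte, 256) // same length as an RSA-2048 wrapped key, so it looks plausible
	if _, err := rand.Read(fake); err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(fake), sealed, nil
}

// AttackerRecover is all the attacker can do with a paying victim's installation key.
func AttackerRecover(attackerPriv *rsa.PrivateKey, installationKey string) ([]byte, error) {
	wrapped, err := hex.DecodeString(installationKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, wrapped, nil)
}

func main() {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	mft := []byte("constructed stand-in for the Master File Table") // constructed sample input
	id, sealed, _ := RansomwareEncrypt(&attacker.PublicKey, mft)
	key, _ := AttackerRecover(attacker, id)
	plain, _ := openBuffer(key, sealed)
	fmt.Println("ransomware design, attacker recovers plaintext:", bytes.Equal(plain, mft))
	id, _, _ = WiperEncrypt(mft)
	_, err = AttackerRecover(attacker, id)
	fmt.Println("wiper design, attacker recovery fails:", err != nil)
}
```

The two installation keys are the same length and equally random-looking, which is why the victim cannot tell the designs apart from the ransom screen. The difference is entirely in whether the bytes on screen are a function of the disk key: in the first design the attacker's private key maps them back to it, in the second there is nothing to map, so paying cannot produce a decryptor and the only recovery path is a backup taken before infection.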