Is Petya deadlier than WannaCry?
In May 2017, malware outbreaks such as WannaCry and Petya / NotPetya infected both enterprises and individuals across the globe. All data on an infected system was encrypted and the demanded ransom was $300 for the decryption key. Within a day, the outbreak had infected more than 230,000 computers/devices in over 150 countries (reference: Wikipedia). The majority of the notable infections were in the US, UK, Russia, France and Japan, and the malware can run in 27 different languages.
How does it occur?
The most common modus operandi for propagating this type of malware was attacks such as phishing emails and the Necurs botnet, where victims were lured into downloading and executing the ransomware on their system. The malware also spread by exploiting public-facing Windows machines that had the SMB (Server Message Block, a network file sharing protocol) port open.
WannaCry gained access to target machines using the SMB exploit EternalBlue. Windows operating systems from XP to Windows 7 and various flavours of Windows Server 2003 and 2008 were affected by this exploit. A heap-spraying exploitation technique was used to inject shellcode into vulnerable systems, allowing exploitation of the SMB vulnerability MS17-010 via port 445; a system can be infected this way without any user interaction.
There was not much difference in how Petya / NotPetya exploited vulnerable systems. This malware spread rapidly with the help of the same Windows SMB v1 vulnerability that WannaCry exploited; however, NotPetya has additional capabilities and is deadlier than WannaCry. NotPetya added tools for moving around and spreading across networks, and it does not have a kill switch, unlike WannaCry. NotPetya can also steal login credentials and spread laterally. It spreads using:
- The MS17-010 vulnerability
- Remote access to WMI (Windows Management Instrumentation)
- The PsExec toolkit or a similar tool
- The malware also clears system logs to make further analysis more difficult
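The three lateral-movement traces listed above each leave a footprint in the built-in Windows event logs, and a responder can triage a single host for them with nothing more than PowerShell. The script below is an added example, not code from the original article or from any of the vendors it cites; `$HoursBack` is this script's own parameter, and the event IDs it queries are standard Windows ones (7045 service installed, 104 and 1102 log cleared, 4688 process created). Run it from an elevated prompt on the host being examined.

```powershell
# Added example, not part of the original article: triage one host for
# PsExec-style service installs, cleared event logs and remote-WMI process
# launches using only the built-in Windows event logs.
# Assumption: $HoursBack is this script's own parameter.
param(
    [int]$HoursBack = 24
)

$since = (Get-Date).AddHours(-$HoursBack)

function Get-EventsSafe {
    # Returns an empty array instead of an error when a log has no matching events.
    param([hashtable]$Filter)
    @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)
}

# 1. PsExec and its clones install a temporary service on the target. Windows
#    records every service installation as System event 7045; the classic
#    PsExec service is PSEXESVC and PAExec is a common clone.
$services = Get-EventsSafe @{ LogName = 'System'; Id = 7045; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value   # first field of 7045: service name
            ImagePath   = $_.Properties[1].Value   # second field: binary path
        }
    }
$psexecLike = $services | Where-Object { $_.ServiceName -match '^(PSEXESVC|PAExec)' }

# 2. Log clearing: Security 1102 ("The audit log was cleared") and System 104
#    ("The ... log file was cleared"). Either one on a workstation deserves a look.
$cleared = @()
$cleared += Get-EventsSafe @{ LogName = 'Security'; Id = 1102; StartTime = $since }
$cleared += Get-EventsSafe @{ LogName = 'System';   Id = 104;  StartTime = $since }

# 3. Processes started through remote WMI run as children of WmiPrvSE.exe.
#    Needs process-creation auditing (Security 4688) enabled; the creator
#    process name is part of the message text on Windows 10 / Server 2016 and later.
$wmiSpawned = Get-EventsSafe @{ LogName = 'Security'; Id = 4688; StartTime = $since } |
    Where-Object { $_.Message -match 'WmiPrvSE\.exe' }

# Summary for the analyst, followed by the raw hits.
[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    Window              = "last $HoursBack h"
    PsExecLikeServices  = @($psexecLike).Count
    LogClearEvents      = @($cleared).Count
    WmiSpawnedProcesses = @($wmiSpawned).Count
} | Format-List

$psexecLike | Format-Table -AutoSize
$cleared    | Select-Object TimeCreated, LogName, Id | Format-Table -AutoSize
```

A cleared Security log is itself the finding: if event 1102 is the oldest entry, everything before it is gone, which is why the numbers above should be compared against a central log collector or EDR telemetry rather than trusted on their own.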
Petya ransomware differs from WannaCry in its own way. The payload leverages local administrator access (SeDebugPrivilege) to overwrite the MBR (Master Boot Record) with a custom boot loader, which displays a fake chkdsk.exe partition-repair screen while it performs the encryption. Petya uses AES-128 with RSA encryption and loads an ASCII ransom note during system boot, which demands a payment of $300. In the initial stages, NotPetya was mistaken for Petya because of the close similarities between them. NotPetya uses identical ransom text and parts of the same code; however, the bulk of its code is vastly different, with advanced malware functionality.
WannaCry exploits these vulnerabilities to give attackers access to the computer system, encrypts all files, and then demands a ransom in exchange for unlocking them. WannaCry has different variants or aliases such as WannaCrypt, WannaCry, WanaCrypt0r, WCrypt and WCRY, and it marks encrypted files with the extensions .wnry, .wcry, .wncry and .wncrypt. The victim is then left with a pop-up countdown window and instructions on how to pay 1781 bitcoins, which is equal to $300. If the ransom is not paid within 3 days, the amount is doubled, and the victim is threatened that the data can't be retrieved.
WannaCry samples make use of DOUBLEPULSAR, a persistent backdoor used to access and execute code on previously compromised systems. First, the malware uses ETERNALBLUE for initial exploitation of the SMB vulnerability, and then implants the DOUBLEPULSAR backdoor to install the malware. Rumours claim that this backdoor attack code was leaked from the NSA (National Security Agency) in April 2017 by the Shadow Brokers, and it went on to infect unpatched systems worldwide.
How to vaccinate your computer against Petya?
Enable Windows file extensions
- Folder Options > uncheck the "Hide extensions for known file types" option
- Go to C:\Windows\notepad.exe
- Make a copy of notepad.exe
- Select 'Continue' when the permissions box appears, and rename 'notepad – Copy.exe' to perfc
- Go to the perfc properties, check the Read Only option and click OK
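The same vaccination can be scripted for many machines instead of clicked through in Explorer. The script below is an added example and not part of the article's procedure. It differs from the manual steps in one way: rather than copying notepad.exe it creates an empty file, which serves the same purpose because the vaccine relies only on the file existing in the Windows directory. `-Names` is this script's own parameter; the article names only perfc, and perfc.dat and perfc.dll are the other names recommended by the same vaccine research, included here as defaults. It needs an elevated prompt, since C:\Windows is protected.

```powershell
# Added example, not part of the original article: create the read-only
# vaccination file(s) in the Windows directory. Run elevated.
# Assumptions: -Names is this script's own parameter; "perfc" comes from the
# article, "perfc.dat" and "perfc.dll" are the additional names commonly
# recommended alongside it.
[CmdletBinding()]
param(
    [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll')
)

$windowsDir = $env:SystemRoot          # normally C:\Windows

foreach ($name in $Names) {
    $path = Join-Path $windowsDir $name

    if (Test-Path -LiteralPath $path -PathType Container) {
        Write-Warning "$path is a directory; skipping"
        continue
    }

    if (-not (Test-Path -LiteralPath $path)) {
        # Zero-byte file: existence, not content, is what matters here.
        New-Item -Path $path -ItemType File | Out-Null
    }

    # Same effect as Properties > Read Only in Explorer.
    $file = Get-Item -LiteralPath $path
    $file.IsReadOnly = $true

    # Re-read from disk so the report reflects the actual state.
    $check = Get-Item -LiteralPath $path
    [pscustomobject]@{
        File     = $path
        Bytes    = $check.Length
        ReadOnly = $check.IsReadOnly
    }
}
```

The read-only attribute is a speed bump rather than a lock: an administrator-level process can clear it. Treat the vaccine as one cheap layer on top of patching and SMB hardening, not as a substitute for them.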
Impact of an infection
- Temporary or permanent loss of sensitive data
- Financial losses incurred to restore systems and files
- Potential harm to an organization's reputation
Preventive measures
- Apply the Microsoft patch for the MS17-010 SMB vulnerability
- Block ports 139, 445 and 389 in the firewall
- Make sure all your software is up to date, including antivirus
- Enable a pop-up blocker while running your web browser
- Back up files regularly
- Scan all incoming and outgoing emails for executable files
- Use anti-virus and anti-malware software and run regular scans
- Disable all versions of SMB
- Only download software, especially free software, from sites you know and trust
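The first three SMB-related items in the list above (patch MS17-010, block the ports, disable SMB) can be audited and applied on a single Windows host with built-in cmdlets. The script below is an added example, not from the article or from Microsoft. `-Apply` is this script's own switch: without it the script only reports. The `-Ms17010Kbs` defaults are the Windows 7 / Server 2008 R2 KB numbers for MS17-010 and are illustrative; replace them with the KB numbers for your exact OS build from the Microsoft bulletin. `Get-SmbServerConfiguration` and the firewall cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original article: audit and optionally apply
# the SMB hardening items on one host. Run elevated.
# Assumptions: -Apply is this script's own switch; the KB list must be
# checked against the MS17-010 bulletin for the OS in use.
[CmdletBinding()]
param(
    [switch]$Apply,
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')   # Windows 7 / 2008 R2 examples
)

# 1. Is one of the MS17-010 updates installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010: patched ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: none of $($Ms17010Kbs -join ', ') found; patch this host"
}

# 2. Is the SMBv1 server still enabled?
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1) {
    Write-Warning "SMBv1 server is ENABLED"
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server disabled (a reboot may be required)"
    }
} else {
    Write-Output "SMBv1 server: disabled"
}

# 3. Inbound block for the ports the article lists (139, 445, 389).
$ruleName = 'Block inbound 139/445/389 (ransomware hardening)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Firewall rule present: $ruleName"
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445,389 -Action Block -Profile Any | Out-Null
    Write-Output "Firewall rule created: $ruleName"
} else {
    Write-Warning "Firewall rule missing: $ruleName (re-run with -Apply to create it)"
}
```

Blocking inbound 445 on a file server or domain controller breaks the services they exist to provide, so the rule belongs on workstations and on the perimeter, while servers keep SMB but with SMBv1 off and the patch applied. Check the audit output on a test machine before running with `-Apply` across an estate.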
Courtesy: Wikipedia and Malwarebytes