
Petya Ransomware Attack : Another Powerful Ransomware

Published by Nilesh, approved by Aswin Vijayan
Published on July 4th, 2017
Reading time: 5 minutes

Horror! The Petya ransomware attack is another threat to organizations after WannaCry. It has already struck systems in more than 60 countries, and many companies in the US and Europe have been crippled by this malicious software. It is the second major global ransomware attack in the past two months.

Petya Ransomware Attack

It differs from the other malicious software spreading these days: it does not encrypt files one by one, but denies access to the entire machine by targeting low-level structures on disk. The creators of this malware ship their own boot loader together with a small kernel that is 32 sectors long.

Petya Cyber Attack: Where It Was First Identified

According to Microsoft, Ukraine was the first place where this malicious program was seen, with approximately 12,500 systems encountering it. After that, it was observed in 64 other countries, including Brazil, Germany, Belgium, Russia, and the United States.

Why Is It Called the Petya Ransomware Attack?

The malware appears to share a large amount of code with an older piece of ransomware called Petya. However, within hours of the outbreak researchers noticed that the resemblance was only skin deep. Security researchers in Russia redubbed it NotPetya, and increasingly tongue-in-cheek alternatives to that name (Pneytna, Petna, and so on) began to spread. That is how the name Petya Ransomware Attack came about.

How Does Petya Spread and Work?

Petya ransomware spreads through large firms, leaving systems and data encrypted; a ransom is then demanded to decrypt the data.
This ransomware takes control of machines and demands $300, paid in Bitcoin. Once one system is infected, it spreads quickly across a company using the EternalBlue vulnerability in MS Windows. It can also spread via two MS Windows administrative tools; it tries the first option and, if that fails, moves on to the next. The system may also shut down during the attack. Apart from encrypting files, it also overwrites and encrypts the MBR (Master Boot Record).

File Encryption in the Petya Ransomware Attack

Petya performs encryption in two modes:

  • User Mode: Once the malware has spread to multiple computers, user-mode encryption takes place, in which only files with specific extensions are encrypted on disk.
  • Full Disk: The MBR is modified to add a custom loader that displays a fake CHKDSK screen. This simulated disk check hides the fact that disk encryption is taking place. It occurs once the user-mode encryption is done.

Stages of Data Encryption in the Petya Ransomware Attack

  • Stage 0: MBR Overwrite - the hard drive's Master Boot Record is overwritten and a custom boot loader is inserted.
  • Stage 1: MFT Encryption - the custom boot loader introduced in stage 0 encrypts the entire Master File Table, rendering the file system completely unreadable.
  • Stage 2: Ransom Demand - the Petya logo is shown along with a ransom note telling the user what to do to decrypt the hard drive.
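The Stage 0 overwrite above is exactly what a baseline integrity check on sector 0 can catch. The following is an added example, not code from the original post: it parses the 512-byte MBR layout, hashes the 446-byte bootstrap region against a hash recorded while the disk was known-good, and compares the partition table; the two sample sectors are constructed in memory, and the `\\.\PhysicalDrive0` read mentioned in a comment is the assumed way to obtain the real sector on Windows (it needs administrator rights).

```python
import hashlib
import struct

BOOTSTRAP_LEN = 446   # bytes 0-445: boot code, the region Stage 0 overwrites
PART_TABLE_OFF = 446  # bytes 446-509: four 16-byte partition entries
SIGNATURE_OFF = 510   # bytes 510-511: boot signature, must be 0x55 0xAA

def bootstrap_hash(sector: bytes) -> str:
    # Hash the boot code only, so a benign partition edit does not trip this check.
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()

def parse_partitions(sector: bytes) -> list:
    """Decode the four MBR entries (status, type, LBA start, sector count); empty slots skipped."""
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)  # CHS fields skipped
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "sectors": count})
    return parts

def check_mbr(sector: bytes, baseline_hash: str, baseline_parts: list) -> list:
    """Return findings against the recorded baseline; an empty list means unchanged."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("boot signature missing")
    if bootstrap_hash(sector) != baseline_hash:
        findings.append("bootstrap code modified")
    if parse_partitions(sector) != baseline_parts:
        findings.append("partition table modified")
    return findings

# Constructed sample sectors (not real disk contents): one NTFS partition at LBA 2048.
def _build_sector(boot_code: bytes) -> bytes:
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code.ljust(BOOTSTRAP_LEN, b"\x00") + table + b"\x55\xaa"

GOOD_MBR = _build_sector(b"stand-in for the stock boot code")
TAMPERED_MBR = _build_sector(b"stand-in for a replaced boot loader")  # table left intact
BASELINE_HASH = bootstrap_hash(GOOD_MBR)     # record both while the disk is known-good
BASELINE_PARTS = parse_partitions(GOOD_MBR)

if __name__ == "__main__":
    # Live Windows read would be open(r"\\.\PhysicalDrive0", "rb").read(512) (assumed; needs admin)
    for name, sec in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sec, BASELINE_HASH, BASELINE_PARTS) or "ok")
```

Only sector 0 is covered here; a fuller check would also baseline the sectors that follow it, since the custom loader and kernel described above occupy more than one sector.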

Actions to Protect Systems from the Petya Ransomware Attack

The following actions may help prevent a Petya ransomware infection:

  • Block source E-mail address:-
    wowsmith123456@posteo.net
  • Block domains:-
  • Block IP address:-
  • Disable SMBv1
  • Update Anti-Virus hashes
  • Disable WMIC (Windows Management Instrumentation Command-line); see https://msdn.microsoft.com/en-us/library/aa826517(v=vs.85).aspx
  • Be cautious of unexpected or irrelevant URLs and attachments received by e-mail, because the Petya ransomware is very dangerous.
  • Back up your data regularly.
  • Grant employees the least confidential access necessary for their role (least privilege).
  • Keep tight control over who can access the admin portal; this helps avoid a Petya attack.

Conclusion

As the use of the internet and digital devices increases, these kinds of ransomware attacks are increasing too. Malware creators are getting more innovative at encrypting system files and crucial data. One such new threat is the Petya ransomware attack. Like other ransomware, it locks the computer and its files. However, this malicious software comes with a better mechanism for spreading itself than WannaCry.