Is Petya Ransomware another WannaCry?
A few weeks ago, the WannaCry ransomware spread at a fast pace and infected millions of computers all across the world. Now another ransomware is causing havoc around the world. The new attack has taken banks in Ukraine offline and locked computer systems in government offices. It has also affected the Chernobyl nuclear plant and Ukraine’s electricity supplier, as well as the Danish shipping company Maersk and the Russian oil company Rosneft. Other victims include pharmaceutical companies, Chernobyl radiation detection systems, and, er, a chocolate factory.
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj — Ukraine / Україна (@Ukraine), June 27, 2017
According to Kaspersky’s Costin Raiu, about 70% of infections have been recorded in Ukraine, followed by 30% in Russia. The other major countries affected by this Petya threat are the USA, Poland, Germany, the UK, and France.
The Petya ransomware demands $300 in Bitcoin for decryption. So far, according to Kaspersky, 7 payments have been made to the attackers. According to Symantec, the number of payments has now increased to 9.
Petya ransomware demands $300 in Bitcoins:
#ICYMI Status #ExPetr #NotPetya #Petya Report https://t.co/yh5y7WCcun Home user https://t.co/yddR7UCysa Biz Cust https://t.co/O10HBzoXZU pic.twitter.com/tddsVohv8E — Kaspersky Lab (@kaspersky), June 27, 2017
How does the Ransomware spread?
To spread, the ransomware is coded to capture credentials, using custom tools à la Mimikatz. These extract credentials from lsass.exe. After extraction, the credentials are passed to PsExec tools or WMIC for distribution inside a network.
What does the Ransomware do?
After infecting a PC, the malware waits 10-60 minutes before rebooting the system. The reboot is scheduled using system facilities, with the “at” or “schtasks” and “shutdown.exe” tools. Once the system reboots, the malware starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader carrying a ransom note.
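A defender can hunt for the two behaviours described above (remote execution through PsExec or WMIC, and a reboot scheduled through “at” or “schtasks” with “shutdown.exe”) in process-creation logs. The following is an added example, not code from the original article or from any vendor report; the record layout, host names, command lines and regular expressions are constructed assumptions for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Patterns are this example's assumptions about how the tools appear in logs.
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.I)
WMIC_REMOTE = re.compile(r"/node:.*\bprocess\s+call\s+create\b", re.I)
PSEXEC_REMOTE = re.compile(r"\\\\[\w.-]+")  # a \\host target argument

def classify(image, cmdline):
    """Return a behaviour label for one process-creation record, or None."""
    exe = ntpath.basename(image).lower()
    if exe in ("schtasks.exe", "at.exe") and REBOOT.search(cmdline):
        return "scheduled_reboot"
    if exe == "wmic.exe" and WMIC_REMOTE.search(cmdline):
        return "remote_exec"
    if exe in ("psexec.exe", "psexec64.exe") and PSEXEC_REMOTE.search(cmdline):
        return "remote_exec"
    return None

def triage(events):
    """Group hits per host; a host showing both behaviours is 'critical'."""
    hits = defaultdict(set)
    for host, image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            hits[host].add(label)
    return {host: ("critical" if len(labels) == 2 else "review", sorted(labels))
            for host, labels in hits.items()}

# Constructed sample records (host, image, command line); not real telemetry.
SAMPLE = [
    ("WS-014", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:"10.0.0.23" process call create "placeholder.exe"'),
    ("WS-014", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:45'),
    ("WS-020", r"C:\Tools\PsExec.exe", r"psexec \\FS-01 placeholder.exe"),
    ("WS-031", r"C:\Windows\System32\shutdown.exe", "shutdown /r /t 0"),  # direct reboot, not scheduled
    ("WS-031", r"C:\Windows\System32\schtasks.exe", "schtasks /Query /FO LIST"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(host, verdict)
```

PsExec and WMIC are also ordinary administration tools, so a "review" result calls for context (who ran it, from where), while the combination on one host is the stronger signal.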
What is Petya ransomware?
Kaspersky’s earlier report suggested that the new threat is a variant of the older Petya ransomware. However, the company later clarified that it’s an entirely new infection; that’s why they called it “NotPetya.” Avira and Symantec have confirmed that Petya is using the EternalBlue exploit, just like WannaCry.