NotPetya is a wiper disguised as Ransomware

So in the latest use of the EternalBlue exploit kit that has been released to the wild, there is a new Ransomware that follows in the footsteps of the WannaCry ransomware being dubbed PetyaWrap.  So far this ransomware has hit several large companies across the globe, including Merck Pharmaceuticals, Maersk Shipping, DLA Piper and more…  The main differences between this ransomware attack and WannaCry is that this one is encrypting at the file system level as opposed to the individual files, it is stealing usernames and passwords from the systems and so far, there appears to be no kill switch.


According to researchers at Recorded Future, Tuesday’s attacks appear to deliver two payloads. One is the new version of the Petya ransomware package. Tuesday’s version, which some researchers have started calling PetyaWrap, holds data hostage until users pay $300 in Bitcoins. The other payload is an information stealer that extracts usernames and passwords from victim computers and sends the data to a server controlled by the attackers. That would mean that while an infected computer has been rendered inoperable by the ransomware, the attackers would already have access to potentially high-value credentials that were stored on the machine.


Researchers with AV provider Eset said in a blog post that unlike many ransomware packages, PetyaWrap doesn’t encrypt individual files. Instead the encryption is aimed at a computer’s entire file system. The ransomware targets the computer’s master boot record, which is a crucial piece of data that allows a computer to locate its operating system and other key components.


Tuesday’s attack spread widely almost immediately. It initially took hold in Ukraine, but soon it reportedly spread to Spain, France, Russia, and the United States. WPP, the British ad company, said on Twitter that some of its IT systems were hit by a cyber attack. It’s website remained unreachable as this post was going live. Meanwhile, Reuters reported that Ukrainian state power distributor Ukrenergo said its IT system were also hit by a cyber attack but that the disruption had no impact on power supplies or broader operations.


Reports are coming fast and furious from multiple sources now, all reporting Petya’s virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.


So far,the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.


A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage that this version is also crackable. In the past, the author of the Petya ransomware, a crook named Janus Secretary, has offered a combo of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.


While WannaCry was stopped by a “killswitch” mechanism, this Petya version doesn’t seem to be affected by such a weakness.



I guess this is a good welcome to the wild world of the future of exploits and not having your systems up to date with patches…  Of course, this may cause bitcoin prices to jump again.


EDIT Adding BitCoin Address:


Thanks to @The Benjamins for providing the below link to the BitCoin Blockchain address:


As of this edit, it appears to have collected about 2.14 Bitcoins worth of transactions…


EDIT 2: Thanks to @verytiny for bringing up an announcement from Posteo that they have blocked the email address that was being used and are working with local Federal Authorities.


In addition, one of the bits of information concerning how this bug is spreading listed on ArsTechnica consists of it using boobytrapped phishing emails and PSExec command line tools so that if it is able to penetrate a computer by any one vector, it can then spread throughout the network.


EDIT 3:  According to Bleeping Computers, security researchers has found a ‘vaccine’ to prevent system infection, but have not found a killswitch for the attack yet.



To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.  For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

There is a step-by-step on the article on how to do this, however, it is important to note that this is only for the current version of the ransomware.


At the same time, it is being strongly speculated that the initial infection may have originated from a tainted software package from Ukranian based M.E.Doc compromised by an unknown attacker.



Well this is interesting.  According to an update from Ars Technica, antivirus researchers are determining that this malware attack was not a ransomware attack but a wiper attack with the ransomware note as more of a red herring to try and throw people off.  Welcome to the digital nuclear arms race where pretty soon all countries will have digital WMDs and be threatening all the other countries with digital Mutually Assured Destruction of critical systems.


 Tuesday’s massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data.

In other words, the researchers said, the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday’s malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday’s attack was, in fact, a hoax intended to capitalize on media interest sparked by last month’s massive WCry outbreak.

“The ransomware was a lure for the media,” researcher Matt Suiche of Comae Technologies, wrote in a blog post published Wednesday. “This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” He went on to write: “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

Suiche provided the above side-by-side code comparison contrasting Tuesday’s payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won’t function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday’s payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible.


Leave a Reply

Your email address will not be published. Required fields are marked *