The malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month — but so far, at least, Petya seems to be spreading more slowly.
Axar.az reports, citing NPR.
Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning Eastern time, the account had received around $10,000. But in a move that has caused some controversy, German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments. While some cybersecurity experts have praised the approach, others note that users whose files are held hostage have now lost their sole point of contact.
WannaCry was largely undone by the discovery of a "kill switch" that could shut it down. No such kill switch has been found so far with Petya, and experts are still working to find a way to stop it.
But security researcher Amit Serper of Boston's Cybereason has identified a method that essentially acts as a vaccine for computers infected by the malware. His method tricks the ransomware into thinking that it's already operating on a machine. Serper is being widely praised for the innovation — but he says the fix is "a temporary workaround."
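The "vaccine" described above is not spelled out in the article. As an added illustration that is not from the article, NPR, or Cybereason, the following PowerShell script applies the widely reported form of Serper's workaround: the malware checks for a file named perfc in the Windows directory and exits if it already exists, so creating that file (read-only) makes it believe it is already running there. The file names are taken from public analysis of the malware, not from the text above, and the script assumes an elevated (administrator) PowerShell prompt.

```powershell
# Added example, not code from the article or from Cybereason.
# Creates the read-only marker files that the malware checks for before running.
# The file names below come from public analysis of the sample, not from the article.
# Must be run from an elevated PowerShell prompt because it writes to the Windows directory.

$markerNames = @('perfc', 'perfc.dat', 'perfc.dll')

foreach ($name in $markerNames) {
    $path = Join-Path -Path $env:windir -ChildPath $name

    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty file; the malware only tests for existence, not content
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # Mark the file read-only so it is not trivially replaced or deleted
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    Write-Output ("Vaccine marker present and read-only: {0}" -f $path)
}
```

As Serper himself notes, this is a temporary workaround: it relies on one hard-coded check in this particular sample and does nothing against a variant that drops the check, so it complements, rather than replaces, applying MS17-010 and limiting the use of Domain Admin credentials on workstations.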
Security experts also are divided on what to call the ransomware. Some analysts have dubbed the malware "NotPetya," to reflect the differences from the original. Others call it "Goldeneye" — the name of another recent strain of the Petya ransomware. Polish researcher Hasherezade says that because core elements of the malware's code still resemble the original, "it is fair to call it a new step in the evolution of Petya."
WannaCry was based on exploits stolen from the National Security Agency — including a program called EternalBlue, which exploited a Microsoft vulnerability. Using some of the same exploits, Petya has the ability to worm through computer networks, gathering passwords and credentials and spreading itself.
After a self-imposed delay of at least 10 minutes, the malware uses a reboot to encrypt files. At that point, users see a fake black-and-white "CHKDSK" message on their screen that claims an error has occurred and that the system is checking the integrity of the disk. This is the last chance, security experts say, for users to power down their computers and protect their files before they're encrypted and held for ransom.
The WannaCry outbreak prompted many network administrators to update their security patches. But as the story of an IT worker in Scotland shows, Petya can still sometimes find a way into those machines, by collecting passwords and credentials from an unpatched computer and using them to log into patched machines.
"We were pretty patched up against [Microsoft's EternalBlue security patch] MS17-010, obviously mustn't have been 100 percent," Colin Scott wrote, "but even then, if one single PC gets infected and the virus has access to Domain Admin credentials then you're done already."
On his blog, Scott doesn't identify his employer, but he says: "So far we've lost many servers and clients, as you can imagine it's carnage."
2017.06.28 / 20:59