A massive cyberattack swept across systems worldwide this week, spanning Europe, the Middle East, and the United States and affecting a variety of companies, from banking institutions to airlines to hospitals. The breach comes just weeks after the WannaCry attack that hit at least 150 countries. Keep up with the latest news from the attack here as we uncover details about the outbreak.
Petya ransomware authors demand $250,000 in first public statement since the attack

Illustration by Alex Castro / The Verge

The group responsible for last week’s globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates.
Crucially, the message includes a file signed with Petya’s private key, which is strong evidence that the message came from the group responsible for Petya. More specifically, it proves that whoever left the message has the necessary private key to decrypt individual files infected by the virus. Because the virus deleted certain boot-level files, it’s impossible to entirely recover infected systems, but individual files can still be recovered. The message also included a link to a chat room where the malware authors discussed the offer, although the room has since been deactivated.
Ukrainian company that spread Petya could face criminal charges for vulnerability

Illustration by Alex Castro / The Verge

Last week’s globe-spanning ransomware outbreak may have started with a remarkably simple attack. This morning, independent security analyst Jonathan Nichols discovered an alarming vulnerability in the update servers for Ukrainian software company MeDoc, one of the companies at the center of the attack.
Researchers believe that many of the initial Petya infections were the result of a poisoned update from MeDoc, which sent out malware disguised as a software update. But according to Nichols’ research, sending out that poisoned update may have been a relatively simple task, thanks to underlying weaknesses in the company’s security.
NATO could be forced to respond to the Petya attack, says new report

Illustration by Alex Castro / The Verge

In the wake of last week’s massive Petya ransomware attack in Eastern Europe, researchers are reaching consensus that the incident was a politically motivated cyberattack. According to CNBC, the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) recently put out a statement claiming that the attack was likely done by a state actor or a group with state approval. The development means that the cyberattack could be viewed as an act of war, triggering Article 5 of the Washington Treaty and compelling NATO allies to respond.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty,” wrote Tomáš Minárik, a researcher at the CCD COE law branch, in the release. “Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”
FedEx’s Dutch operations have been ‘significantly affected’ by the Petya virus

Photo by Drew Angerer/Getty Images

The global Petya virus has “significantly affected” the worldwide operations of TNT Express, a subsidiary of FedEx that’s based in the Netherlands. Both the domestic and international shipping services remain operational, but they are experiencing delays, the companies say. FedEx halted trading of its shares shortly after the announcement, but all other FedEx-owned companies are so far unaffected.
“We cannot measure the financial impact of this service disruption at this time, but it could be material,” FedEx writes in a statement about the service disruption. The company adds that “remediation steps and contingency plans are being implemented as quickly as possible,” including using FedEx’s own Express service to help with the backlog. TNT Express was acquired by FedEx in 2016. It ships 1 million packages a day to 200 countries.
Petya virus is something worse than ransomware, new analysis shows

Illustration by Alex Castro / The Verge

The virus that began spreading through European computers yesterday informed users that they could unlock their machines by paying a $300 ransom. But it looks like the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t; the virus was designed to wipe computers outright.
Matt Suiche, founder of the cybersecurity firm Comae, writes in a blog post today that after analyzing the virus, known as Petya, his team determined that it was a “wiper,” not ransomware. “We can see the current version of Petya clearly got rewritten to be a wiper and not an actual ransomware,” Suiche writes.
The global ransomware attack weaponized software updates

Illustration by Alex Castro / The Verge

When the WannaCry ransomware tore through the UK and Europe in May, there was a certain logic to the heightened scale of damage. Ransomware attacks were nothing new, but this one had a secret weapon, a sophisticated software exploit known as EternalBlue, published by the Shadow Brokers in April and believed to have been developed by the NSA. It was nation-state level weaponry turned against soft, civilian targets, like robbing a small-town bank with an Abrams tank. If you were looking for answers on how it spread so far so fast, you didn’t have to look far.
Now, just over a month later, a new strain of ransomware has inflicted similar damage with almost none of that firepower. A variant of the Petya family of ransomware, the virus has infected thousands of systems across the world, including massive multinational corporations like Maersk, Rosneft and Merck, but it’s done so with far less raw material. Petya still uses EternalBlue, but by now many of the target organizations are protected, and that exploit is far less crucial to the ransomware’s spread. Instead, Petya exploits more fundamental weaknesses in the way we run networks and, more crucially, in the way we deliver patches. They’re not as eye-catching as an NSA exploit, but they’re more powerful, and could leave organizations in a much more difficult position as they try to recover from today’s attacks.
It’s already too late for today’s ransomware victims to pay up and save their computers

Illustration by Alex Castro / The Verge

After thousands of infections, the new Petya ransomware has run into its first major problem, as a German email provider has blocked the email account the virus was using to manage ransom demands. Victims should be advised not to pay into the wallet, since it’s unlikely the attackers can successfully decrypt systems at this point.
The problem is caused in part by Petya’s unorthodox method for collecting ransom payments. Most ransomware programs create a unique wallet for each infection, making it easy to know which victim is responsible for each payment. But Petya broke with that practice, asking every victim to send their $300 payment to the same single Bitcoin wallet, then send an email to [email protected] with a unique identifier to confirm payment and receive the decryption keys.