A new strain of ransomware – called Petya, and which emerged in Ukraine and Russia yesterday – has spread to the US and South Africa.
The Ukrainian Cyber Police said on Twitter that the original infection was made through an automatic software update feature built into M.E.Doc, accounting software used by companies which work with the Ukrainian government.
The NSA said it is moderately confident that WannaCry was the work of North Korean hackers.
EternalBlue exploits a vulnerability in all versions of Windows which Microsoft patched in March. Due to how serious the attack was, Microsoft also released a patch for versions of Windows that it no longer supports – except through custom support agreements.
Petya ransomware a smokescreen
Krebs on Security reports that the ransomware included in Petya may be a smokescreen.
Quoting Nicholas Weaver, a security researcher at the International Computer Science Institute, the report stated that Petya appears to be engineered to be destructive, and masquerades as a ransomware strain.
Like WannaCry, Petya’s ransom note shows the same Bitcoin address for every victim. Most ransomware creates a custom address for each infected user, to ensure payment tracking is possible.
Petya also asks victims to contact the extortionists holding their files to ransom by email. Weaver noted that most ransomware asks victims to communicate with them via Tor.
Weaver said, with moderate confidence, that this was a deliberate, malicious, destructive attack, or perhaps a test disguised as ransomware.
Group-IB, a Russian security firm, reported that Petya includes a tool called LSADump, which can harvest passwords and other data from Windows computers and domain controllers on the network.
Petya in South Africa
Reports on Radio 702 suggest that companies in South Africa have been infected by Petya. When powering up their computers, users were shown the screen below.
It has been reported that Petya is also referred to as NotPetya.