Petya GDATA Ransomware

The world is once again amid a massive ransomware attack and companies are being held hostage. Dubbed Petya, the malware has already brought down airports, banks, and other institutions across Europe. It is believed this ransomware attack could be bigger than the recent WannaCry Ransomware attack.

Petya seems to have started in Russia and Ukraine as a coordinated attack. However, it is still unclear where the attack has originated from and who is responsible.

Equally, the extent of the damage or breadth of infection is still not known.

While Russia and Ukraine are deeply affected, the new ransomware has also spread to Denmark, Spain, the United States, and other countries.

Among the companies already reporting major problems is A.P. Moller-Maersk, a Copenhagen-based company and one of the world’s largest shipping firms. Rosneft, Russia’s leading oil company, has also been crippled by the attack.

According to Ukrainian Deputy Prime Minister Pavlo Rozenko, the government’s computer network had gone down, and the Ukrainian central bank said a number of banks and companies, including the state power distributor, were also hit by the Petya ransomware.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Ukraine’s Boryspil International Airport has also been hit severely. The airport’s acting general director, Yevhen Dykhne, said the airport is trying to get back to working order, but warned that “[i]n connection with the irregular situation, some flight delays are possible.” “We kindly urge you to be understanding, keep calm,” he added. “Current information about the departure times can be found on the scoreboard in terminal.”


Pictures published by Reuters show that the Petya Ransomware is also affecting ATM terminals.

Petya Ransomware – Technical Attack Details

Twitter users are pointing out that the ransom fee to release a system from Petya is $300 in bitcoin. However, this fee applies only to individuals under attack.

They receive a short message telling them to send funds to a Bitcoin wallet ID to get an installation key. The ransom for companies is likely to be much higher.

Mikko Hypponen, a researcher for F-Secure, said Petya is attacking the following file formats: *.pdf, *.pptx, *.ppt, *.ova, *.php and many more. “Nothing is stopping Petya now. This could hit the U.S.A. pretty bad,” he said.

The Petya Ransomware does not encrypt files on a targeted system one by one, but replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

According to Hypponen, “Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.” As a recent VirusTotal scan shows, only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware.
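Hypponen’s point that Petya spreads with WMIC and PsExec even on patched hosts suggests one defensive check: flag process-creation events where either tool is pointed at a remote machine. The following Python is an added example, not code from the article or from any vendor; the log format (host|user|image|command line) and the sample records are constructed for illustration and are not real Petya artefacts.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records in a hypothetical
# "host|user|image|command_line" format. Not real Petya telemetry.
SAMPLE_EVENTS = """\
WS01|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:"10.0.0.7" /user:"CORP\\svc" process call create "notepad.exe"
WS01|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
FS02|CORP\\bob|C:\\Tools\\PsExec.exe|psexec \\\\10.0.0.9 -accepteula -s cmd.exe
FS02|CORP\\bob|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

@dataclass
class Event:
    host: str
    user: str
    image: str
    cmdline: str

# wmic's /node: switch names a remote computer; psexec takes \\computer.
WMIC_NODE = re.compile(r'/node:"?([^"\s,]+)', re.IGNORECASE)
PSEXEC_TARGET = re.compile(r'\\\\([\w.-]+)')

def parse_events(text):
    """Split the constructed log text into Event records."""
    events = []
    for line in text.strip().splitlines():
        host, user, image, cmd = line.split("|", 3)
        events.append(Event(host, user, image, cmd))
    return events

def classify(ev):
    """Return (tag, target) if the event is remote WMIC/PsExec use, else None.
    Local wmic queries and unrelated binaries are deliberately ignored."""
    image = ev.image.lower()
    if image.endswith("wmic.exe"):
        m = WMIC_NODE.search(ev.cmdline)
        if m:
            return "wmic-remote-exec", m.group(1)
    if image.endswith("psexec.exe"):
        m = PSEXEC_TARGET.search(ev.cmdline)
        if m:
            return "psexec-remote-exec", m.group(1)
    return None

def find_lateral_movement(text):
    """Return (source host, user, tag, target) for every suspicious event."""
    hits = []
    for ev in parse_events(text):
        result = classify(ev)
        if result:
            hits.append((ev.host, ev.user, result[0], result[1]))
    return hits
```

Administrators use both tools legitimately, so these hits are a triage queue for correlation (new source hosts, service accounts, many targets in a short window), not a verdict on their own.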

Worse than WannaCry

Recently, the WannaCry ransomware cost companies hundreds of millions of dollars. It spread from a former NSA backdoor for Microsoft Windows. The company was criticized from various sides for how it handled the outbreak. Microsoft held back a free repair update for Windows XP machines, instead reserving it for customers with custom support contracts. But the President of the Redmond giant, Brad Smith, has laid the responsibility for the massive hack at the feet of the U.S. government, saying they put the digital world in danger through their practice of “stockpiling vulnerabilities.”

Early reports suggest the zero-day Petya could be even bigger than WannaCry. We will keep you updated.