WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

M

manhtom

Level 1
Thread author
Verified
Feb 14, 2016
16
There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others.

At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is "considerable," according to Costin Raiu, Kaspersky Labs researcher, and MalwareHunter, an independent security researcher.

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Because of this, Petya is more dangerous and intrusive compared to other strains because it reboots systems and prevents them from working altogether.
 
  • Like
Reactions: Daniel Hidalgo, XhenEd, aragornnnn and 15 others
BoraMurdar

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Prepare for impact!
Kidding, just backup important data
b5a8c473-8acf-4050-b9d5-b4649e773f40.jpg
 
  • Like
Reactions: simmerskool, Daniel Hidalgo, XhenEd and 17 others
AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Secure Folders is a good option for protecting files and folders. Have it on a PC, and I use it to restrict write privileges to the backup program on the PC to backup drives connected to the PC. Still experimenting. For now that's my fallback for that PC, but if anyone knows a way to use SF to protect the mbr, that would be very nice :D
 
  • Like
Reactions: manhtom, aragornnnn, Korea and 10 others
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
The use of Petya is quite atypical for a cyber-criminal action on this scale.
It may be used as destructive tool for its feature to encrypt the hard disk of the computer, which then becomes unusable and so causing disorder action, but it is a ransomware and not, strictly speaking, a cyber-weapon.
It is perfect to cover an attack with geopolitics purpose...for example.
 
  • Like
Reactions: simmerskool, manhtom, aragornnnn and 9 others
Weebarra

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
I have just seen this on the news and whilst i should be shocked that it has happened so soon after the last large scale ransom attack but i'm not for some reason.
Thankfully (due to members on here) i do back up frequently and am trialing Kaspersky a the moment so i'm hoping that (along with some common sense) keeps me safe as i am on Windows 7 which was hit the largest the last time.

o_19c6jglgs14o9q7018ef1p4sriaa_1024_io.jpg
 
  • Like
Reactions: manhtom, aragornnnn, Der.Reisende and 7 others
Daljeet

Daljeet

Level 6
Verified
Well-known
Jun 14, 2017
264
A major cyber-attack has struck large companies across Europe, with Ukraine’s government, banks, state electricity grid, telephone companies and even metro particularly badly affected.



The attack has caused serious disruption at companies including advertising multinational WPP, France’s Saint-Gobain, Russian steel, mining and oil firms Evraz and Rosneft, and the Danish shipping giant AP Moller-Maersk.

  • The ransomware might display the following message on an infected PC:

    Repairing file system on C:

    The type of the file system is NTFS.
    One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

    WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

    CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)

  • After encryption, impacted systems might prompt the user to reboot. After reboot, a ransom screen similar to the following is displayed:
  • petya.png
Extensions currently known as being affected are: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip



We have confirmed with the samples that SMB is being used as a propogation method, and are aware of reports that RDP may also be used but have yet to confirm this.



After encryption, impacted systems may show a ransom screen and suggest a system reboot after which the system will not be accessible.
 
Last edited:
  • Like
Reactions: Parsh, simmerskool, manhtom and 6 others
Daljeet

Daljeet

Level 6
Verified
Well-known
Jun 14, 2017
264
NotPetya has some extra powers that security experts say make it deadlier than WannaCry.This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched," said ESET researcher Robert Lipovsky. "It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.
 
  • Like
Reactions: manhtom and AtlBo
brambedkar59

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,878
daljeet said:
The ransomware might display the following message on an infected PC:

Repairing file system on C:

  • The type of the file system is NTFS.
    One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

    WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

    CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)

  • After encryption, impacted systems might prompt the user to reboot. After reboot, a ransom screen similar to the following is displayed:
  • petya.png
Click to expand...
Sneaky-breeky. Malware authors are getting pretty good at disguising the malware as windows apps/tools.

daljeet said:
Extensions currently known as being affected are: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.
Click to expand...
So essentially an advanced user can save all his files from being encrypted by the ransomware by just changing the extension. Although not practical at all :p
 
Last edited:
  • Like
Reactions: AtlBo
ispx

ispx

Level 13
Verified
Well-known
Jun 21, 2017
616
in the articles that i have read & in the news on tv about this attack i did not really see any mention of a specific os being targeted.

unless i missed it while reading / watching so please enlighten me.

if i am not wrong wannacry jacked up xp & 7 mostly, is it the same this time? or is this new attack crippling 10 too?
 
  • Like
Reactions: brambedkar59 and AtlBo
In2an3_PpG

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
ispx said:
in the articles that i have read & in the news on tv about this attack i did not really see any mention of a specific os being targeted.

unless i missed it while reading / watching so please enlighten me.

if i am not wrong wannacry jacked up xp & 7 mostly, is it the same this time? or is this new attack crippling 10 too?
Click to expand...

Well if its similiar to WannaCry in that its using Eternalblue and DoublePulsar to exploit SMB then any device that has an vulnerable public facing SMB port open could be toast. As far as i know.
 
  • Like
Reactions: Drexciya, brambedkar59, AtlBo and 1 other person
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Malware News The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack
Replies
0
Views
1,211
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Ten notorious ransomware strains put to the encryption speed test
Replies
0
Views
979
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • Like
    • Wow
Sinclair TV stations disrupted across the US in apparent ransomware attack
Replies
2
Views
752
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top