After the global Wannacry attack and Microsoft’s emergency patch to close the loopholes that made it possible, you might have been lulled into thinking that a similar attack was no longer possible.
Sadly, you would be incorrect in thinking this. As you read these words, a similar, and in some ways worse, form of ransomware called Petya (also known as Petwrap) is currently infecting computers at a blistering pace.
For the moment, the infection is centered primarily in Russia, the Ukraine, Spain, France, the UK and India, but it’s on the verge of being another worldwide assault.
It relies on the same vulnerability that made Wannacry so successful: the SMBv1 vulnerability. This is proof that there are plenty of people around the world who simply don’t grab and install security patches when and as they are released.
Petya adds a new wrinkle as well. It also utilizes an NSA exploit called EternalBlue, which was released as part of a data dump by an infamous group of hackers called the Shadow Brokers. The inclusion of this additional exploit explains why even systems that have been patched have been reported as being infected.
Another key difference is that Wannacry works by encrypting files one by one. Petya reboots the victim’s computer and encrypts the hard drive’s master file table (MFT), making it impossible to get into the infected PC at all.
However, this is in some ways a mixed blessing because if you get infected and see your computer reboot, you can stop the encryption process simply by unplugging the PC and not powering it back on. Then, you can use another PC to recover your files.
One thing you don’t want to do in this instance, no matter how tempting it might be, is to pay the ransom.
This is because the email address the hackers were using to communicate has been suspended by the German provider, Posteo.
There’s no indication how far the Petya ransomware will spread, and there aren’t any good options for file recovery. As ever, vigilance is your best defense.