    New Petya Ransomware Attack Moving Laterally to Exploit Users

    Written by Sean Michael Kerner
    Published June 28, 2017

      The impact of the global ransomware cyberattack, identified by some security vendors as Petya and others as NotPetya or GoldenEye, is still being calculated, a day after the attack began. The Petya ransomware attack makes use of the EternalBlue exploit that Microsoft patched in March to initially gain access to a system and then is able to move laterally across a network in several different ways. 

      According to Microsoft’s analysis, the new Petya ransomware shares code similarities with the Mimikatz credential-stealing tool and uses that capability to gain Windows administrator privileges on a network. The new Petya ransomware attack also makes use of the PSEXEC remote command tool in Windows, as well as WMIC (Windows Management Instrumentation Command-line), to deploy malware that encrypts user data on an infected network.

      An analysis of the impact of the new Petya ransomware by the Symantec Threat Intelligence Team, requested by eWEEK, found that despite the media hype the overall number of infections it has detected is low, and primarily in Ukraine or in organizations that have offices or subsidiaries in Ukraine.

      As of 8 AM ET on June 28, Symantec’s researchers said that according to its intelligence, fewer than 150 organizations have been affected in Ukraine and under 50 in the US. Though the new Petya ransomware uses the same EternalBlue exploit used by the WannaCry ransomware worm that hit global organizations in May, it doesn’t use the same technique for movement. Symantec’s researchers explained that the new Petya ransomware seems to mainly search for local IP addresses, not across the Internet as WannaCry did.

      “It is safe to say that the spreading method chosen and also the fact that most computers have the SMB patch installed limited the spreading,” Symantec’s researchers said.

      Juniper Networks also isn’t seeing much impact from the new Petya ransomware. Lee Fisher, security specialist at Juniper Networks, told eWEEK that so far his firm has seen very few infections in its customer base.

      “Given the niches that we typically play in, being large Fortune 500 with rigid and robust patch management policies and processes, this isn’t overly surprising,” Fisher said. “Some of the SMB and endpoint vendors may see more, given the attack vector.” 

      Fisher added that in his view, some of the media hype around the new Petya ransomware outbreak yesterday was somewhat overdone. He noted that not only is it targeting a vulnerability that WannaCry forced organizations to fix, but the other attack vectors are not as efficient, requiring either user interaction or poor security administration.

      “Looking at the malware behavior of Petya, once the infected computer powers off, it is no longer able to spread, that is it doesn’t boot, compared to how WannaCry continued to try to infect other network assets,” Fisher said. “Petya doesn’t do this, so the infection speed was always going to be slower.”

      Petya or NotPetya?

      Early reports called the ransomware Petya, though some security vendors, in particular Kaspersky Lab, have argued that the ransomware is different, dubbing the malware NotPetya. Giving the new malware a proper name is not an easy process.

      “It’s not like malware has genetic sequencing and there’s no governing body for naming standards. So we name it as we see fit, and everybody else does the same,” ESET Security Researcher Bruce Burrell, told eWEEK.

      According to Uri Sternfeld, Lead Researcher at Cybereason, the original Petya ransomware operates differently than the one that impacted organizations on June 27. The original Petya ransomware triggered a blue screen immediately after infection, instead of creating a scheduled task two hours later, which is what the new malware does.

      “The current attack is the only ransomware we know of other than Petya that overwrites the MBR (master boot record) and does encryption during boot, so they are at the very least related,” Sternfeld said.

      Remediation

      There are several ways that organizations can limit the risk of infection from the new Petya ransomware variant. The first is to install all Microsoft patches, especially MS17-010, and disable SMBv1 services.

      Microsoft also recommends that organizations consider blocking incoming SMB traffic on port 445. For its enterprise customers, Microsoft suggests using Device Guard to provide kernel-level virtualization-based security that limits the risk of unauthorized processes running.

      At an even simpler level, Cybereason’s researchers discovered a simple one line fix that can mitigate the impact of the new Petya ransomware attack.

      “To activate the vaccination mechanisms users must locate the C:\Windows folder and create a file named perfc, with no extension name,” the Cybereason Intelligence Team stated in a blog post. “This should kill the application before it begins encrypting files.”
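      The remediation steps above, applied to a single Windows host, as an added example that is not from the article, Microsoft or Cybereason. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (the Smb* and NetFirewall cmdlets are not present on older builds), and the MS17-010 KB number is a placeholder because the update ships under a different KB per OS version.

```powershell
# Added example: apply and verify the article's remediation steps on one host.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later (assumed).
#Requires -RunAsAdministrator
param(
    # Placeholder: fill in the MS17-010 KB that applies to this OS version.
    [string]$Ms17010Kb = 'KBNNNNNNN'
)

$report = [ordered]@{}

# 1. Is the MS17-010 update present? Returns nothing (False) when the KB is absent.
$report['MS17-010 installed'] = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

# 2. Disable SMBv1 on the server side and record the resulting state.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$report['SMBv1 disabled'] = -not (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Block inbound TCP 445, Microsoft's suggestion for hosts that need not serve SMB.
$ruleName = 'Block inbound SMB (TCP 445)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
$report['TCP 445 inbound blocked'] = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)

# 4. The Cybereason "vaccine": an extensionless file named perfc in C:\Windows.
#    Marking it read-only is an extra precaution added here, not part of the quoted advice.
$perfc = Join-Path $env:windir 'perfc'
if (-not (Test-Path -LiteralPath $perfc)) {
    New-Item -Path $perfc -ItemType File | Out-Null
}
Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
$report['perfc vaccine present'] = Test-Path -LiteralPath $perfc

# Summary: every value should read True on a remediated host.
$report.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

Blocking inbound 445 also stops legitimate file and print sharing to the host, so apply step 3 only to machines that do not serve SMB, and treat the perfc file as a stopgap rather than a substitute for the patch.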

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.