Petya Ransomware Attack Not Ransomware?

Petya Virus

What happened?

On Tuesday, June 27th, a massive cyber attack began to spread across Europe, mostly affecting systems in the Ukraine.  The central bank of the Ukraine, government departments, the airport in Kiev, a state-run aircraft manufacturer, and the metro network were all paralyzed by the attack.  Even the Chernobyl nuclear plant was hit and had to switch to manual radiation monitoring.  Companies affected in the US included hospitals, the pharmaceutical company Merck, Nabisco and Oreo.  The largest terminal in the Port of Los Angeles had to close because of the attack.

Originally it was thought that this attack was similar to the WannaCry ransomware attack from just a few weeks earlier.  Text displayed on affected computers informed users that they could unlock their machines by paying a $300 ransom.  The attack used the same exploit as WannaCry, called EternalBlue, which was developed and used by the NSA.

However, security researchers from Kaspersky Lab say this attack wasn’t meant to be ransomware.  Instead, it was disguised as ransomware to draw the most media attention.  While it was made to look like ransomware, the researchers say it is a “wiper”, meaning it overwrites the parts of the disk that the system needs in order to run.  It doesn’t encrypt them; it erases them completely.

Looking at the history of the Bitcoin wallet associated with the attack, a total of $10,100 worth of Bitcoin has been paid.  It is very unlikely that the victims recovered their data.  This also means that the goal behind the attacks was not to make money, but to cause the greatest possible amount of damage.

Who is behind the attack?

Researchers don’t know exactly who is responsible for the attack.  Given that the virus was especially destructive in Ukraine, researchers suspect this was a state-sponsored attack.  It appears the virus specifically targeted the Ukraine’s most vital institutions.  The attackers had complete control over where they planted Petya, and they chose the central institutions in the Ukraine.  The political context automatically made Russia the most viable suspect.

What should you do?

If a computer has been infected, the virus waits about an hour before the machine reboots.  If your system reboots and a ransom note displays, don’t pay the ransom.  Reformat your hard drive and restore your files from a backup.  If you are still having issues, call On-Site Computing at (219) 663-7483.