
What is the Petya ransomware attack, and how can it be stopped?

Companies have been crippled by an attack dubbed Petya, the second major ransomware assault in two months. Olivia Solon answers the key questions

Many organizations in Europe and the US have been crippled by a ransomware attack dubbed Petya. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.

It's the second major global ransomware attack in the last two months. In early May, Britain's National Health Service (NHS) was among the organizations infected by WannaCry, which used a vulnerability first revealed to the public as part of a leaked trove of NSA-related documents released online in April by a hacker group calling itself the Shadow Brokers.

The WannaCry or WannaCrypt ransomware attack affected more than 230,000 computers in over 150 countries, with the UK's national health service, Spanish phone company Telefónica and German state railways among those hardest hit.

Like WannaCry, Petya spreads rapidly through networks that use Microsoft Windows, but what is it, why is it happening and how can it be stopped?

What is ransomware?

Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it.

How does it work?

When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don't have a recent backup of the files they must either pay the ransom or face losing all of their files.

How does the Petya ransomware work?

The Petya ransomware takes over computers and demands $300, paid in Bitcoin. Once a single computer is infected, the malicious software spreads rapidly across an organization, either using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and if it doesn't work, it tries the next one. "It has a better mechanism for spreading itself than WannaCry," said Ryan Kalember from cybersecurity company Proofpoint.
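The article says the EternalBlue route is closed by a Microsoft patch that not everyone has installed. EternalBlue exploits the SMBv1 protocol, a detail the article does not spell out, so the quickest host-level check an administrator can run is whether SMBv1 is still enabled. The script below is an added example, written for this page rather than taken from the article or from any vendor; it audits SMBv1 on a single Windows host and, with the `-Remediate` switch, turns it off. It does not cover the second spreading route (the two administrative tools the article mentions but does not name), and it deliberately does not hardcode the OS-specific KB numbers for the patch, so the hotfix listing at the end is a hint for the reader to compare against Microsoft's bulletin, not a definitive patch check. Run it in an elevated PowerShell session.

```powershell
<#
  Added example, not part of the Guardian article.
  Audits (and optionally disables) SMBv1, the protocol EternalBlue attacks.
  Assumptions: Windows 7 / Server 2008 R2 or later, elevated session.
#>
param(
    [switch]$Remediate   # without this switch the script only reports
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    $status = [ordered]@{}

    # Windows 8 / Server 2012 and later expose the server-side setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status['ServerConfigEnableSMB1'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Windows 7 / Server 2008 R2: Microsoft's documented switch is this registry
    # value. Absent or 1 means SMBv1 is on; 0 means off.
    $smb1 = (Get-ItemProperty -Path $RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $status['RegistrySMB1'] = if ($null -eq $smb1) { 'not set (defaults to enabled)' } else { $smb1 }

    # Newer systems also ship SMBv1 as a removable optional feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $status['OptionalFeatureState'] = $feature.State
    }

    # Is the host currently listening for SMB at all?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $status['ListeningOnTcp445'] = [bool]$listening

    [pscustomobject]$status
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry switch for older systems; harmless on newer ones.
    Set-ItemProperty -Path $RegPath -Name SMB1 -Type DWord -Value 0 -Force

    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        # Removing the feature needs a reboot to take full effect.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Write-Host "SMBv1 status before:"
Get-Smb1Status | Format-List

if ($Remediate) {
    Disable-Smb1
    Write-Host "SMBv1 status after:"
    Get-Smb1Status | Format-List
}

# Hint only: the EternalBlue patch shipped in March 2017. Compare this list
# against the KB numbers in Microsoft's bulletin for this OS version.
Write-Host "Updates installed since 14 March 2017:"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Disabling SMBv1 only blocks the EternalBlue path; the administrative-tool path the article describes relies on legitimate credentials and remote execution, so it needs separate controls such as limiting local administrator rights and restricting remote execution between workstations.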

Where did it start?

The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian Cyber Police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kiev's airport and metro system. The radiation monitoring system at Chernobyl was also taken offline, forcing employees to use hand-held counters to measure radiation levels in the former nuclear plant's exclusion zone.

How far has it spread?

The Petya ransomware has caused serious disruption at large firms in Europe and the US, including the advertising firm WPP, French building materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft. The food company Mondelez, legal firm DLA Piper, Danish shipping and transport firm AP Moller-Maersk and Heritage Valley Health System, which operates hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.

Shipping company Maersk's IT system was affected by the cyber-attack. Photograph: Mauritz Antin/EPA

So is this just another opportunistic cybercriminal?

It initially looked like Petya was just another cybercriminal taking advantage of cyberweapons leaked online. However, security experts say that the payment mechanism of the attack seems too amateurish to have been carried out by serious criminals. Firstly, the ransom note includes the same Bitcoin payment address for every victim; most ransomware creates a custom address for every victim. Secondly, Petya asks victims to communicate with the attackers via a single email address, which has been suspended by the email provider after they discovered what it was being used for. This means that even if someone pays the ransom, they have no way to communicate with the attacker to request the decryption key to unlock their files.

OK, so then who is behind the attack?

It's not clear, but it seems likely it is someone who wants the malware to masquerade as ransomware, while actually only being destructive, particularly to the Ukrainian government. Security researcher Nicholas Weaver told cybersecurity blog Krebs on Security that Petya was "a deliberate, malicious, destructive onslaught or perhaps a test disguised as ransomware".

Ukraine has blamed Russia for previous cyber-attacks, including one on its power grid at the end of 2015 that left part of western Ukraine temporarily without electricity. Russia has denied carrying out cyber-attacks on Ukraine.

What should you do if you are affected by the ransomware?

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine, as flagged by @HackerFantastic on Twitter.

Hacker Fantastic (@hackerfantastic): "If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine." pic.twitter.com/IqwzWdlrX6 (June 27, 2017)

If the system reboots with the ransom note, don't pay the ransom: the "customer service" email address has been shut down, so there's no way to get the decryption key to unlock your files anyway. Unplug your PC from the internet, reformat the hard drive and restore your files from a backup. Back up your files regularly and keep your anti-virus software up to date.

Read more: https://www.theguardian.com/engineering/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
