The malware attack that began spreading yesterday from Ukraine and Russia and has crippled the networks of some international businesses displays some significant differences from last month’s global outbreak of the WannaCry ransomware.
Like WannaCry, the origins of “Petya” — also called NotPetya, Nyetya, and PetrWrap — lie in a Microsoft vulnerability that was exploited for years by the National Security Agency before being stolen and then revealed by the Shadow Brokers hacking group in April. However, Petya does not appear to have the kind of built-in kill switch that helped put a stop to the spread of WannaCry, and propagates through networks differently than WannaCry.
Security researchers following Petya said that the malware, while damaging, isn’t effective ransomware. Unlike WannaCry, Petya doesn’t create custom Bitcoin payment addresses for individual victims, and it also tells victims to communicate with the perpetrators via email, which is traceable, rather than through the anonymous Tor network.
What’s more, the email address used by the Petya hackers was blocked yesterday by the Berlin-based email provider Posteo, preventing the hackers from sending messages via that account and also disabling incoming messages.
Apparently Designed for Mayhem
Since appearing in Ukraine yesterday, Petya has infected tens of thousands of machines across at least 65 countries, according to a post on Microsoft’s TechNet Malware Protection Center blog. Numerous organizations in Ukraine, including the main airport, government agencies, and the national bank, were affected. Also affected were the Danish shipping giant Maersk, the Russian energy firm Rosneft, and the international marketing firm WPP.
With no effective means of communicating with the hackers to verify ransom payments, victims had no obvious way to unlock files encrypted by the malware.
University of California-Berkeley computer researcher Nicholas Weaver told IT security writer Brian Krebs yesterday that Petya appeared to be aimed…