Throwback Attack: Petya, the red skull of ransomware

Courtesy: CFE Media

When people think of ransomware, they often picture a screen blinking with an ominous skull and crossbones image, indicating that something bad is happening. In fact, search for any ransomware attack, and there’s about a 50% chance that image will appear at the top of the article. There’s a good reason for this — it actually happened. The iconic image of the skull and crossbones was put to work when the Petya malware came onto the scene in 2016 and displayed the image as part of its ransomware message.

How Petya works

The Petya ransomware was created by a group calling itself Janus Cybercrime Solutions. Many believe Petya wasn't designed to make the attackers rich but to gain media attention. It arrived via emails disguised as job applications and mainly targeted computers in Europe. As soon as an unsuspecting user opened the attachment, the dropper ran and the infection began.

The original 2016 Petya spread by email rather than by exploiting a network flaw; it was the 2017 NotPetya variant that moved quickly across an organization using a Microsoft Windows vulnerability, CVE-2017-0144, in the implementation of the Server Message Block (SMB) protocol. Once running with administrative privileges, Petya overwrites the master boot record (MBR) with its own bootloader and forces a reboot. On the next start-up the malicious loader, posing as a CHKDSK disk repair, encrypts the master file table and renders the system inaccessible.

Petya differs from most mainstream ransomware seen today, according to a Malwarebytes Labs report: rather than encrypting individual documents, it denies access to the whole system by encrypting the master file table (MFT), the NTFS index that records where every file lives. If the infection is caught before the reboot, the files themselves are still untouched on disk and can be recovered by booting from other media. Once the reboot completes, the screen starts blinking and an image of a red skull appears.

Pressing a key activates a ransom note that includes a demand of $300 in Bitcoin and instructions on how to make the payment.
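Because Petya's damage is done by a rewritten boot sector, the practical pre-reboot check is to compare the live MBR against a known-good copy. The following is an added example written for this article, not code from the original page or from any vendor report: it parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA boot signature), hashes the bootstrap region and reports any change. The sector contents, the `make_sector` helper and the `read_live_mbr` device path are constructed for illustration.

```python
"""MBR integrity check: spot a rewritten boot sector before the next reboot.

Added example, not from the article. A bootkit-style ransomware such as Petya
replaces the 446-byte bootstrap code at the start of the disk's first sector
so its own loader runs on reboot. Comparing the live sector against a
known-good baseline catches that change while the file system is still intact.
All sector bytes below are constructed, not captured from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS first, type, CHS last, LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    entries = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(live: bytes, baseline: bytes) -> list:
    """Return a list of findings; an empty list means the live MBR matches the baseline."""
    findings = []
    cur, ref = parse_mbr(live), parse_mbr(baseline)
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != ref["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    for i, (a, b) in enumerate(zip(cur["partitions"], ref["partitions"])):
        if a != b:
            findings.append(f"partition entry {i} changed")
    return findings


def make_sector(bootstrap: bytes, partitions: list) -> bytes:
    """Build a constructed MBR from bootstrap bytes and (status, type, lba, sectors) tuples."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(bootstrap[:BOOTSTRAP_LEN])] = bootstrap[:BOOTSTRAP_LEN]
    for i, (status, ptype, lba, sectors) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sample data: one bootable NTFS-type partition, two boot sectors.
PARTS = [(0x80, 0x07, 2048, 1_000_000)]
GOOD_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100, PARTS)   # benign stub
TAMPERED_MBR = make_sector(b"\xeb\x3c\x90" + b"\xcc" * 200, PARTS)       # foreign loader, same table


def read_live_mbr(device: str) -> bytes:
    """Read the first sector of a block device; needs root (e.g. /dev/sda or \\\\.\\PhysicalDrive0)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean:", check_mbr(GOOD_MBR, GOOD_MBR))          # []
    print("tampered:", check_mbr(TAMPERED_MBR, GOOD_MBR))   # ['bootstrap code changed']
```

In practice the baseline is the sector captured right after provisioning, stored off-host, and the comparison runs on a schedule or from an EDR hook; a non-empty finding before a reboot is the moment the article describes, when the MFT is still readable and the machine should be imaged from other media rather than restarted.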

The evolution of Petya

The first variants of Petya were discovered in March 2016, when the malware spread through infected email attachments. Petya isn't a single piece of ransomware but a family of related malware, including everything the original Petya evolved into. In June 2017, a new variant was used for a global cyberattack and was named NotPetya to distinguish it from the original. Between 2016 and 2017, Petya and NotPetya together affected thousands of victims.

The newer strain, NotPetya, had updated capabilities and operational differences, most notably spreading through the EternalBlue exploit, which gave it a broader reach and much faster propagation. The goal of the original Petya was to make some quick money, while NotPetya is widely viewed as a state-sponsored Russian cyberattack cloaked as ransomware: its "installation key" was random garbage that the attackers could not map back to a decryption key, so paying the ransom could never restore a victim's disk.

The NotPetya attack primarily targeted Ukraine; however, within hours of release, the malware had infected computers around the world. According to Olivia Solon and Alex Hern, journalists at The Guardian, it spread through firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, locking up PCs and data and holding them for ransom.

Why does it matter?

The original version of Petya may not have had as big an impact as NotPetya, but it was the foundation that evolved into the massive cyberattack that circled the globe. Petya also developed into other lesser-known versions, such as the Petya and Mischa duo, in which Mischa, a conventional file encryptor, ran as a fallback when the malware could not obtain the administrative privileges needed to overwrite the boot record. The original Petya turned out to be just an introduction to what this type of malware could do.

The evolution of Petya to NotPetya took only a year, but ransomware is now evolving at a much faster pace. New threats arrive on the industrial landscape every day, and they have fed into larger incidents such as the Colonial Pipeline ransomware attack and the SolarWinds supply-chain compromise, which hit U.S. national critical infrastructure earlier this year.
