Pnyetya: smarter than WannaCry?

Petya ransomware By Joshua Goddard, Cyber-crime Investigator | 28 June 2017

The latest "cyber pandemic" hitting organisations across Europe (most notably Ukraine) is Pnyetya. Kaspersky reports that 2,000 organisations have fallen victim to this attack. It is currently unclear whether the malware is based on previously-known ransomware called "Petya" or whether it is something new entirely (which is why some are calling it "NotPetya"). Pnyetya was reportedly spread initially via a "fake" update to the accountancy software "MeDoc" used by many organisations in Ukraine.

How is it different to WannaCry?

Research so far says that Pnyetya is wildly different to WannaCry and is based on an entirely different piece of malware. People worldwide are comparing the effects to WannaCry, but those in-the-know suggest this is an entirely different beast.

It encrypts files and file systems

WannaCry only encrypted files (documents, databases, etc), whereas Pnyetya encrypts files and file systems themselves, as well as overwriting the 'Master Boot Record' (MBR), which controls how a volume starts up. This is much harder to manage and means users can't boot into Windows at all. For file types which are excluded from encryption, they may be recoverable using data carving techniques.

It moves in a clever way

WannaCry used a weakness in Microsoft's file sharing protocol (a way that computers talk to each other) and went out on the internet to find more machines to infect. Pnyetya appears to only move around internal networks and gathers passwords from any machine it lands on, to use on other computers across a network, and using a variety of known "hacking" tools. This advanced propagation technique is called "lateral movement" and it makes it notoriously difficult to track and stop.

It takes one machine to compromise everything

Forbes reported ESET researcher Robert Lipovsky saying "It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers." WannaCry didn't require administrator rights to encrypt files, and once the file sharing protocol was disabled, systems were generally secure. A computer network is only as strong as its weakest link - if one machine is compromised with Pnyetya and administrator credentials are gained, it can continue to spread because it has genuine authentication by way of a username and password. At that point, you've been had.

It's professional

Security researchers around the globe are saying that this malware is a lot more advanced technically than WannaCry - a "kill-switch" hasn't been found like with WannaCry, although the email address used for sending decryption keys has been shut-down.

This advanced technical behaviour is a contrast to the money-gathering method, which has led some to believe that this attack is just a cover to a wider attack on Ukraine, potentially state-sponsored, with the intention to cause damage and embarrassment rather than financial gain.

What should I do if I'm infected?

Firstly, you should not pay the ransom demand. The provider of the email address which provides decryption keys has shut down the account. This is an interesting moment for cyber insurance companies, whose policies are generally to pay the ransom demands to get data back. If you're infected, you should follow any incident response plan and restore from backups.

How can I prevent becoming infected?

Researchers have found a way to stop a machine being encrypted by simply creating a file. It's likely that the malware creates a file of the same name, and if you create it first (and make it read-only), the malware can't proceed. This technique does not prevent a machine being infected though, and even with this file, any machine can still act as a carrier for further infection. Do not rely on this method of prevention long-term - any update of the malware could avoid this quick-fix.

Updating Windows is the best way to avoid falling victim to this attack  - although some researchers initially reported that even the latest version of Windows 10 was susceptible to infection.

Getting technical 

This update is intended to be a friendly overview of exactly what's been happening with Pnyetya and why it's improper to say it is the "same" as WannaCry. I have been purposely short on technical analysis because research is still on-going, and there is a wealth of good information already online.

#   #   #

Learn about planning effective Cyber Security Incident Response using the CREST Mode.

Need expert help now? Talk to our CSIR advisers in confidence on +44 (0)870 600 1667.


« Back