Petya ransomware cyber attack: What it is, who’s affected and what it shares with global NHS WannaCry attack

A new form of ransomware called Petya has swept the globe affecting the likes of advertising firm WPP, shipping company Maersk and even the Chernobyl nuclear plant .

It’s the second high-profile ransomware attack this year following the widely-reported WannaCry ransomware attack that crippled the NHS in May.

Like all ransomware, Petya locks away files on infected computers and demands a ransom before they are supposedly returned.

So far, Russia and Ukraine appear to be the worst affected countries although there are reports of countries in Europe and the US having their servers infected.

Petya is spreading quickly through networks, exploiting a vulnerability in Microsoft’s Windows operating system.

An example of WannaCryptor ransomware
(Photo: MalwareTips)

Those responsible are demanding a payment of $300 through the untraceable digital currency Bitcoin . As with all ransom demands, there’s no guarantee the files will be returned after payment and experts caution against transferring the funds.

Cyber security specialists are currently scrambling to ascertain the extent of the Petya infection and whether it can be stopped.

What is ransomware?

Ransomware is a particular type of computer virus or worm that spreads rapidly and autonomously through a computer network.

It’s primary goal is to lock up sensitive files behind advanced encryption and demand payment before they are returned to their owner.

Often, payment is handled anonymously through an untraceable digital currency such as Bitcoin .

How does the Petya ransomware work?

Like the WannaCry ransomware, Petya exploits a vulnerability in Microsoft Windows. According to Kaspersky security experts, this could be the same EternalBlue exploit that was discovered by the NSA and used in the WannaCry attacks.

However, they caution that Petya is a different piece of software and not simply a variation of the WannaCry code.

“This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within corporate networks,” Kaspersky said.

Petya locks files away and presents the user with an intimidating black and red screen demanding payment of $300 in Bitcoin .

Where does Petya come from?

Security researchers believe that Petya could be a variant of older "Petya.A", "Petya.D", or "PetrWrap" computer worms from 2016, with new code added in to take advantage of the EternalBlue exploit.

Because the WannaCry kill switch was triggered relatively quickly, many companies may not have updated or patched their software and could still be at risk.

Early reports suggest it originated from a software update built into an accounting program used by companies working with the Ukranian government. That appears to be why so many Ukranian systems were infected so quickly before it spread to Russia.

Who has been infected? Is the NHS safe?

British advertising agency WPP said a number of its computers had been affected, and its website appeared to be down as it made the announcement.

US pharmaceutical company Merck, law firm DLA Piper, Netherlands-based shipping company TNT and Spanish food giant Mondelez – whose brands include Oreo and Toblerone – have also been compromised as part of the global hack.

(Photo: Getty/Rex)

Russian energy company Rosneft also reported falling victim to the hacking attack, as did shipping company AP Moller-Maersk, which said every branch of its business was affected.

So far, the NHS has not reported any intrusion into its systems. Following the WannaCry attack, Microsoft took the unusual step of issuing a security patch for the discontinued XP operating system against the spread of WannaCry.

"The company’s telemetrics data indicates around 2,000 attacked users so far," said Vyacheslav Zakorzhevsky, head of anti-malware team at Kaspersky Lab.

"Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, Germany and several other countries."

Who is behind it?

There is very little information about who might be behind the current disruption from Petya.

Ukraine’s prime minister Volodymyr Groysman said the cyber attack is "unprecedented" but "vital systems haven’t been affected".

(Photo: Vectra Networks)

He also said on Facebook that "our IT experts are doing their job and protecting critical infrastructure… The attack will be repelled and the perpetrators will be tracked down."

How can it be stopped?

If a computer has already been compromised, then there is currently no way of retrieving the locked files.

Posteo, an email service provider that appears to have been used by the hackers has responded to say that it has shut down the address.

“We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away,” the company said.

That means that even if those affected wanted to pay the ransom, it would not be acknowledged because the email has been disconnected.

Security professionals have constantly warned against paying ransoms to cybcriminals.

Instead, firms should invest in robust security measures and make sure they keep regular backups.

One way to limit the damage of the Petya ransomware is to reboot the computer to an earlier backup. Preferably, this backup should be encrypted or at least stored offline.

“The Petya ransomware is essentially a more savvy, more developed and a better version of WannaCry; in that it’s based on the same type of exploit," said Gretchen Ruck, director at business management consultancy AlixPartners.

"Over the next six months, we have to expect these attacks will continue to develop in number and sophistication and companies need to prioritise investments in secure systems and collaboration with executives to stay one step ahead.”