What we know about the ‘kill switch’ in ‘Petya’ ransomware attack

Posted on: June 28th, 2017 by ABC News No Comments

iStock/Thinkstock(MOSCOW) — Cybersecurity researchers have been racing to analyze the new ransomware that struck Tuesday, first hitting Ukraine in an avalanche of attacks before spreading to companies around the world.

The malicious software has been identified as a modified version of a previously known ransomware called Petya or Petrwrap, but has been substantially altered, prompting a debate among researchers over whether it represents new malware.

Here’s what we know:

How the malware works

The malware works by encrypting a computer’s hard disk, locking users out and then posting a ransom demand telling them to pay $300 to a bitcoin account to unblock it.

At face value, it seems to resemble WannaCry — the ransomware that locked out hundreds of thousands of computers in May — but researchers have already noted some crucial differences.

A key difference so far has been that unlike WannaCry, researchers have not been able to find a so-called “kill switch” that shuts down this malicious code globally. But researchers believe they have found a temporary means of disabling the malware on individual computers.

One U.S. cybersecurity researcher, Amit Serper of Boston-based Cybereason, identified the fix on Tuesday night, and other researchers have since termed it a potential “vaccine” or “localized kill switch” for the malware. By changing a single file name, Serper found that users can trick the malware into shutting down on their individual computers.

Serper’s method has been confirmed by several other firms, but he has warned that it is only a temporary fix because large-scale attacks normally occur in several waves. Hackers may easily change the file names again, making the “vaccine” ineffective against the malware, which is technically a “worm” and not a virus because it is self-propagating.

Understanding the nature of the malware

Analysts are also still debating the nature of the malware. Petya was already known to researchers from 2016. But some believe the malware that struck Tuesday has been modified to the extent that it represents new malware, prompting some to give it the nickname “NotPetya.”

Russian cybersecurity firm Kaspersky Lab said it believed the software was a “new ransomware not seen before.” In light of the debate, cybersecurity news portal BleepingComputers termed it “SortaPetya.”

Where most researchers agree upon, however, is that the malware uses a tool developed by the U.S. National Security Agency (NSA) and later stolen by hackers.

Kaspersky Lab and other firms said the ransomware infects computers through an exploit termed EternalBlue, which takes advantage of a vulnerability in Windows operating systems. That same tool was used by WannaCry and was among a vast trove of cyberweapons stolen from the NSA last year by a group of hackers called the Shadow Brokers, which published the weapon online in April.

The use of the tool in a second major cyberattack in two months has prompted criticism directed at the NSA for losing control of the weapon.

After WannaCry, Microsoft issued patches for its Windows versions dating back to Windows XP that blocked the vulnerability; computers that have been updated with that patch were protected from the new attack. In a blog post, Kaspersky Lab explained how, after the malware has infected a machine, it immediately begins sending commands trying to infect other computers linked to it.

WannaCry was stopped after a young cybersecurity researcher in Britain inadvertently stumbled across a kill switch embedded in the malware. It was considered at the time an unlikely stroke of luck, abruptly curtailing the malware as it was racing into new networks.

The ransom message was linked to an email account where a message confirming the ransom payment is meant to be sent. But the German email provider, Posteo, quickly closed the account, in theory making the payments impossible. So far, the hackers have only received a few thousand dollars in ransoms, according to Wired.

Debating the hackers’ intentions

Ukraine’s cyberpolice agreed that an update to the software known as ME-Doc had played a key role in unleashing the attack, noting in a statement that the update, far larger than those usually sent, went out around 10:30 a.m. local time to companies, with the malware then multiplying from there.

The police said they believed ME-Doc had been used unwittingly by hackers.

Some people have described the attack as primarily targeting Ukraine, with the international companies affected only as collateral damage of that attack, while some researchers have begun to suggest that attack could have been intended to cause damage rather than collect ransoms.

Senior researcher Nicholas Weaver of the International Computer Science Institute told the cybersecurity blog Krebs on Security that he believed it was possible it had really been an attack only “disguised as ransomware.”

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” he added.

Analysts were split on that theory, however.

How to fight the malware

Meanwhile, no similar kill switch has been found for Petya-NotPetya so far. Serper’s fix can rescue some individual machines.

To do the fix, users should create a new file called Perfc in the C:\Windows directory but without the file extension DLL that the malware contains. When the malware encounters the file, it is tricked into quitting, stopping the encryption.

Serper, the U.S. cybersecurity researcher, had been surprised that the fix worked. He was on vacation in Israel when the attack began, he told ABC News on Tuesday.

“I had three hours earlier where I had nothing to do, and I started reverse-engineering that malware,” Serper said.

Serper had been modifying the malware in his parents’ living room as they sat and watched TV, he added. He later talked another researcher through the process while at a bar with friends.

A hero among cybersecurity workers

He has since become a minor hero among cybersecurity workers after posting his method on Twitter. “I even got 35 job offers,” he said.

But he warned the fix is only partial and could quickly be circumvented. “This only stops this current outbreak,” Serper said. “If there will be another outbreak like WannaCry, where they had several waves of these attacks, they will probably change the name of the DLL or they might as well change how the function works.”

Who’s been affected

The attack spread rapidly Tuesday, taking in some of the world’s largest companies, including Danish shipping giant Maersk; the French multinational construction materials firm, Saint-Gobain; and U.S. pharmaceutical firm Merck & Co.

There are also questions around why the attack hit Ukraine and Russia so disproportionately. Kaspersky Lab found that about 60 percent of infections had occurred in Ukraine. There, ATMs were locked out, people found cash desks at some supermarkets, and post offices were also blocked.

Ukraine’s Cabinet of Ministers, the government administration, said its office computers had been hit. A number of large banks; the state railway system; Kiev’s chief airport, Borispol; an energy company; and several telecom providers reported themselves struck.

Even radiation monitoring at the destroyed Chernobyl nuclear power station was affected, with technicians forced to carry it out manually after their Windows computers were locked out, Ukraine’s government said.

Russian companies were also hit by the malware. The state-owned giant Rosneft tweeted it had suffered a major cyberattack around the time the ransomware outbreak was reported. The Russian business newspaper, Vedomosti, posted photographs of the ransom screens sent by workers at another oil company Bashneft, which Rosneft owns.

Group-IB, a Moscow-based cybersecurity firm, reported at least 80 companies had been hit in Russia and Ukraine. Russian steelmaker Evraz also said its systems were affected, according to the Russian state news agency, RIA Novosti. The Russian branch of a pet food producer owned by the U.S.-based Mars candymaker also reported an attack.

Ukrainian officials were quick to blame the attack on Russia, whose hackers have previously been linked to serious cyberassaults on critical infrastructure in the country. However, those had not involved ransomware. It is unclear who was behind Tuesday’s attack.

Copyright © 2017, ABC Radio. All rights reserved.

Leave a Reply

You must be logged in to post a comment.

Carlson\'s Drive In Michigan City
Carlson\'s Drive In Michigan City