Petya (malware family)

Petya was discovered in March 2016; Another variant of Petya discovered in May 2016 contained a secondary payload used if the malware cannot achieve administrator-level access. The name "Petya" is a reference to the 1995 James Bond film GoldenEye, wherein Petya is one of the two Soviet weapon satellites which carry a "Goldeneye"—an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse. A Twitter account that Heise suggested may have belonged to the author of the malware, named "Janus Cybercrime Solutions" after Alec Trevelyan's crime group in GoldenEye, had an avatar with an image of GoldenEye character Boris Grishenko, a Russian hacker and antagonist in the film played by Scottish actor Alan Cumming. On 30 August 2018, a regional court in Nikopol in the Dnipropetrovsk Oblast of Ukraine convicted an unnamed Ukrainian citizen to one year in prison after pleading guilty to having spread a version of Petya online. == 2017 Cyberattack ==

On 27 June 2017, a major global cyberattack began (Ukrainian companies were among the first to state they were being attacked Russian president Vladimir Putin's press secretary, Dmitry Peskov, stated that the attack had caused no serious damage in Russia. Oleksandr Kardakov, the founder of the Oktava Cyber Protection company, emphasized that the Petya virus stopped a third of Ukraine's economy for three days, resulting in losses of more than 400 million dollars. Kaspersky dubbed this variant "NotPetya", as it has major differences in its operations in comparison to earlier variants. It was believed that the software update mechanism of —a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country—had been compromised to spread the malware. Analysis by ESET found that a backdoor had been present in the update system for at least six weeks prior to the attack, describing it as a "thoroughly well-planned and well-executed operation". Analysis of the seized servers showed that software updates had not been applied since 2013, there was evidence of Russian presence, and an employee's account on the servers had been compromised; the head of the units warned that M.E.Doc could be found criminally responsible for enabling the attack because of its negligence in maintaining the security of their servers. The IT businessman and chairman of the supervisory board of the Oktava Capital company Oleksandr Kardakov proposed to create civil cyber defense in Ukraine. == Operation ==

Petya's payload infects the computer's master boot record (MBR), overwrites the Windows bootloader, and triggers a restart. Upon startup, the payload encrypts the Master File Table of the NTFS file system, and then displays the ransom message demanding a payment made in Bitcoin. Meanwhile, the computer's screen displays a purported output by chkdsk, Windows' file system scanner, suggesting that the hard drive's sectors are being repaired. The "NotPetya" variant used in the 2017 attack uses EternalBlue, an exploit that takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol. EternalBlue is generally believed to have been developed by the U.S. National Security Agency (NSA); The malware harvests passwords (using a tweaked build of open-source Mimikatz) and uses other techniques to spread to other computers on the same network, and uses those passwords in conjunction with PSExec to run code on other local computers. This characteristic, along with other unusual signs in comparison to WannaCry (including the relatively low unlock fee of US$300, and using a single, fixed Bitcoin wallet to collect ransom payments rather than generating a unique ID for each specific infection for tracking purposes), prompted researchers to speculate that this attack was not intended to be a profit-generating venture, but to damage devices quickly, and ride off the media attention WannaCry received by claiming to be ransomware. == Mitigation ==

It was found that it may be possible to stop the encryption process if an infected computer is immediately shut down when the fictitious chkdsk screen appears, and a security analyst proposed that creating read-only files named perfc and/or perfc.dat and/or perfc.dll in the Windows installation directory could prevent the payload of the current strain from executing. The email address listed on the ransom screen was suspended by its provider, Posteo, for being a violation of its terms of use. As a result, infected users could not actually send the required payment confirmation to the perpetrator. Additionally, if the computer's filesystem was FAT based, the MFT encryption sequence was skipped, and only the ransomware's message was displayed, allowing data to be recovered trivially. Microsoft had already released patches for supported versions of Windows in March 2017 to address the EternalBlue vulnerability. This was followed by patches for unsupported versions of Windows (such as Windows XP) in May 2017, in the direct wake of WannaCry. Wired believed that "based on the extent of damage Petya has caused so far, though, it appears that many companies have put off patching, despite the clear and potentially devastating threat of a similar ransomware spread." Some enterprises may consider it too disruptive to install updates on certain systems, either due to possible downtime or compatibility concerns, which can be problematic in some environments. == Impact ==

In a report published by Wired, a White House assessment pegged the total damages brought about by NotPetya to more than $10 billion. This assessment was repeated by former Homeland Security advisor Tom Bossert, who at the time of the attack was the most senior cybersecurity focused official in the US government. During the attack initiated on 27 June 2017, the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks and metro systems were also affected. Among those affected elsewhere included British advertising company WPP, American pharmaceutical company Merck & Co. (internationally doing business as MSD), Russian oil company Rosneft (its oil production was unaffected), multinational law firm DLA Piper, French construction company Saint-Gobain and its retail and subsidiary outlets in Estonia, British consumer goods company Reckitt Benckiser, German personal care company Beiersdorf, German logistics company DHL, United States food company Mondelez International, and American hospital operator Heritage Valley Health System. The Cadbury's Chocolate Factory in Hobart, Tasmania, is the first company in Australia to be affected by Petya. On 28 June 2017, JNPT, India's largest container port, had reportedly been affected, with all operations coming to a standstill. Princeton Community Hospital in rural West Virginia said it would scrap and replace its entire computer network on its path to recovery. The business interruption to Maersk, the world's largest container ship and supply vessel operator, was estimated between $200m and $300m in lost revenues. The business impact on FedEx is estimated to be $400m in 2018, according to the company's 2019 annual report. Jens Stoltenberg, NATO Secretary-General, pressed the alliance to strengthen its cyber defenses, saying that a cyberattack could trigger the Article 5 principle of collective defense. Mondelez International's insurance carrier, Zurich American Insurance Company, has refused to pay out a claim for cleaning up damage from a NotPetya infection, on the grounds that NotPetya is an "act of war" that is not covered by the policy. Mondelez sued Zurich American for $100 million in 2018; the suit was settled in 2022 with the terms of the settlement remaining confidential. == Reaction ==

Europol said it was aware of and urgently responding to reports of a cyber attack in member states of the European Union. The United States Department of Homeland Security was involved and coordinating with its international and local partners. Democratic Congressman Ted Lieu asked the agency to collaborate more actively with technology companies to notify them of software vulnerabilities and help them prevent future attacks based on malware created by the NSA. On 15 February 2018, the Trump administration blamed Russia for the attack and warned that there would be "international consequences". The United Kingdom and the Australian government also issued similar statements. In October 2020 the DOJ named further GRU officers in an indictment. At the same time, the UK government blamed GRU's Sandworm also for attacks on the 2020 Summer Games. == Other notable high-level malware ==

• CIH (1998) • Stuxnet (2010) • WannaCry (2017) ==See also==