As noted, in order to perform this kind of high-level bad behavior, Petya needs the user to gullibly agree to give permission to make admin-level changes. A couple of months after Petya first began to spread, a new version appeared that was bundled with a second file-encrypting program, dubbed Mischa. Mischa kicks in if the user denies Petya admin-level access; it's only a garden-variety piece of ransomware, just encrypting individual files. (Unusually, it also encrypts .exe files, which may end up interfering with the victim's ability to pay the ransom.)
Petya was thus at first just another piece of ransomware, with an unusual twist in how it encrypted files. But in June of 2017 that all changed radically. A new version of the malware began spreading rapidly, with infection sites focused in Ukraine, but it also appeared across Europe and beyond. The new variant spread rapidly from computer to computer and network to network without requiring spam emails or social engineering to gain administrative access; the radical advances in its capabilities led Kaspersky Lab to dub it NotPetya, a name that stuck.
The NotPetya virus superficially resembles Petya in several ways: it encrypts the master file table and flashes up a screen requesting a Bitcoin ransom to restore access to the files. But there are a number of important ways in which it's different, and much more dangerous:
- NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention. The original infection vector appears to be a backdoor planted in M.E.Doc, an accounting software package used by almost every company in Ukraine. Having infected computers from M.E.Doc's servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance, two exploits developed by the United States NSA to take advantage of a flaw in the Windows implementation of the SMB protocol. It can also use a tool called Mimikatz to find network administration credentials in the infected machine's memory, and then use the PsExec and WMIC tools built into Windows to remotely access other computers on the local network and infect them as well.
- NotPetya encrypts everything. The NotPetya malware goes far beyond the original Petya trick of encrypting the master boot record, going after a number of other files to seriously screw up your hard drive.
- NotPetya isn't ransomware. This is in fact the most shocking — and important — thing about NotPetya. It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet. For Petya, this screen includes an identifying code that the victim is supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.
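The first bullet above describes the spreading pattern a defender can look for: one host opening SMB (port 445) sessions to many peers in a short window, followed by PsExec-style remote service installs and WMI remote process creation. The following detection sketch is an added example, not code from the article or from any vendor; the log line format and the sample events are constructed here, and the threshold values are assumptions to be tuned per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article); one event per line.
# Assumed format: "<HH:MM:SS> src=<host> event=<type> dst=<host> [key=value ...]"
SAMPLE_LOGS = """\
10:00:01 src=ws-01 event=smb_connect dst=ws-02 port=445
10:00:01 src=ws-01 event=smb_connect dst=ws-03 port=445
10:00:02 src=ws-01 event=smb_connect dst=ws-04 port=445
10:00:02 src=ws-01 event=smb_connect dst=fs-01 port=445
10:00:02 src=ws-01 event=smb_connect dst=dc-01 port=445
10:00:05 src=ws-01 event=service_install dst=ws-02 service=PSEXESVC
10:00:06 src=ws-01 event=wmi_process_create dst=ws-03
10:15:00 src=ws-09 event=smb_connect dst=fs-01 port=445
10:15:04 src=ws-09 event=smb_connect dst=fs-01 port=445
"""

LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+event=(\S+)\s+dst=(\S+)(.*)$")

def parse(logs):
    """Yield (time, src, event, dst, extras) tuples; malformed lines are skipped."""
    for line in logs.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        extras = dict(kv.split("=", 1) for kv in m.group(5).split())
        yield t, m.group(2), m.group(3), m.group(4), extras

def find_lateral_movement(logs, fanout=4, window=timedelta(seconds=60)):
    """Return {src_host: [reasons]} for hosts showing worm-like SMB fan-out
    or remote execution via PsExec (PSEXESVC service) or WMI."""
    smb = defaultdict(list)      # src -> [(time, dst)] for port-445 sessions
    reasons = defaultdict(list)
    for t, src, event, dst, extras in parse(logs):
        if event == "smb_connect" and extras.get("port") == "445":
            smb[src].append((t, dst))
        elif event == "service_install" and extras.get("service") == "PSEXESVC":
            reasons[src].append(f"PsExec service installed on {dst}")
        elif event == "wmi_process_create":
            reasons[src].append(f"remote WMI process creation on {dst}")
    for src, conns in smb.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):   # sliding window over sorted events
            targets = {d for t, d in conns[i:] if t - t0 <= window}
            if len(targets) >= fanout:       # many distinct peers = scanning/worm
                reasons[src].insert(0, f"SMB fan-out to {len(targets)} hosts within {window.seconds}s")
                break
    return dict(reasons)
```

A single host repeatedly talking to one file server (ws-09 above) is normal and is not flagged; the combination of fan-out plus remote execution from the same source is what distinguishes the worm from ordinary administration traffic.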