What is the Petya ransomware attack, and how can it be stopped?
Companies have been crippled by an attack dubbed Petya, the second major ransomware crime in two months. Olivia Solon answers the key questions
Many organizations in Europe and the US have been crippled by a ransomware attack dubbed Petya. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.
It's the second major global ransomware attack in the last two months. In early May, Britain's National Health Service (NHS) was among the organizations infected by WannaCry, which used a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents released online in April by a hacker group calling itself the Shadow Brokers.
The WannaCry or WannaCrypt ransomware attack affected more than 230,000 computers in over 150 countries, with the UK's national health service, Spanish phone company Telefónica and German state railways among those hardest hit.
Like WannaCry, Petya spreads rapidly through networks that use Microsoft Windows, but what is it, why is it happening and how can it be stopped?
What is ransomware?
Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it.
How does it work?
When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don't have a recent back-up of the files, they must either pay the ransom or face losing all of their files.
How does the Petya ransomware work?
The Petya ransomware takes over computers and demands $300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across an organization, either using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and if it doesn't work, it tries the next one. "It has a better mechanism for spreading itself than WannaCry," said Ryan Kalember from cybersecurity company Proofpoint.
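As an added example (not part of the article, and not code from Proofpoint or Microsoft), the PowerShell below shows the check an administrator would run on a Windows host to see whether SMBv1, the protocol EternalBlue abuses, is still switched on, and a guarded function to turn it off. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the Get-SmbServerConfiguration cmdlet exists; the function names Get-Smb1Exposure and Disable-Smb1 are this example's own. Because the article notes that Petya falls back to Windows administrative tools when EternalBlue fails, disabling SMBv1 and installing the Microsoft patch closes only one of its two routes; restricting administrative credentials and keeping offline backups cover the rest.

```powershell
# Added example: report SMBv1 exposure on this Windows host and offer to disable it.
# Run from an elevated PowerShell session.

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side SMBv1 switch (Get-SmbServerConfiguration is a built-in cmdlet).
    $server = Get-SmbServerConfiguration

    # Optional-feature state; not present on every SKU, so tolerate failure.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        Exposed           = [bool]$server.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    # SupportsShouldProcess lets the caller preview with -WhatIf before changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart
    }
}

# Usage: report first, then decide whether to remediate.
$status = Get-Smb1Exposure
$status | Format-List

if ($status.Exposed) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName). Install the Microsoft patch and run Disable-Smb1 (try 'Disable-Smb1 -WhatIf' first)."
}
```

A reboot is needed before the optional-feature change fully takes effect; the server-configuration switch applies immediately. Check every host, not just the one the ransom note appeared on, since the article describes Petya moving between machines rather than arriving on each separately.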
Where did it start?
The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian Cyber Police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kiev's airport and metro system. The radiation monitoring system at Chernobyl was also taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant's exclusion zone.
How far has it spread?
The Petya ransomware has caused serious disruption at large firms in Europe and the US, including the advertising firm WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft. The food company Mondelez, legal firm DLA Piper, Danish shipping and transport firm AP Moller-Maersk and Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.