This is the second massive ransomware-based attack in a few weeks, like WannaCry, the Petwrap ransomware exploits the MS17-010 SMB Remote Code Execution, so-called Eternal Blue, that Microsoft patched in March 2017.
Banks, financial institutions, businesses, energy firms, telecoms and systems in critical infrastructure were infected by the malware, among the victims the giant Maersk that confirmed the attack in an official statement on its Web site:
“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.”
Analyzis conducted by experts revealed that Petwrap also used other tricks to spread inside target networks.
According to the experts at Russian security firm Group-IB, the malware leverages a tool called “LSADump,” which can be used to collect login credentials from Windows computers and domain controllers on the network.
— Group-IB (@GroupIB_GIB) June 27, 2017
While I was writing, there is also news about illustrious victims in the US such as the global law firm DLA Piper that experienced severe issues at its systems.
Which is the attackers’ motivation?
According to security experts the attack presents various anomalies that led the experts into believing that hackers operated for sabotage.
According to Nicholas Weaver, a security researcher at the International Computer Science Institute Petya has been designed to be destructive while masquerading as a ransomware malware.
Weaver highlighted numerous anomalies in the ransomware-based attack, such as the use of a single Bitcoin address for every victim and the fact that the Petwrap operators urge victims to communicate with the them via an email address, while most of ransomware require victims to use Tor for communications.
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” states the Weaver’s comment published by Brian Krebs said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
Let me suggest to give a look at Yara rules and IOCs published by Kaspersky in the following analysis:
(Security Affairs – Petwrap ransomware , malware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.