The Petya Cyber-Attack

Mohan Babu
Mohan Babu is Research Intern with Strategic Technologies Centre at the Institute for Defence Studies and Analyses (IDSA), New Delhi.

On 27 June 2017, the computer servers of many companies and organisations in Europe and the United States of America (USA) were paralysed by a ransomware cyber-attack dubbed “Petya”. The Danish shipping giant A.P. Moller-Maersk, Britain’s advertising agency WPP, Ukraine’s banks, power grid and international airport, the US pharmaceutical company Merck & Co., Russia’s banks and its major oil producing company ROSNEFT were all hampered by the mass-scale cyber-attack.1

All the affected computers displayed a ransom note in which the attackers demanded US$ 300 in bitcoin currency as a ransom.2 Most of the damage caused by the Petya ransomware was on Ukrainian systems, which led to the crippling of operations of its metros, and even the Chernobyl power plant was forced to switch the radiation-sensing systems to manual mode.3 The attack on the systems at Maersk also affected operations at one of the three terminals of India’s largest container port, the Jawaharlal Nehru Port Trust, where Maersk operates the Gateway Terminals India (GTI).4

This attack came a month after two other major ransomware attacks. One of these was the “Wannacry” ransomware cyber-attack, which crippled more than 10,000 organisations and 200,000 individuals in over 100 countries.5 The other was the “Erebus” ransomware attack in South Korea, which forced the webhosting organization “Nayana” to pay around $1.5 million (397.6 bitcoin) as ransom to retrieve the data of its customers.6

Ransomware is malware that prevents the user from accessing the system. It does so either by encrypting the files (crypto-ransomware) or by locking the system’s screen and thus denying access to the device itself (locker-ransomware). Ransomware was deployed as a tool for cyber-attack for the first time in 1989 when the AIDS trojan was released through snail mail using 5¼” floppy disks. AIDS, also called PC Cyborg, replaced the “AutoExec.bat” file used in Windows. Once an infected machine had booted 90 times, the malware would begin hiding directories and encrypting filenames on the “C:” drive. Once completed, the target would be asked to renew their licence by contacting a random “PC Cyborg Corporation”. Upon contacting it, they would then be instructed to send the payment to a post office box located in Panama.7 Although the clear motive for the attack has remained vague thus far, a disk labelled “AIDSOUT” that contained the tools for system restoration was released.8 The type of cryptography used by the attacker was symmetric cryptography,9 hence computer experts who analysed the malware were able to easily reverse it.

In 2005, a new ransomware called “Gpcode” was developed, but its weak cryptographic algorithm meant it too could be decrypted easily.10 From 2009 until early 2013, locker ransomware was the most commonly deployed tool to extort money. In 2012, the Reveton ransomware, or the FBI Moneypak scam, was used to impersonate the US Federal Bureau of Investigation in order to scare victims into paying money.11 Victims were psychologically manipulated through social engineering into giving up confidential information such as bank account numbers or passwords. But these attacks became less successful as people became aware of malware and security solution companies started strengthening systems with tools that could blunt the effects of locker ransomware.

This forced cyber criminals into developing more sophisticated malware, which eventually resulted in the crypto ransomware. Unlike locker ransomware attackers, crypto ransomware attackers are generally upfront with their demands and intentions. An extortion message stating that the data would be given back upon payment of a ransom amount is displayed on the screen.

Of late, the target computer systems for crypto ransomware attacks have been those running Microsoft Windows and Linux, where a vulnerability in the software is exploited using an infection vector. In the May 2017 Wannacry ransomware attack, the attackers used “Eternalblue”12 (a cyber weapon developed by the USA’s National Security Agency [NSA] to break into any network of computers) as the infection vector to spread the virus.13 Although Microsoft issued an emergency patch to protect devices using the Windows operating system, the attack was halted after the accidental discovery of a kill switch in the ransomware’s code.14

Like Microsoft Windows, Linux too has points of vulnerabilities as evident in the case of South Korean ransomware attacks. Nayana’s Linux servers were targeted by the “Erebus ransomware”. However, unlike in the case of Microsoft, the difficulty in finding a kill switch to neutralise Erebus and normalise the Linux servers forced the company to pay ransom to the attackers.

Petya used the same exploits as Wannacry, but the difference between the two is that Petya does not have an in-built kill switch. However, a “vaccine” has been found for Petya by Cybereason’s security researcher Amit Serper.15 Windows users can create a read-only file called ‘perfc’ in the “Windows” folder inside the “C:” drive, which will stop Petya from even infecting the computer.
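One way to apply the ‘perfc’ vaccine described above across a fleet of Windows machines, as an added example that is not part of the original commentary or of the researcher’s own work: the script creates the file if it is missing, marks it read-only, and reports the final state so a scheduled job can verify it. It assumes an elevated PowerShell session, since writing into the Windows folder requires administrator rights.

```powershell
# Added example (not from the original article): idempotently creates the
# read-only C:\Windows\perfc vaccine file and returns its verified state.
# Assumes an elevated session; $env:SystemRoot normally resolves to C:\Windows.

function Install-PerfcVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The article names a file called 'perfc' in the Windows folder on C:.
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create empty vaccine file')) {
            # An empty file is enough: the malware checks for existence, not content.
            New-Item -ItemType File -Path $Path -Force | Out-Null
        }
    }

    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.IsReadOnly) {
        if ($PSCmdlet.ShouldProcess($Path, 'Set ReadOnly attribute')) {
            # Read-only keeps the file from being silently replaced or deleted.
            $item.IsReadOnly = $true
        }
    }

    # Re-read the item so the report reflects what is actually on disk.
    $final = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path     = $final.FullName
        Exists   = $true
        ReadOnly = $final.IsReadOnly
        Verified = ($final.Length -ge 0 -and $final.IsReadOnly)
    }
}

# Usage: apply the vaccine and print the verification record.
# Add -WhatIf to preview the changes without touching the file system.
Install-PerfcVaccine -Verbose
```

The vaccine only blocks the Petya check the article describes; it complements, and does not replace, the Microsoft patch mentioned above.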

Most attacks prior to Petya were carried out by criminals for financial gain, but some characteristics of the Petya malware have led to doubts as to whether the culprits are criminals or state actors. Firstly, despite creating mayhem throughout the globe, the attackers who deployed Petya could amass less than $10,000 in bitcoin (roughly 3.7 bitcoin).16 These numbers are meagre for a ransomware attack carried out on such a large scale, given that, last year alone, ransomware attackers pocketed $100 billion. Also, the email address that was given to the victims to provide proof of payment was taken down on the first day of the attack itself, which made it impossible to transfer bitcoins or any type of cryptocurrency as ransom.17 Secondly, the Petya attacks happened a day before Ukraine’s constitution day. According to the antivirus company Kaspersky, 60 per cent of the impact was on Ukraine.18 This has led to Ukraine blaming the Russian security services for the attack. Kiev has based its accusation on the fact that Russia-based hackers have been carrying out sustained attacks on Ukraine’s infrastructure, cutting off the electricity supply to most parts of Ukraine, first in December 2015, and again in 2016, by hacking into the country’s power grid.19 This might just be circumstantial evidence because Russia’s largest oil conglomerate ROSNEFT was also hit by Petya. This only serves to highlight the difficulties with attribution and thus the difficulties involved in tracing the attackers.

Whoever might have been behind the attacks, the shift in motives has become evident. Ransomware attacks have started targeting both governmental and non-governmental critical infrastructure agencies such as banks, airports, power grids, telecom networks, etc. This calls not just for more user awareness on the micro level but for collective cyber security mechanisms at a global level. Ransomware has the ability to sabotage operations at multiple targets at the same time. Therefore, state intelligence agencies and Information and Communications Technology (ICT) related security companies around the world must come together to aid each other in information sharing and joint analysis of threats. This would eventually strengthen coordination and shared situational awareness, paving the way for proactive cyber security policies around the world.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.