WannaCry vs. Petya
Damage from the WannaCry outbreak a few months ago put most organizations on high alert. Those that got infected learned their lesson the hard way about properly securing their systems. Those that didn’t either took the opportunity to properly protect their networks so they wouldn’t be the next victim, or they sat by and did nothing. Well, here we are only a few short months later and Petya is wreaking havoc. WannaCry was truly ransomware, a malicious form of software that uses encryption to hold data hostage until a ransom is paid. However, this recent Petya variant was not ransomware, but instead a wiper disguised as ransomware. Unlike ransomware, wiper malware is designed to destroy systems and data; the attacker offers no option for recovery. Both WannaCry and the Petya variant targeted systems running the Windows OS, and both used EternalBlue to exploit the SMB vulnerability in organizations and rapidly infect their networks. After the malicious encryption, both inform the infected users and demand a ransom to recover the data. Although in theory they sound similar, they are very different, and Petya is much more dangerous.
The Petya variant also includes the EternalRomance vulnerability, which enables remote privilege escalation on certain versions of Windows. Although Microsoft had a patch, Petya was able to exploit the vulnerability. This is important to understand because just months prior, we learned that WannaCry failed to infect systems that were patched properly. However, those same organizations would not be protected from Petya. Here are a couple of other key differences between the two:
- WannaCry can’t execute if a connection with the attacker’s Command and Control server (C2) isn’t established. The Petya variant can execute, spread and encrypt without connecting to the C2.
- WannaCry only spreads by using the SMB vulnerability. Petya uses that as well as native remote administration tools such as PsExec and WMIC to spread, giving Petya more tools to grow and infect.
- WannaCry encrypts data files on infected machines using asymmetric RSA 2048-bit encryption. The Petya variant does the same, but also encrypts and corrupts the Master Boot Record (MBR) and Master File Table (MFT). The private key used for encryption is randomly generated, so the attackers have no way of knowing what that key is to restore data even if the ransom is paid.
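The second difference above, spreading through native administration tools rather than only the SMB exploit, is the one a defender can most readily pick up in endpoint telemetry, because PsExec and WMIC leave process-creation events on both the source and the target host. The following is an added example written for this post, not code from the original article or from 2W Tech: it scans constructed, Sysmon-style process-creation records (host, parent image, image, command line) for remote execution via `wmic /node:... process call create`, `psexec \\host`, and the `PSEXESVC.exe` service that PsExec installs on the target, then flags any source host that reaches out to several distinct targets, which is the fan-out pattern of a worm rather than of an administrator. The host names, command lines and payload path are constructed placeholders.

```python
"""Flag process-creation events consistent with PsExec/WMIC lateral movement.

Added example, not from the original post. All log records below are
constructed for illustration; nothing here is real telemetry.
"""
import re
from collections import defaultdict

# Constructed Sysmon-like records: (host, parent image, image, command line).
# EXAMPLE_PAYLOAD.dll is a placeholder, not a real malware artifact.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("WS01", "cmd.exe", "wmic.exe",
     'wmic /node:"WS02" process call create "rundll32 C:\\Temp\\EXAMPLE_PAYLOAD.dll,#1"'),
    ("WS01", "cmd.exe", "psexec.exe", "psexec.exe -s \\\\WS03 cmd.exe"),
    ("WS02", "services.exe", "PSEXESVC.exe", "C:\\Windows\\PSEXESVC.exe"),
    ("WS03", "cmd.exe", "wmic.exe", "wmic os get caption"),   # benign local query
]

# /node:<host> selects a remote target; "process call create" runs a command there.
REMOTE_WMIC = re.compile(r'/node:\s*"?([\w.-]+)"?', re.IGNORECASE)
WMIC_EXEC = re.compile(r"process\s+call\s+create", re.IGNORECASE)
# PsExec takes its target as a UNC-style \\host argument.
PSEXEC_TARGET = re.compile(r"\\\\([\w.-]+)")


def classify(event):
    """Return (finding_kind, source_host, target_host) or None for benign events."""
    host, parent, image, cmdline = event
    image_l = image.lower()
    if image_l == "wmic.exe":
        m = REMOTE_WMIC.search(cmdline)
        if m and WMIC_EXEC.search(cmdline):
            return ("wmic_remote_exec", host, m.group(1))
    elif image_l == "psexec.exe":
        m = PSEXEC_TARGET.search(cmdline)
        if m:
            return ("psexec_remote_exec", host, m.group(1))
    elif image_l == "psexesvc.exe" and parent.lower() == "services.exe":
        # The PsExec service appearing on a host means it was the *target*.
        return ("psexec_service_installed", host, host)
    return None


def detect(events, fanout_threshold=2):
    """Classify every event and report hosts that reach >= fanout_threshold targets."""
    findings = [f for f in map(classify, events) if f]
    targets = defaultdict(set)
    for kind, src, dst in findings:
        if kind.endswith("remote_exec"):
            targets[src].add(dst)
    spreaders = {src: sorted(d) for src, d in targets.items()
                 if len(d) >= fanout_threshold}
    return findings, spreaders


if __name__ == "__main__":
    found, spread = detect(SAMPLE_EVENTS)
    for kind, src, dst in found:
        print(f"{kind:26} source={src} target={dst}")
    for src, dsts in spread.items():
        print(f"possible worm-like spread from {src} -> {', '.join(dsts)}")
```

On the constructed input the benign `wmic os get caption` on WS03 is ignored, the two remote executions from WS01 are flagged, the `PSEXESVC.exe` on WS02 confirms the inbound side, and WS01 is reported as reaching two distinct targets. In production the threshold and window would be tuned against the volume of legitimate PsExec/WMIC use by the help desk, since the tools themselves are not malicious; what distinguishes a worm is one host fanning out to many peers in a short time.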
WannaCry ransomware was truly created for financial gain. The data can be recovered if you pay the ransom. It’s pretty straightforward, as are most strains of ransomware we have seen. The intent with the Petya variant was wide-scale system destruction to disrupt operations within business and government organizations. Data on infected systems could not be easily recovered, and the corruption of the MBR and MFT made it incredibly difficult, if not impossible, to restore the impacted systems to a usable state.
Both WannaCry and Petya are real threats that are still out there, and more of their kind will be appearing in the future. The best way to protect your network and data is by making sure you have a complete and up-to-date security solution. 2W Tech has IT Consultants on staff that specialize in security solutions and would be happy to work with your organization to make sure you are protected from any and all outside threats. Give us a call today.