Those traits led researchers to conclude that the virus was a state-sponsored destructive attack, not an act of cybercrime.Īccording to the Ukrainian police, the NotPetya attack started by subverting the update function of that government’s accounting software. And despite displaying the usual signs of a ransomware attack-such as the ransomware demand-wasn’t designed to actually collect any money. NotPetya was narrowly targeted, though quickly grew into a wider threat. That behavior made NotPetya more like a “ransomworm” than a traditional virus. Unlike most malware, NotPetya infected new systems without the user doing anything. Once on a compromised system, EternalBlue exploits a flaw in Windows networking protocols to silently spread across networks. The exploit was developed by-and later stolen from-the U.S. The new variant, also dubbed “NotPetya” because of key differences with the original, spread using an exploit known as EternalBlue. It quickly spread worldwide, crippling businesses and causing more than $10 billion in damages. An external, USB-based hard drive docking station can be used.Though first discovered in 2016, Petya began making news in 2017 when a new variant was used in a massive cyberattack against Ukrainian targets. However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. If that sounds complicated, no worries: Fabian Wosar from security firm Emsisoft created a simple and free tool that can do it for you. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.Ĭomputer experts from the popular tech support forum confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37h) with an offset of 0 and an 8-byte nonce from sector 54 (0x36) offset 33 (0x21). Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.įortunately, resorting to that method is no longer necessary, and neither is paying Petya's authors. The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. The MFT is a special file on NTFS volumes that contains information about all other files: their name, size and mapping to hard disk sectors. The program replaces the drive's legitimate MBR code, which normally starts the operating system, with code that encrypts the master file table (MFT) and shows a ransom note. It stood out from other file-encrypting ransomware programs because it overwrites a hard disk drive's master boot record (MBR), leaving infected computers unable to boot into the operating system. Petya appeared on researchers' radar last month when criminals distributed it to companies through spam emails that masqueraded as job applications. Security experts have devised a method that allows users to recover data from computers infected with the Petya ransomware program without paying money to cybercriminals.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |