A growing number of cybersecurity firms, including BitDefender, Kaspersky Lab and Symantec, along with a cohort of independent cybersecurity researchers, say that the quickly spreading ransomware variant, known as Petya, is proliferating in part due to two previously leaked NSA hacking tools, codenamed EternalBlue and EternalRomance.
This is not the first time in recent months that hackers combined leaked NSA computer code with ransomware to make their attacks more potent.
Researchers disagree on how to classify the quickly spreading malware, with some security experts calling it a variant of Petya or GoldenEye and others describing it as an entirely different computer virus. Regardless, commonalities do exist, and incidents involving what appears to be the same “Petya” ransomware were reported Tuesday across most of Europe.
Petya is believed to be more complex than a similar recent attack known as WannaCry, which was also powered by EternalBlue, although in a slightly different fashion. In both cases, the virus locked up infected computers by encrypting files until a bitcoin payment was received. However, most of the similarities end there.
Unlike WannaCry, Petya spreads across the local subnet. Once it has finished spreading, it reboots the machine and encrypts its hard drive. The Petya outbreak was more limited than WannaCry because the ransomware appears not to have been designed to spread across the open internet, but rather within isolated networks.
It’s not entirely clear how Petya originally penetrated some affected organizations. There are competing theories, and each new incident adds further cases to weigh. As a result, the initial infection vector is still a hotly debated topic.
In Ukraine, the country hardest hit by Petya, the ransomware was likely spread through an accounting software update pushed out by MeDoc, according to Cisco and Kaspersky Lab. The virus may also be getting into companies via phishing emails, according to IB Group.
While researchers say EternalBlue is helping propagate Petya, there is evidence to suggest that the malware is also simultaneously using elements of two mutated Microsoft-specific system admin tools, namely WMI and PSEXEC, to execute other remote commands, allowing the virus to automatically move across a network, scrape account login credentials and ultimately infect more local machines.
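The behaviours described in the two preceding paragraphs, worm-like spreading across the local subnet and remote execution through PsExec and WMI, leave footprints in ordinary endpoint telemetry that a defender can alert on regardless of which exploit got the malware onto the first machine. The script below is an added illustration, not code from the article or from any of the vendors it cites. It runs three heuristics over a handful of constructed sample events (not real logs): installation of a service named PSEXESVC, a process whose parent is WmiPrvSE.exe, and one host opening SMB connections to many peers on its own /24 within a short window. The event field names and the thresholds are assumptions chosen for the example; they mirror common Sysmon and System-log fields but would need mapping to whatever a real log pipeline emits.

```python
"""Detect PsExec-style, WMI-style and subnet fan-out lateral movement in endpoint telemetry.

All records below are constructed for this example. Field names (kind, image,
parent_image, service_name, src_ip, dst_ip, dst_port) are assumed; map them to
your own telemetry schema before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry: one dict per event, ISO timestamps.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:00:01", "host": "ws-01", "kind": "service_install",
     "service_name": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:00:03", "host": "ws-01", "kind": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2017-06-27T10:00:05", "host": "ws-07", "kind": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
] + [
    # ws-01 (10.1.2.15) touches twelve neighbours on tcp/445 in twelve seconds
    {"ts": f"2017-06-27T10:00:{10 + i:02d}", "host": "ws-01", "kind": "net_connect",
     "src_ip": "10.1.2.15", "dst_ip": f"10.1.2.{20 + i}", "dst_port": 445}
    for i in range(12)
] + [
    # a single benign file-share connection from another workstation
    {"ts": "2017-06-27T10:05:00", "host": "ws-07", "kind": "net_connect",
     "src_ip": "10.1.2.40", "dst_ip": "10.1.2.5", "dst_port": 445},
]


def detect_psexec_service(events):
    """Service installs named PSEXESVC: the classic PsExec remote-execution artefact."""
    return [f"{e['host']}: PSEXESVC installed ({e['image']})"
            for e in events
            if e["kind"] == "service_install"
            and e["service_name"].upper() == "PSEXESVC"]


def detect_wmi_spawn(events):
    """Processes whose parent is WmiPrvSE.exe: typical of remote WMI process creation."""
    return [f"{e['host']}: {e['image']} spawned by WmiPrvSE.exe"
            for e in events
            if e["kind"] == "process_create"
            and e["parent_image"].lower().endswith("\\wmiprvse.exe")]


def detect_smb_fanout(events, window=timedelta(minutes=2), threshold=10):
    """One source reaching >= threshold distinct SMB peers on its own /24 within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "net_connect" and e["dst_port"] == 445:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["dst_ip"]))
    alerts = []
    for src, conns in by_src.items():
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        conns.sort()
        # slide the window start over each connection; count distinct same-subnet peers
        for i, (t0, _) in enumerate(conns):
            peers = {dst for t, dst in conns[i:]
                     if t - t0 <= window and ipaddress.ip_address(dst) in net}
            if len(peers) >= threshold:
                alerts.append(f"{src}: {len(peers)} SMB peers on {net} within {window}")
                break  # one alert per source is enough
    return alerts


def run_detections(events):
    """Run all three heuristics and return their findings keyed by rule name."""
    return {"psexec": detect_psexec_service(events),
            "wmi": detect_wmi_spawn(events),
            "smb_fanout": detect_smb_fanout(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

None of these rules is specific to Petya: PsExec and WMI are legitimate administration tools, so the PSEXESVC and WmiPrvSE rules will also fire on genuine admin activity and are best treated as enrichment for an investigation rather than stand-alone alarms. The subnet fan-out rule is the one that most directly captures the worm-like behaviour the article describes, and it works even on hosts that are patched against EternalBlue, because it keys on network behaviour rather than on the exploit.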
The net effect is a quickly spreading variant of ransomware that is harder to stop than WannaCry because it can compromise patched systems.