Petya virus spreads from Europe to Asia


The latest threat in cyberspace, dubbed as “Petya” has spread to Asia after targeting businesses and organizations in Europe, a security firm said on Friday.

“We see that cyber attackers are compromising businesses and individuals in Asia with continued success. While the threat may have started in Eastern Europe, it has quickly spread across the world within a short time,” Symantec Corporation told The Manila Times in an email.

“Manufacturing organizations, which are highly concentrated in Asia, are particularly at risk as most do not apply updates as swiftly as corporate entities. This makes them especially vulnerable to rapid infections and complete shutdowns,” it added.

Top 20 countries based on numbers of affected organizations. Screenshot from Symantec website

An article from Bloomberg News reported that shipping authorities in India reported that the AP Moller-Maersk at the Jawaharlal Nehru Port Trust, the country’s biggest container port, was unable to operate, while the Gateway Terminal India failed to identify which shipment belongs to whom because of the Petya virus that locked their systems in exchange for $300 bitcoin.

“Petya attempts to encrypt a set of files that have specific extensions. The attacker then demands Bitcoin payment worth $300, which must be transferred to a single wallet. The victim then needs to send the payment notification over to an email address,” Symantec explained.

In its website, Symantec urges users not to pay the ransom as there is no assurance that their files will be restored.

It noted in the interview that Petya is “accurately more wiper rather than ransomware,” explaining that the “installation key” is just a randomly generated string of numbers displayed to the user, while a randomly generated Salsa20 key is used for disk encryption.

“There is no relationship between the installation key and the Salsa20 key, therefore the disk can never be decrypted,” Symantec said.

The security firm detected on June 27 the penetration of the new strain and confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya. Proving this, Symantec data showed Ukraine is the hardest hit as MEDoc is widely used in there.

“Petya has been affecting multiple countries, especially those in Eastern and Western Europe. Similar to WannaCry, Petya is gaining prevalence in specific time zones and geographical areas, which have relatively earlier wake times. The ransomware then moves across time zones as more people go online during the day,” it said.

“At present, the attack is very broad-based and we continue to see organizations of all types fall victim to this attack. While it may not necessarily be a targeted attack, we do see industrial networks suffer significantly; where machines that control production systems are being locked up by cyber criminals,” it continued.

Symantec also said that the same digital weapon Eternal Blue was used by WannaCry to attack over a hundred countries in May this year.

“One of the ways in which Petya propagates itself is by exploiting the MS17-010 vulnerability, also known as Eternal Blue. It also spreads by acquiring user names and passwords and spreading across network shares,” it said.

Symantec stressed that even though an organization has been patched against Eternal Blue, Petya also uses classic server message block network spreading techniques that can allow it to spread within organizations.

Meanwhile, Symantec said, “While Petya is currently more prevalent in the Western region, it can potentially spread to other countries, including the Philippines through alternative means such as social engineering exploits. It is important that all consumers and organizations ensure that their systems are up to date, installed with updated security software and show discretion when receiving unsolicited email.”

Symantec also offers its Symantec Endpoint Protection and Norton products that proactively protect consumers against attempts to spread Petya using Eternal Blue.


Please follow our commenting guidelines.

Comments are closed.