Remember last month when the WannaCry ransomware attack spread throughout the world, targeting certain Windows operating systems? There's a new ransomware attack happening now that uses the same exploit as WannaCry, and it's possibly even stronger than the previous attack.
It's called Petya, and it seems to have originated in Ukraine when accounting software company MeDoc pushed a malicious update to its software. This carried an updated version of the Petya ransomware, which spreads using the EternalBlue exploit against certain Windows computers, the same vulnerability that WannaCry exploited. It's generally believed that EternalBlue was originally developed by the United States National Security Agency; it was leaked by the Shadow Brokers hacker group earlier this year.
[Image: The CHKDSK screen, photo courtesy of @hackerfantastic on Twitter.]

Petya spread throughout the world today, and it soon became clear that this was a worse attack than WannaCry. The virus is more complex and stronger; it doesn't include some of the weaknesses that WannaCry did, such as poor payment management for the ransoms that it collects. Today, Petya has caused internet outages and inconvenienced businesses, but perhaps its greatest effect has been forcing the Maersk shipping company to shut down. Maersk is the largest shipping company in the world, and the cyberattack took down its IT systems. This compelled the Port of Los Angeles to close its largest terminal.
The best way to protect your computer is, of course, to keep its operating system up to date. Microsoft has already patched the EternalBlue vulnerability in Windows, but some people and businesses have not yet installed the update. As a result, Petya was able to spread throughout the world in spite of Microsoft already having released a fix for the vulnerability.
Earlier today, many people believed that the ransomware didn't include a kill switch like WannaCry did, but computer scientists and security experts on Twitter have recently discovered what appears to be a way to halt Petya's encryption function. The ransomware checks for a specific file in the Windows directory; if that file exists, it won't run the encryption. Creating a read-only file called "perfc.dat" in the C:\Windows folder will stop it from running; as a result, you can protect your computer from the virus by creating this file on your own computer.
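The "vaccine" file described above, as an added PowerShell example that is not from the article: it assumes the filename and folder the text gives (perfc.dat in the Windows directory) and an elevated session, creates the file only if it is missing, marks it read-only, and then verifies the result so an administrator can confirm the step actually took effect.

```powershell
# Added example, not from the article. Assumes the vaccine filename the text
# gives (perfc.dat) under the Windows directory, and an elevated PowerShell
# session, since writing to C:\Windows requires administrator rights.
function Install-PetyaVaccineFile {
    param(
        # Path is an assumption taken from the article: C:\Windows\perfc.dat
        [string]$Path = (Join-Path $env:SystemRoot 'perfc.dat')
    )

    # Create the file only if it does not exist yet; leave an existing one alone.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    }

    # Mark the file read-only so it is not trivially overwritten or removed.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Verify: return $true only if the file is present and read-only.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.IsReadOnly)
}

if (Install-PetyaVaccineFile) {
    Write-Output "Vaccine file present and read-only under $env:SystemRoot"
} else {
    Write-Warning "Vaccine file could not be created or made read-only; check permissions"
}
```

This is a stopgap the article attributes to researchers on Twitter, not a substitute for installing Microsoft's update for the EternalBlue vulnerability.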
If your computer is infected, you can still save your files. Upon infection, Petya will warn users with a "CHKDSK" message that disguises its file encryption. User Hacker Fantastic found that if you do not let the computer proceed past this message, you can turn off your computer, prevent the virus from completing the encryption, and recover your files via an external machine or a Live CD.