A type of ransomware known as Petya and Petrwrap began spreading internationally on Tuesday. Reported victims so far include Ukrainian infrastructure like power companies, airports, public transit, and the central bank, as well as the Danish shipping company Maersk, the Russian oil giant Rosneft, and institutions in India, Spain, France, the United Kingdom, and beyond.
What makes the rapid escalation of Petya both surprising and alarming is its similarity to the recent worldwide WannaCry ransomware crisis, primarily in its use of NSA exploit EternalBlue to spread through networks.
Petya is not a surprise.
The WannaCry ransomware attack was unique, in that it was very good at one thing and very bad at another. This bug propagated itself rapidly from system to system using the NSA “EternalBlue” exploit. Technically, WannaCry was a worm, which makes it very different from past ransomware attacks, which are typically delivered via email and phishing exploits.
The second way in which WannaCry (and now Petya) was unique is that it made no money. Make no mistake – ransomware is an organized, well-funded industry that exists to make money, which WannaCry failed to do.
While it’s too soon to tell, my guess is that cyber criminals (probably in Eastern Europe or Russia) took EternalBlue, wrapped it in a modified version of WannaCry’s propagation engine, and also gave it the ability to earn some major Bitcoins, and now we have Petya.
If I were a black hat hacker, that is exactly what I would have done with this little gem.