India being the worst affected is indeed a fact. But it is more a technicality than anything significant.
“India is worst affected in Asia in Petya Cyberattack” went a headline. “India worst hit by Petya in APAC, 7th Globally”, went another. There have been several stories in the last day in Indian media over the Petya ransomware attack, which seems to have its epicenter in Ukraine.
Guess what. All these headlines are correct. Security major Symantec, whose statement is the basis of all these stories, did indeed list the top impacted countries. On that basis, India has 18 organizations impacted by Petya, the same number as Germany and the UK, and slightly more than China and Japan.
Yes, being ahead of China and Japan, which are larger markets, is not a thing to celebrate. But is it a big enough deal to raise a hue and cry over?
“If you look at the numbers, they are really small for a country of the size of India,” said a security and regulation expert who did not want to be named. They really are.
While Symantec has reported that the malware has impacted 18 organizations, it has not reported the number of machines affected. No major large-scale impact has been reported by Indian companies other than Jawaharlal Nehru Port Trust, India’s largest container port, operated by Danish shipping major AP Moller-Maersk. Business Standard reported that the Indian operations of WPP’s Group M and chocolate maker Mondelez were impacted too.
Most likely, there has not been a severe impact on any organization. “In India, so far we have no cases of Petya that have been reported to us. The countries most affected are in Europe, typically Ukraine and Russia,” said Sharda Tickoo, Technical Head, India, Trend Micro, another major security firm.
However, Tickoo warned against taking it less seriously. Referring to the comparisons being drawn between WannaCry and Petya, she said, “WannaCry was a very basic form of ransomware attack and it used worm-like techniques. Petya seems to be a thorough ransomware which uses different modalities. It is using the EternalBlue vulnerability. It leverages multiple infection vectors, not just one.”
The Petya ransomware modifies the Master Boot Record (MBR) and encrypts the system files. Once the MBR is modified by this ransomware, the system displays the ransom note instead of a black or blue screen. Normal ransomware, by contrast, does not touch the MBR; it encrypts files and asks for ransom. The Petya ransomware is a combination of a wiper and a ransomware, because it wipes the MBR, explained Trend Micro.
“Similar to WannaCry, Petya uses the EternalBlue exploit as one of the means to propagate itself. However, it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against EternalBlue,” said Symantec.
Symantec said Petya uses two primary methods to spread across networks:
- Execution across network shares: It attempts to spread to the target computers by copying itself to \\[COMPUTER NAME]\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
- SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.
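As an added illustration that is not from the article or from Symantec, the sketch below shows how a defender might flag the network-share propagation path described above (a copy to an admin$ share followed by remote execution through WMIC or PsExec) in endpoint telemetry. The event layout, hostnames, user and file names are constructed for the example and are not indicators from the article.

```python
import re

# Constructed Sysmon-style process-creation and file-create records for the
# example only; hosts, users and file names are made up, not real indicators.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"WS-02" /user:"CORP\svc_backup" process call create "C:\Windows\dropped.dll"'},
    {"type": "process", "host": "WS-01", "image": r"C:\Users\jdoe\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\WS-03 -s C:\Windows\dropped.dll"},
    {"type": "file", "host": "WS-01", "image": r"C:\Windows\rundll32.exe",
     "target": r"\\WS-04\admin$\dropped.dll"},
    {"type": "process", "host": "WS-05", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},          # benign local WMIC query
    {"type": "file", "host": "WS-05", "image": r"C:\Windows\explorer.exe",
     "target": r"\\FS-01\share\report.xlsx"},   # benign write to an ordinary share
]

# WMIC targeting another node and creating a process there.
WMIC_REMOTE = re.compile(r"/node:\S+.*process\s+call\s+create", re.IGNORECASE)
# PsExec given a \\HOST target.
PSEXEC_REMOTE = re.compile(r"\\\\[\w.-]+")
# A file written under the administrative share of a remote host.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\admin\$\\", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lateral_movement(events):
    """Return (rule, source_host, detail) tuples for events that match the
    admin$ staging write or either remote-execution tool named in the article."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if image == "wmic.exe" and WMIC_REMOTE.search(cmd):
                findings.append(("wmic_remote_exec", ev["host"], cmd))
            elif image in ("psexec.exe", "psexec64.exe") and PSEXEC_REMOTE.search(cmd):
                findings.append(("psexec_remote_exec", ev["host"], cmd))
        elif ev["type"] == "file" and ADMIN_SHARE.match(ev["target"]):
            findings.append(("admin_share_write", ev["host"], ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"[{rule}] from {host}: {detail}")
```

Any one of these events alone can be legitimate administration; the signal worth alerting on is the same source host producing all three within a short window, which is what a real pipeline would correlate.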