EternalPetya Ransomware Attack Explained by McAfee Technical Support UK

Angelina Watson
Jul 25, 2017 · 3 min read

Cyber criminals never stop trying to infect victims' computers and extract the maximum advantage from them. Among their many tools, ransomware has become a favourite. From an attacker's point of view it is very effective: it uses an encryption algorithm either to encrypt the files on a computer or to block access to the entire operating system, and the criminals behind it then demand a ransom in exchange for the decryption key. Because of this, ransomware attacks have become common, and in this article McAfee Technical Support UK explains one recent attack: EternalPetya (also widely reported under the name NotPetya), a type of ransomware.

Following the large-scale WannaCry ransomware attack in May 2017, computer systems in and around Ukraine were hit by another piece of ransomware in June. Because of the way it infected victims' computers and the tools it used to spread to other machines, it was named EternalPetya. To carry out the attack, the criminals behind it infiltrated M.E.Doc, a Ukrainian software company, and, while remaining undetected, gained access to the source code of the M.E.Doc software and to its update mechanism.

M.E.Doc develops and distributes tax and accounting software used primarily by individuals and businesses in Ukraine, and it also has users outside the country. As a result the software was installed across a large share of Ukrainian organisations as well as on systems belonging to people and organisations abroad.

With the source code in hand, the attackers inserted the ransomware into the software, together with exploit code intended to help it spread to other computers. Access to the update mechanism let them understand, and then abuse, the procedure through which updates were delivered to users. On 27 June 2017, still undetected, they pushed a compiled build of the software containing the malware to all of its users through that update channel. Computers configured to accept and install updates automatically were infected as soon as the update was applied. This is the defining feature of a software-supply-chain attack: the malicious code arrived through a trusted vendor channel, so neither the users nor their security tools had any reason to treat it as suspicious.

McAfee Antivirus Support UK has further found that the ransomware was programmed to use the EternalRomance and EternalBlue exploits and the DoublePulsar backdoor, which let it spread to other computers on the same network. The EternalBlue exploit, which abuses a flaw in the SMBv1 file-sharing protocol of Windows (fixed by Microsoft in the MS17-010 update), had already been used by WannaCry. Patching alone was not enough to stop EternalPetya, however: it also harvested credentials from memory and used them to copy itself to other machines with the legitimate PsExec and WMIC administration tools, so a fully patched host could still be infected from a compromised neighbour. Once running, EternalPetya blocks access to the operating system by overwriting the Master Boot Record (MBR) with its own boot code and encrypting the Master File Table (MFT). Both structures are essential to booting: the MBR holds the partition table and the first-stage boot code, and the MFT is the NTFS index that records where every file on the volume is stored. With the MBR replaced and the MFT encrypted, the system cannot boot into Windows, and even file contents that were never encrypted can no longer be located on the disk.
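The boot-sector tampering described above can be checked for with a baseline comparison. The following Python script is an added example written for this article, not code from the original post or from McAfee: it parses a 512-byte MBR, validates the 0x55AA signature and the partition table, and compares a SHA-256 of the boot-code region against a hash recorded while the machine was known to be clean. The sample sectors are constructed inline and the boot-code bytes are placeholders, not real bootstrap code; on a real system the 512 bytes would be read from the raw disk device, which requires administrator access. It detects a replaced MBR, not an encrypted MFT, so it complements patching and backups rather than replacing them.

```python
"""Baseline check for Master Boot Record tampering (constructed example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0x000-0x1BD hold the first-stage boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries start at 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 0x1FE-0x1FF of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int      # 0x07 is NTFS/exFAT; 0x00 means the slot is unused
    lba_start: int
    sector_count: int


def build_mbr(boot_code: bytes, partitions: List[PartitionEntry]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition table too large for an MBR")
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, p in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if p.bootable else 0x00, p.type_id,
                         p.lba_start, p.sector_count)
    buf[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(buf)


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four partition slots, skipping unused (type 0x00) ones."""
    entries = []
    for i in range(4):
        status, type_id, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if type_id != 0x00:
            entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    parts = parse_partition_table(mbr)
    if not parts:
        findings.append("partition table is empty")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition is flagged active")
    return findings


# Constructed sample data: the boot-code bytes are placeholders, not real bootstrap code.
NTFS_PART = [PartitionEntry(bootable=True, type_id=0x07, lba_start=2048, sector_count=1_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40, NTFS_PART)
CLEAN_HASH = boot_code_hash(CLEAN_MBR)   # recorded while the machine is known to be clean

# Simulated Petya-style overwrite: the partition table is kept intact, so the disk still
# looks sane to a casual inspection, but the boot code now belongs to the attacker.
TAMPERED_MBR = build_mbr(b"\xeb\x58\x90" + b"\xcc" * 60, NTFS_PART)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, CLEAN_HASH) or ["ok"])
```

The baseline hash has to be taken on a machine that is known to be clean and refreshed whenever the bootloader is legitimately updated (for example by an operating system upgrade), otherwise the check raises false alarms. Hashing only the boot-code region rather than the whole sector keeps routine partition changes from triggering it.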

EternalPetya is closely related to the Petya family of ransomware. Petya blocks a user's access to the whole system by attacking low-level structures on the disk rather than individual files. Petya has four official versions released by its authors, who call themselves Janus Cybercrime Solutions, and two unofficial releases built on it by other actors: PetrWrap and EternalPetya. PetrWrap is a fully functional ransomware, whereas EternalPetya appears to have been left unfinished on purpose: the key it uses to encrypt the MFT cannot be recovered from the "installation key" shown to the victim, which is simply random data with no relation to the encryption key. Once the disk is encrypted, the data cannot be decrypted even by the authors, so paying the ransom cannot restore it; in practice EternalPetya behaves as a destructive wiper dressed up as ransomware.

To prevent such attacks, computer users should have a capable anti-malware application installed. Effective malware protection adds extra layers of defence that block a harmful program from running or from communicating with its operators. Keeping the system updated also prevents attacks, because security flaws are corrected by software patches; in this case the MS17-010 update closed the SMB flaw abused by EternalBlue and EternalRomance, and disabling SMBv1 where it is not needed removes that attack surface altogether. Because EternalPetya also spread with stolen administrator credentials, organisations should avoid sharing local administrator passwords across machines and should keep offline backups, since encrypted data cannot be recovered by paying. To gain insight into different types of ransomware and how to prevent their attacks, contact McAfee Support UK.
