The “Petya” cyber attack has hit Africa, South Africa’s 702 Radio has reported. According to the media outlet, several companies in the country could have suffered from the attack that started in Ukraine earlier this week. The malware has hit several organisations in Europe and America, and is now being felt in Africa as well as in some parts of Asia.

How Petya Works

The ransomware targets the networks of large organisations and, in practice, machines running Microsoft Windows. Like WannaCry, it uses the EternalBlue exploit against the SMBv1 flaw that Microsoft closed with the MS17-010 update to reach other Windows machines on the same network; EternalBlue is a spreading mechanism, not a way of "infecting system files".

Once it is running on a machine, the malware encrypts files in the background, overwrites the boot record and schedules a reboot. On reboot it takes over the boot process and encrypts the disk's file table, after which Windows can no longer start. Where EternalBlue cannot be used, for example against patched hosts, NotPetya falls back on Windows administrative tools, executing itself remotely with credentials harvested from the machine it already controls. It then demands $300 worth of bitcoin. The ransom screen shows a bitcoin address and an email address; after paying, victims are supposed to email their bitcoin wallet ID together with the 60-character "personal installation key" shown on screen in order to receive a decryption key.

Petya Reincarnate?

‘Petya’ is not the malware's real name: the original Petya surfaced in March 2016, and because the new outbreak reused parts of it (the boot-level encryption and the ransom screen), early reports assumed it was a new version and called it ‘Petya’. Kaspersky Lab concluded that it was a different family, calling it ExPetr, and the name ‘NotPetya’ stuck. Other names include Pneytna, Petna and, from the Romanian security firm Bitdefender, GoldenEye. By then ‘Petya’ had already gone viral, but ‘NotPetya’ is the name most widely used for this attack.

Another WannaCry?

NotPetya came barely two months after WannaCry hit companies in Africa and elsewhere. Microsoft had already published the MS17-010 update closing the SMBv1 flaw that EternalBlue exploits in March 2017, before WannaCry, and after WannaCry it took the unusual step of releasing the fix for unsupported versions such as Windows XP as well. Even so, many organisations had still not applied it.

EternalBlue is an exploit widely believed to have been developed by the NSA; a group calling itself the Shadow Brokers leaked it online in April 2017. According to Symantec, both WannaCry and NotPetya used it to spread, and Symantec has attributed WannaCry to the North Korea-linked Lazarus group.

But Maya Horowitz, threat intelligence group manager at Check Point, says:

“Unlike other ransomware types, Petya does not encrypt files on infected machines one by one. Instead, it locks up the entire hard disk drive.”

Antivirus Response

Symantec and Kaspersky are among the antivirus vendors that say their products detect and block ‘Petya’ infections, and both urge users to update their security software. Microsoft's March 2017 MS17-010 update patches the SMBv1 vulnerability that EternalBlue exploits, so a fully patched machine cannot be infected over that path, although the credential-based spreading described above still works against it.

According to The Register, some Windows users found that the NotPetya outbreak checks for a read-only file in C:\Windows (reported as perfc.dat; later analysis identified the name as that of the malware's own DLL, perfc.dat, without its extension, i.e. C:\Windows\perfc) and does not run on machines where the file is present. This is a per-host vaccine rather than a kill switch: it protects only the machine it is created on, and other computers on the network remain exposed.
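The following is an added example, not code from the article or from any vendor quoted in it. It hardens one Windows host against the two things this page describes: the file check that stops NotPetya running locally, and the SMBv1 path that EternalBlue needs. It assumes an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later (for the Smb* and Get-NetTCPConnection cmdlets), and it creates all three filenames reported in 2017 (perfc, perfc.dat, perfc.dll) because accounts of the exact name differed.

```powershell
# Added example: per-host NotPetya hardening. Run as Administrator.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; the vaccine
# filenames are the ones reported in 2017 (the malware checks C:\Windows
# for a file named after its own DLL). MS17-010 must still be installed.

# 1. Vaccine files: empty, read-only, in the Windows directory.
#    This protects only this host; repeat on every machine.
$names = @('perfc', 'perfc.dat', 'perfc.dll')
foreach ($name in $names) {
    $path = Join-Path -Path $env:SystemRoot -ChildPath $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Write-Host "vaccine present: $path"
}

# 2. Close the EternalBlue path: turn off SMBv1 on the server side.
#    Defence in depth on top of MS17-010, which fixes the flaw itself.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server disabled"
} else {
    Write-Host "SMBv1 server already disabled"
}

# 3. Report the host's state; collect this across a fleet before the
#    next outbreak rather than during one.
[PSCustomObject]@{
    Host         = $env:COMPUTERNAME
    Smb1Enabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    VaccineFiles = ($names | ForEach-Object {
                        Test-Path -LiteralPath (Join-Path $env:SystemRoot $_)
                    }) -notcontains $false
    Smb445Listen = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                          -ErrorAction SilentlyContinue)
}
```

Disabling SMBv1 will break very old clients and some network printers, so test it before rolling it out. Note that the report line for port 445 is informational: SMB still listens there once SMBv1 is off, because SMBv2/3 use the same port; the point is that the protocol version the exploit requires is no longer offered.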

Spreading Like Mushrooms in Fall

As The Guardian quotes Proofpoint’s Ryan Kalember, the malware “has a better mechanism for spreading itself than WannaCry.”

Barely a few days after being reported in Ukraine, NotPetya has moved fast to other parts of the world and has disrupted large corporations in Europe and the United States. Victims include the advertising group WPP, Saint-Gobain, Russia's oil and steel leaders Rosneft and Evraz, the law firm DLA Piper, Heritage Valley Health System and AP Moller-Maersk. It is also believed to have brought operations at India's largest container port, JNPT, to a standstill.

On Wednesday, the ransomware was reported to have hit South African companies. The country’s Radio 702 announced that some local firms could have been infected.

What to Do If Affected

NotPetya runs on a freshly infected computer, encrypts files in the background and schedules a reboot; victims and researchers reported a delay of up to about an hour before the machine restarts. On reboot the malware shows a fake disk-repair (CHKDSK-style) message while it encrypts the disk's file table. @HackerFantastic on Twitter pointed out that this window can be used to save the disk. The user tweeted:

‘If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine.’

Powering the machine off as soon as that screen appears stops the boot-level encryption before it finishes. The machine is still infected and should not be booted back into Windows, but the disk can be mounted on a clean system to recover its contents. Files that the earlier, pre-reboot stage had already encrypted are not recovered this way.

If it is too late and the disk is already encrypted, a note will demand the ransom. Paying is pointless: the attackers' email provider suspended the ‘support’ address printed in the note, so there is no way to send them the installation key and no way for them to send a decryption key back.

Instead, take the device off the network, wipe and rebuild it, and restore files from a backup taken before the infection. Regular backups kept offline or otherwise out of reach of the infected machine are the only reliable way to recover from this kind of attack.

Who Is Behind NotPetya?

After the first reports, pundits noted that the operation looked too amateurish to have come from professional criminals; some even suggested that an amateur was trying to take advantage of a leaked cyber weapon.

The first indication was that every victim was given the same bitcoin address, whereas organised ransomware operations generate a separate address per victim so that payments can be matched to them. In addition, the malware offered a single email address as its ‘customer service’ channel, and that address was suspended by its provider almost immediately, cutting off any payment handling. A seriously planned extortion scheme would not have depended on it.

But later analysis points to something bigger than ordinary cybercrime. Speaking to Krebs on Security, security researcher Nicholas Weaver described Petya as a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.” The reason is that the malware's code makes the changes to a victim's disk irreversible: the data cannot be recovered even if the ransom is paid. That sets it apart from ordinary ransomware.

Although the evidence is not conclusive, security researchers say the attack is destructive malware aimed at Ukrainian institutions and masquerading as ransomware. One of those who hold this view is the pseudonymous researcher the Grugq, who notes that this malware is different from the old Petya, which “was a criminal enterprise for making money.”

He draws the contrast with NotPetya: “The new is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware,” he adds.

On his blog, the Grugq also argues that the payment mechanism was too unrealistic: nobody would engineer malware this carefully and then botch the part that collects the money. A single, easily traced payment address and an email address that a provider could shut down would be careless for a criminal, and requiring victims to email a 60-character installation key is, in his words, like asking them to ‘send a personal cheque to Petya Payments, PO Box … ’

Why Ask Ransom in Bitcoins?

Most ransomware demands payment in bitcoin. Attackers resort to the cryptocurrency for its pseudonymity: they understand that using bank accounts or credit cards would get them identified in no time. Hence, to stay unidentified, the Petya attackers demand that $300 be paid to their bitcoin address. Bitcoin is pseudonymous rather than anonymous, however; every payment is recorded on a public ledger, which is one reason a single shared address is such poor tradecraft.

Like WannaCry before it, Petya is a wake-up call for African organisations to take cyber security seriously. A number of government authorities are already helping companies to stay safe: in a press statement, the Communications Authority of Kenya (CA) outlines the security measures that organisations and individuals ought to take, and Nigerian authorities have issued a similar statement.