India among worst hit by Petya virus, says Symantec

29 Jun 2017

The Petya cyberattack that has swept across the globe is much worse than initially thought. Security researchers have come to the conclusion it is not a ransomware, but a 'wiper', with the aim of mass destruction of data. Unlike the earlier WannaCry, the idea here was never really to collect money from victims or enterprises.

The fact that Petya uses not one but multiple Windows vulnerabilities to spread itself is what makes it more dangerous than the WannaCry virus of a couple of months ago. Petya is crypto-ransomware, which means it does not just lock systems but also encrypts their files.

And, contrary to information minister Ravi Shankar's claims that India is not much affected by Petya, security firm Symantec, maker of the popular Norton anti-virus programme, asserts that India was the worst hit in the Asia Pacific region, and the 7th worst affected country globally.

India's largest container port - Jawaharlal Nehru Port Trust, near Mumbai - was affected by the cyberattacks. Operations at one of three terminals of JNPT have been massively disrupted by the ransomware attack. (See: JNPT hit as new Petya virus sweeps across globe)

"The terminal impacted is operated by Danish shipping giant AP Moller-Maersk, which said separately on Tuesday that the cyberattack had caused outages in its computer systems globally. The Indian port has been trying to clear containers manually, but operational capacity has dropped to a third at the terminal," JNPT chairman Anil Diggikar told Reuters.

BNP Paribas Real Estate, a company which provides property and investment management services, confirmed on Wednesday that it too was a victim of the malware attack. "The international cyberattack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack," the bank told Reuters.

Not about money
The early theory that the attack's motive was simply to make money does not hold water any longer. For one, the attackers used a single bitcoin wallet and a single email account for contact. The email account was suspended soon after the attacks were discovered. While the wallet is still active, it most probably is under close monitoring by law enforcement agencies, making it very difficult for the attacker to collect the payment.

Many reports claim that the motivation behind the attack was political - aimed at disrupting critical infrastructure in Ukraine. The attack affected some of Ukraine's crucial infrastructure such as its airport, central bank and the Chernobyl power plant. Symantec's rival cybersecurity firm Kaspersky Lab has reported that 60 per cent of the systems infected globally were located within Ukraine.

Researchers have compared the code of the 2016 and 2017 versions of Petya and come to the conclusion that the latest version is in fact a wiper. This was first reported by Matt Suiche, who is founder of the cyber security firm Comae.

Suiche said in a blogpost, "After comparing implementation, we noticed that the current version of Petya that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk."
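The sector-trashing behaviour Suiche describes points to one practical defensive check: record a digest of the first sectors of a disk (or a disk image taken for backup or forensics) while it is known-good, and compare against it later. The Python below is an added example written for this page, not code from Symantec, Comae or the original article. It assumes classic 512-byte sectors, works on a constructed in-memory image rather than a real disk, and includes a test-fixture function that overwrites the first 25 sectors of that in-memory image so the check can be exercised offline.

```python
import hashlib

SECTOR_SIZE = 512      # assumption: classic 512-byte sectors
BOOT_SECTORS = 25      # the "25 first sector blocks" from the quote above


def make_constructed_image(total_sectors: int = 64) -> bytes:
    """Constructed sample image: a fake MBR in sector 0 (zeros, a few
    placeholder bytes, and the 0x55AA boot signature) followed by filler."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:4] = b"\x33\xc0\x8e\xd0"      # placeholder boot-code bytes, not real code
    mbr[510:512] = b"\x55\xaa"          # MBR boot signature
    filler = bytes(i % 251 for i in range((total_sectors - 1) * SECTOR_SIZE))
    return bytes(mbr) + filler


def boot_region_digest(image: bytes, sectors: int = BOOT_SECTORS) -> str:
    """SHA-256 over the first `sectors` sectors of a raw disk image.
    This is the value to record while the disk is known-good."""
    needed = sectors * SECTOR_SIZE
    if len(image) < needed:
        raise ValueError("image is shorter than the region being checked")
    return hashlib.sha256(image[:needed]).hexdigest()


def has_mbr_signature(image: bytes) -> bool:
    """True if sector 0 still ends with the 0x55AA MBR signature."""
    return image[510:512] == b"\x55\xaa"


def first_mismatched_sector(baseline: bytes, current: bytes,
                            sectors: int = BOOT_SECTORS):
    """Index of the first sector in the boot region that differs between a
    known-good copy and the current image, or None if they are identical."""
    for i in range(sectors):
        lo, hi = i * SECTOR_SIZE, (i + 1) * SECTOR_SIZE
        if baseline[lo:hi] != current[lo:hi]:
            return i
    return None


def check_boot_region(image: bytes, expected_digest: str) -> dict:
    """Compare the current image against a recorded digest and report."""
    digest = boot_region_digest(image)
    return {
        "digest_matches": digest == expected_digest,
        "mbr_signature_present": has_mbr_signature(image),
    }


def simulate_boot_region_damage(image: bytes) -> bytes:
    """Test fixture only: return a copy of the in-memory image whose first
    25 sectors have been overwritten with 0xFF, so the checks above can be
    exercised without touching any real disk."""
    damaged = bytearray(image)
    damaged[: BOOT_SECTORS * SECTOR_SIZE] = b"\xff" * (BOOT_SECTORS * SECTOR_SIZE)
    return bytes(damaged)


if __name__ == "__main__":
    good = make_constructed_image()
    baseline = boot_region_digest(good)
    print("known-good:", check_boot_region(good, baseline))
    damaged = simulate_boot_region_damage(good)
    print("after damage:", check_boot_region(damaged, baseline),
          "first differing sector:", first_mismatched_sector(good, damaged))
```

On a real system the image would be read from the raw device with administrative rights and the baseline digest stored somewhere the machine itself cannot alter, such as on the backup medium; a digest mismatch combined with a missing boot signature is a strong hint that the boot region, not merely individual files, has been overwritten, which decides whether a restore from backup is the only way forward.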

Staying protected
Experts recommend three major steps to protect yourself from this and most major malware on the internet – all of them fairly obvious to experienced internet users. The first step is installing antivirus software and keeping Windows up to date. While a full-feature paid internet security suite like Kaspersky Internet Security, Norton or ESET Smart Security is recommended, there are many free tools on the market like Malwarebytes and Zemana which are fairly effective. These free tools should be paired with a free antivirus like Avast or AVG.

The second step is to be vigilant. Never open links from emails and sites which you do not fully trust. Always think twice before clicking on anything on the internet. Remember, there are no free lunches in this world - if someone is offering you a thousand dollars, it is probably fake.

The last step is to always keep Windows up to date and for that you need to run a legitimate version of Windows. Pirated operating systems are very vulnerable to cyberattacks.

If Petya hits
If you do get Petya on to your machine, remember it reboots your computer about an hour after infection. The first thing you can do is switch the computer off while the machine is rebooting - this might prevent the files from being encrypted and save some of your files.

If the system reboots and a ransom note is displayed, do not pay the ransom. That will be a futile exercise now as the email address given on the note has already been shut down. All you can do is to disconnect your computer from the internet, format your HDD and then re-install Windows and start afresh, putting back all your files if you were smart enough to back them up beforehand.