WannaCry and Petya Ransomware: What are the Similarities?

Image via New York Times

While the WannaCry ransomware, which struck in May 2017, and the highly destructive Petya variant, which struck in June 2017, have some similarities, they also have several differences. Most notably, WannaCry was truly ransomware. This recent Petya variant was not ransomware, but instead a wiper disguised as ransomware. Unlike ransomware, wiper malware is designed to destroy systems and data; the attacker offers no option for recovery. Below is a more detailed explanation of the similarities and differences between these two types of malware.

Similarities:

Both Petya and WannaCry targeted only Windows systems. Both included the EternalBlue exploit, which takes advantage of an SMB vulnerability to rapidly propagate through a network. The use of this exploit gave both types of malware worm capabilities, helping attackers maximize the damage. This vulnerability was patched by Microsoft prior to the WannaCry attacks.
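A defender's view of the worm behaviour described above, as an added example that is not part of the original article: a host spreading over SMB contacts many distinct peers on TCP port 445 in a short time, so this Python code flags that fan-out in flow records. The log format, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
2024-01-15T10:00:01 10.0.0.5 10.0.0.11 445
2024-01-15T10:00:02 10.0.0.5 10.0.0.12 445
2024-01-15T10:00:03 10.0.0.5 10.0.0.13 445
2024-01-15T10:00:04 10.0.0.5 10.0.0.14 445
2024-01-15T10:00:05 10.0.0.5 10.0.0.15 445
2024-01-15T10:00:06 10.0.0.8 10.0.0.20 445
2024-01-15T10:00:30 10.0.0.8 10.0.0.20 445
2024-01-15T10:00:40 10.0.0.8 10.0.0.30 443
2024-01-15T10:01:00 10.0.0.9 10.0.0.20 445
2024-01-15T10:05:00 10.0.0.9 10.0.0.21 445
truncated record
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout(flows, max_peers=3, window=timedelta(seconds=60), port=445):
    """Return {src: peak distinct SMB peers per window} for sources above max_peers."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak > max_peers:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout(parse_flows(SAMPLE_FLOWS)))
```

A file-server client that talks to one peer repeatedly, or a host that reaches several peers spread over minutes, stays below the threshold; only the rapid fan-out is reported.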

Following the encryption, victims of both were shown a screen that informed them they had been hacked and demanded a ransom, paid in Bitcoin, to retrieve their data.

Differences:

The differences outweigh the similarities when it comes to these attacks.

In addition to using the EternalBlue exploit, Petya also used the EternalRomance vulnerability, which enables remote privilege escalation on certain versions of Windows. This vulnerability was also patched by Microsoft, but the patch did not protect victims from the Petya variant.

Following the initial infection, WannaCry malware required a connection with the attacker’s Command and Control server (C2) before it could execute. If a connection could not be established, WannaCry could not execute. The Petya variant, however, was able to execute, spread and encrypt without connecting to the C2.

Based on the encryption characteristics of these two types of malware, it’s clear that there were two very different intents. The intent of WannaCry was sheer financial gain. While victims could potentially lose data if they did not have recent backups and were not willing to pay the ransom, the data was still recoverable. In the case of this Petya variant, the intent was wide-scale system destruction to disrupt operations within business and government organizations. Data on infected systems could not be easily recovered, and the corruption of the Master Boot Record and Master File Table made it incredibly difficult, if not impossible, to restore the impacted systems to a usable state.

As the comparison above shows, this Petya variant was much stronger and much more malicious than the WannaCry ransomware.

(Story via Quora)