2017-07-04

How similar are WannaCry and Petya Ransomware? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.

Answer by IBM Security's Wendi Whitmore, Global Partner & Lead, IBM X-Force Incident Response & Intelligence Services (IRIS) and Steve Stone, Global Lead-Intelligence Services, X-Force IRIS, on Quora:

“While the WannaCry ransomware, which struck in May 2017, and the highly destructive Petya variant, which struck in June 2017, have some similarities, they also have several differences. Most notably, WannaCry was truly ransomware, a malicious form of software that uses encryption to hold data hostage until a ransom is paid. This recent Petya variant was not ransomware, but instead a wiper disguised as ransomware. Unlike ransomware, wiper malware is designed to destroy systems and data; the attacker offers no option for recovery. Below is a more detailed explanation of the similarities and differences between these two types of malware.

Similarities:

Both WannaCry and the recent Petya variant targeted systems running the Windows OS only. In addition, both included the EternalBlue exploit, which takes advantage of an SMB vulnerability to rapidly propagate through a network. The use of this exploit provided both types of malware with worm capabilities, helping attackers maximize the damage. Note: this SMB vulnerability was patched by Microsoft in MS17-010, prior to the WannaCry attacks.

Following the malicious encryption, victims of both types of malware were presented with a screen that informed them of the encryption and demanded a ransom, paid in Bitcoin, to retrieve the data.

Differences:

WannaCry and this variant of Petya have more differences than similarities, and the Petya variant was far more destructive.

Vulnerabilities exploited: In addition to using EternalBlue, the Petya variant also included the EternalRomance vulnerability, which enables remote privilege escalation on certain versions of Windows. This vulnerability was also patched by Microsoft in MS17-010, yet patching did not protect victims from the Petya variant.

Patch protection: In the case of WannaCry, individuals and organizations whose systems were up to date with the latest patches were immune. WannaCry required EternalBlue and failed if the vulnerability had been remediated. That was not the case with the Petya variant. Individuals and organizations who had applied all the relevant patches were still able to be infected.

Malware execution: Following the initial infection, WannaCry malware required a connection with the attacker’s Command and Control server (C2) before it could execute. If a connection could not be established, WannaCry could not execute. The Petya variant, however, was different. The Petya variant was able to execute, spread and encrypt without connecting out to the C2.

Lateral movement: While both types of malware attempted to spread using an SMB vulnerability, the Petya variant did not require the SMB vulnerability to spread. If the SMB route failed, the Petya variant was able to achieve lateral movement by harvesting credentials from the infected system and using PsExec and WMIC (native remote administrative tools) to gain access to other systems on the network.

Encryption: WannaCry encrypted data files on infected machines using asymmetric RSA 2048-bit encryption. The attackers held the decryption keys on the C2 and were able to provide them to victims after the ransom was paid. The Petya variant encrypted not only the data files but also encrypted and corrupted the Master Boot Record (MBR) and Master File Table (MFT). The private key used for encryption was randomly generated, and the attackers had no way of knowing what that key was. Thus, even if a ransom was paid, the attackers had no way to provide the correct decryption key to restore data.

Intent and impact: Based on the encryption characteristics of these two types of malware, it’s clear that there were two very different intents. The intent of WannaCry was sheer financial gain. While victims could potentially lose data if they did not have recent backups and were not willing to pay the ransom, the data still was recoverable. In the case of this Petya variant, the intent was wide-scale system destruction to disrupt operations within business and government organizations. Data on infected systems could not be easily recovered, and the corruption of the MBR and MFT made it incredibly difficult, if not impossible, to restore the impacted systems to a usable state.”

Any information IBM provides is not legal advice.
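The "Lateral movement" point above describes the Petya variant falling back to PsExec and WMIC when the SMB route failed. The following detection logic is an added example, not code from IBM or the answer's authors: it runs simple rules over constructed Windows process-creation (4688) and service-install (7045) records to flag remote WMIC process creation and PsExec service installs. The record schema, host names and command lines are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal process/service telemetry record (constructed schema)."""
    host: str
    event_id: int            # 4688 = process creation, 7045 = new service installed
    image: str = ""          # full path of the created process (4688)
    cmdline: str = ""        # its command line (4688)
    service: str = ""        # service name (7045)

# Constructed sample telemetry: a benign local WMIC query, a remote WMIC
# process creation, a PsExec service install, and an ordinary process.
SAMPLE_EVENTS = [
    Event("ws-01", 4688, r"C:\Windows\System32\wbem\WMIC.exe",
          "wmic os get caption"),
    Event("ws-01", 4688, r"C:\Windows\System32\wbem\WMIC.exe",
          r'wmic /node:"ws-02" process call create "rundll32 C:\Windows\sample.dll,#1"'),
    Event("ws-02", 7045, service="PSEXESVC"),
    Event("ws-03", 4688, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)                 # targets another host
WMIC_EXEC = re.compile(r"process\s+call\s+create", re.IGNORECASE)  # spawns a process there
PSEXEC_IMAGE = re.compile(r"\\psexe(c|svc)(64)?\.exe$", re.IGNORECASE)

def classify(ev):
    """Return the name of the rule an event trips, or None if it is benign."""
    if ev.event_id == 7045 and ev.service.upper() == "PSEXESVC":
        return "psexec_service_install"      # PsExec's well-known service name
    if ev.event_id == 4688:
        if PSEXEC_IMAGE.search(ev.image):
            return "psexec_binary"
        if (ev.image.lower().endswith("\\wmic.exe")
                and WMIC_REMOTE.search(ev.cmdline)
                and WMIC_EXEC.search(ev.cmdline)):
            return "wmic_remote_process_create"
    return None

def detect(events):
    """Return (host, rule, evidence) for every event that matches a rule, in order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev.host, rule, ev.service or ev.cmdline))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Local WMIC queries are common in administration, so the rule requires both a remote target and process creation before alerting; in production the two hits would be correlated by time and source host.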