Petya: What We Know

Petya is the latest strain of ransomware to sweep across the US and Europe crippling multinational corporations and government departments. It is the second major ransomware assault in as many months but is much more targeted and vicious than its predecessor. While Petya has not infiltrated as many machines as WannaCry, it is more dangerous and is utilising the same SMBv1 EternalBlue exploit.

It should be noted there is still limited information about the methods being used by this infection and how we can tackle it.

Initial information regarding this malware shows more advanced distribution methods than WannaCry.  This new Petya malware variant also appears to include password stealing software that ‘may’ be used to attack other computers on the same network.  This means that even if you are patched for the SMB 1.0 vulnerability, MS17-010, you could still be infected with this malware with network based administrative credentials.

How does it work?

The malicious software can spread rapidly through an organisation, once a single computer is infected using the EternalBlue vulnerability, or through two Windows administrative tools. The malware attempts to infiltrate one vulnerability first, if this doesn’t work it will attempt another meaning it can spread more effectively.

The Petya ransomware has caused disruption at large high profile firms across the world including WPP, Maersk, Evraz and Rosneft. The ransomware takes over infected computers locking up the harddrive and all its files, it then displays messages demanding a bitcoin ransom of $300.

Don’t pay your ransom, you won’t get your files back. Those who are infected are asked to send a confirmation of payment to the attacker’s email address. The email address used has now been shut down by the email provider, Poesto, leaving no way for the people to contact the attackers and get the decryption key to unlock their computer.

Who caused it?

It was first reported in the Ukraine where government banks, state power utility, and Kiev airport and metro system were all infected. Security experts in the Ukraine claim the attack was seeded through software updates built into an accounting program that the Ukrainian government need to use.

Should you be worried?

Computers running the most recent update of Microsoft software should be safe. Users are advised to check they are running the latest install and refrain from irresponsible internet use, clicking suspicious links or opening email attachments from unknown sources.

Speak to Aware Microsoft specialists today if you are unsure about versioning or think you are at risk.

How do you protect yourself?

We have an in-depth blog post into how to protect yourself from ransomware here. If you are any doubts please contact Aware today and speak to one of our security specialists.

The rundown to beat Petya:

According to Malware Tech, Petya encrypts after reboot so if you’re infected the files will not be encrypted until the machine is rebooted (the malware sets a scheduled task to automatically reboot after 1h, but you can simply shut down before then to prevent encryption if you know you’re infected).

Patch up: One of the best ways to protect yourself from these attacks is downloading the patches provided by Microsoft during updates.

Backup: It appears that there is no way to get your files back when faced with Petya. The only sure fire solution is adequate back-ups.

Install protection programs: utilise firewalls, anti-virus programs and other protective software.

Be responsible online: don’t click or download anything suspicious. Ransomware infected emails are designed to look legitimate.

Get official products: make sure you are purchasing from the correct sources and can obtain updates.

Don’t download and install cracked software: a recent report in Thailand found that 100% of websites that hosted pirated software left users vulnerable.

User education: your first line of defence, educate your employees and about safe internet use.

This should lay the foundations for organisations to take their IT security more seriously. Just last week Honda Motor company and speed cameras in Australia were hit by WannaCry, a whole 5 weeks after it was released.

If you feel you would like to know more about malware prevention, you can speak to our team who would be happy to assist you. You can simply mail us at info@aware.co.th.

Claim your free Ransomware protection trial here: http://bit.ly/2yffTYW

Tags

What do you think?

Related articles