Just as we were all recovering from ‘WannaCry’ the world got hit with yet another ransomware attack, ‘Petya’.
Petya is crypto-ransomware: rather than simply locking the screen, it encrypts the victim’s data. It targets Microsoft Windows systems, overwriting the master boot record with a payload that, on reboot, encrypts the NTFS Master File Table (MFT) and then demands a Bitcoin payment to restore access. Inside a company the malware spreads quickly in two ways: through the EternalBlue vulnerability in Windows SMB (Microsoft released a patch in March, but not everyone has installed it yet) and through two legitimate Windows administration tools, PsExec and WMIC, using credentials stolen from the infected machine.
This means that even if companies have patched against EternalBlue, Petya can still spread inside their networks, because it also uses these classic SMB administrative-share techniques. Once on a computer, Petya takes over and demands 300 US dollars, payable in Bitcoin.
Victims without a recent backup must either pay the ransom or lose their files. Petya checks for a read-only file, C:\Windows\perfc.dat, and if it finds one it skips the encryption stage. This “vaccine” does not prevent infection, however: the malware will still use its foothold on your PC to try to spread to other machines on the same network. The fact that Petya uses not one but several propagation methods is what makes it more dangerous than WannaCry.
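The following PowerShell script is an added example (not from the original article) showing how an administrator would create the read-only “vaccine” file described above on a Windows machine and verify that it is in place. It assumes the standard C:\Windows location via $env:WINDIR and, as a precaution, also creates the sibling names perfc and perfc.dll that incident responders recommended alongside perfc.dat; the filenames beyond perfc.dat are an assumption, not something the article states. Remember that this only blocks the encryption stage on the machine it is run on; it does nothing to stop the malware from using that machine to spread.

```powershell
#Requires -RunAsAdministrator
# Added example: create the Petya "vaccine" files as read-only and verify them.
# Assumption: WINDIR points at C:\Windows (the default on all supported Windows builds).
# Assumption: perfc and perfc.dll are created in addition to perfc.dat, matching
# the broader set of names recommended by responders at the time.
$vaccineFiles = @('perfc.dat', 'perfc', 'perfc.dll') |
    ForEach-Object { Join-Path -Path $env:WINDIR -ChildPath $_ }

foreach ($path in $vaccineFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty file; -Force suppresses the error if the path already exists.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Mark the file read-only so that a write attempt by the malware fails.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verification: every vaccine file must exist and carry the ReadOnly attribute.
$allGood = $true
foreach ($path in $vaccineFiles) {
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.IsReadOnly) {
        Write-Output ('{0}: present, read-only' -f $path)
    } else {
        Write-Output ('{0}: MISSING or not read-only' -f $path)
        $allGood = $false
    }
}

if (-not $allGood) {
    Write-Warning 'Vaccine incomplete: re-run from an elevated prompt and check the Windows directory permissions.'
}
```

Run the script from an elevated PowerShell prompt on every Windows host, for example as a startup script pushed through Group Policy; a single unvaccinated machine on the network is still a target, and vaccinated machines still need the EternalBlue patch and hardened administrative credentials to stop lateral movement.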
If you have been hit, note that the ransomware infects a computer and then waits roughly an hour before rebooting it; the Master File Table is only encrypted after that reboot, behind a screen that imitates a CHKDSK disk repair. If you see the machine rebooting, switch it off immediately to stop the encryption and rescue the files from the disk (for example by mounting it on a clean machine), as flagged by @HackerFantastic on Twitter.
If the system comes back up showing the ransom note, do not pay: the attackers’ “customer service” email address has been shut down by the provider, so there is no way to send proof of payment or receive a decryption key anyway. Disconnect the PC from the network, wipe the hard drive, reinstall Windows and restore your files from a backup.
Protect yourself against “Petya” and any further attacks
Most major antivirus vendors say their products have been updated to detect and block Petya: Symantec, for instance, states that products using definitions version 20170627.009 are protected, and Kaspersky also says its security software now spots the malware.
You can protect yourself by keeping Windows up to date. In particular, installing Microsoft’s March critical security update for the EternalBlue vulnerability (MS17-010) closes one major avenue of infection and also protects against future attacks that deliver different payloads through the same hole. Patching alone does not stop Petya from spreading via the Windows administration tools, so stolen credentials and over-privileged accounts on the network remain a risk.
Many organisations do not have the in-house knowledge to protect their own networks. Act now: have your systems and network assessed by proven IT security professionals and invest in the necessary security measures.
Ozone is a distributor of superlative security solutions that can protect your organisation from being affected. For assistance please contact us at info@ozone.co.za or 086 010 4155.