Ransomware

Petya ransomware outbreak: Here’s what you need to know…

Petya ransomware impacting large organizations in multiple countries – This page is updated live. Check back for latest information on Petya.

Created 27 Jun 2017 – 20:49 GMT (Latest Update)

A new strain of the Petya ransomware started propagating on June 27, 2017, infecting many organizations. Similar to WannaCry, Petya Ransomware uses the Eternal Blue exploit to propagate itself. Petya is taking down corporate networks that run mainly on Microsoft Windows software. It has already hit most Government applications in Ukraine as well as major companies in Europe including advertising agency WPP and law firm DLA Piper.

Update – Consumer users should make sure Windows and Office are up-to-date.

Am I protected from the Petya Ransomware?

Anti-virus, malware endpoint protection products and an up to date firewall should proactively protect customers against attempts to spread Petya using Eternal Blue. You will need to check with your Anti-Virus and firewall vendors to see if behavior detection technology also proactively protecting against Petya infections. Please make contact with your security vendors for assurity.

Will Spambrella protect us?

The payload for Petya is not delivered by email but we remain vigilant and run multiple layers of security in anticipation for such scenarios.

What is Petya?

Petya has been in existence since 2016. It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR). Once executed, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process. Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems. It is when the machine is rebooted to encrypt the MFT that the real damage is done.

In this latest attack, the following ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files:

petya-ransom-note

How does Petya spread and infect computers?

Petya propagates itself by exploiting the MS17-010 vulnerability, also known as Eternal Blue. Spambrella continues to investigate other possible methods of propagation.

Who is impacted? Is this targeted?

At time of writing, Petya is primarily impacting organizations in Europe. It is not clear if this is a targeted attack, variants of Petya have been used in targeted attacks against organizations in the past.

I have been infected, what should I do?

Petya Ransomware does not encrypt the system if you do not restart your workstation. Check for rundll32.exe & kill the scheduled task then call your Firewall and Endpoint Security vendors for advice.

Recommendations for Businesses

  • Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability
  • Consider disabling SMBv1 to prevent spreading of malware
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software, vendors are releasing updates to cover this exploit as samples are being analysed.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
  • Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
  • Operate a least privileged access model with employees. Restrict who has local administration access and who can release quarantined emails emails suspected of being phish.

Recommendations for sole users or home users

  • Ensure automatic updates are turned on and the latest security patches are applied.
  • Update your Antivirus software to the latest version and the signatures are up-to-date.
  • Ensure you have enabled User Access Control on the endpoint and consider operating as a standard user and not a user with administrative privileges.
  • As a home user, consider using a cloud backup or online storage provider, such as DropBox, Google Drive and Microsoft OneDrive. As files are changed, they are updated in the cloud.
  • Petya does not encrypt the files themselves, it encrypts the Master File Table, which is an index of where all the files are stored on a hard disk drive. Without the index, it makes it incredibly difficult to identify where the files are on the disk.

As always, contact Spambrella at sales@spambrella.com for free advice in any scenario.