What is Petya?
The latest ransomware cyber attack, ‘Petya/Petrwrap/ExPetr’ or ‘GoldenEye’, has quickly hit computer systems all over the globe, crippling large firms across Europe, Israel, Russia and the US, reportedly starting from Ukraine. It uses the EternalBlue exploit to spread itself, wrecking each system and leaving it inaccessible until a payment of $300 in Bitcoin has been made.
Kaspersky Lab’s global research director Costin Raiu tweeted on June 28th to say the majority of infections seen by his firm had taken place in Ukraine, the Russian Federation, and Poland.
How does Petya work and which devices does it affect?
Ransomware is malicious software that wrecks the victim’s system and threatens to publish or delete the data unless a ransom in digital currency (usually Bitcoin) is paid. WannaCry, which attacked systems in May, was the last major ransomware attack.
Symantec analysts have confirmed that Petya is similar to WannaCry, but potentially more dangerous. Compromised machines become fully encrypted, leaving all information completely inaccessible.
This attack targets Microsoft Windows systems. Unlike regular ransomware it doesn’t just encrypt your files: it overwrites and encrypts the MBR (Master Boot Record) so that its own payload runs at boot and encrypts the NTFS Master File Table (MFT), without which the system cannot locate any file on the disk.
Once inside a company’s network, the virus finds other vulnerable machines and spreads to them as well. Organizations around the globe have been crippled by the actions of these criminals. As is often the case, this malware seems to enter networks when employees click on infected email attachments; it then spreads quickly across the corporate network to any other vulnerable computer it can find. More than ever, awareness and user education are critically important to our overall security capabilities.
As of June 29th, Costin Raiu of Kaspersky Lab tweeted that Petya is more a wiper than ransomware. Wipers are said to be the rarest kind of malware and are highly destructive in nature.
ExPetr/Petya/NotPetya is a wiper, not ransomware – our analysis of the fake install ID -> https://t.co/u5Hxumo9Ug
— Costin Raiu (@craiu) June 29, 2017
How wide is the damage?
Petya has caused tremendous disruption across large firms, among them Britain’s advertising firm WPP, Russian banks, the steel and oil firms Evraz and Rosneft, and the French construction materials company Saint-Gobain. The food company Mondelez, the legal firm DLA Piper, the Danish shipping giant A.P. Moller-Maersk, Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh, and the Ukraine division of the German postal and logistics company Deutsche Post also said their systems had been hit by the malware.
What to do to be protected?
One of the foremost things to do, if not yet done, is to immediately install the MS17-010 patch from Microsoft.
A way to vaccinate your system against the ransomware has been found by Amit Serper, a researcher at Cybereason.
I found a way to stop the malware, all we need to know is the original name of the file – Come on people! https://t.co/4e17ST5xHL
— Amit Serper (@0xAmit) June 27, 2017
To vaccinate a machine against this ransomware, create a file called perfc in the C:\Windows folder and mark it read-only. A batch file courtesy of BleepingComputer will do this for you; click the link and follow the instructions in the post. You can download the batch file from https://download.bleepingcomputer.com/bats/nopetyavac.bat
Key advice: always be vigilant about which mail and attachments you open and click on:
- Don’t ever open emails from senders you do not know.
- Don’t ever click on email attachments unless you know who the sender is and were expecting them to send you that attachment.
- Exercise caution and discretion when clicking on links sent to you by email.
- If there is something suspicious occurring on your device and you need assistance reach out to your IT help desk immediately.
- Don’t open any non-urgent attachments; even trusted senders could be infected.
- Update your anti-virus and run a scan on your system.
Other suggestions, from wordfence.com, recommend blocking network access to port 445 (SMB) on your Windows workstation, and keeping an eye on the Microsoft Security Response Center in case it releases formal guidance.
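The vaccination step above and the port 445 advice can be applied together from an elevated PowerShell prompt. This is an added example, not the BleepingComputer batch file or anything from the original post; it assumes the Windows directory is in $env:SystemRoot, and the perfc.dat and perfc.dll names are the variants created by the linked script in addition to the perfc name given in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: create read-only vaccine file(s) and block inbound SMB.

# perfc is the name from the post; perfc.dat and perfc.dll are the variants
# the BleepingComputer batch file also creates.
$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')
$windir = $env:SystemRoot   # normally C:\Windows

foreach ($name in $vaccineNames) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # The content is irrelevant; only the file's existence matters.
        Set-Content -LiteralPath $path -Encoding ASCII `
            -Value 'NotPetya vaccination file - do not delete'
    }
    # Read-only, so the file is not casually overwritten or removed.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify: every vaccine file should be listed with IsReadOnly = True.
Get-Item -Path (Join-Path $windir 'perfc*') |
    Select-Object Name, IsReadOnly

# Block inbound TCP 445 on this workstation, as the wordfence.com advice suggests.
# Caveat: this also stops other hosts from reaching any share this machine offers.
$ruleName = 'Block inbound SMB 445 (NotPetya mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Action
```

The firewall rule is a stopgap for unpatched workstations; it does not replace installing MS17-010.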
If you suspect that your computer has been infected, or if you see a screen that even remotely resembles the snippet at the start of the post, immediately turn your computer off, disconnect it from your corporate network, and contact your IT command center. Under no circumstances should you turn the computer on again, as doing so will propagate the virus and eliminate any possibility of recovering your data.