Many organizations around the globe have been crippled by the Petya ransomware attack. Like WannaCry, Petya spreads rapidly through networks that use Microsoft Windows. What is it, why is it happening, and how can it be stopped? Learn more about this attack in our comprehensive blog below.
The Petya attack the world has seen recently is a variant of the Petya ransomware family. As of this writing, it appears a new variant of Petya has been released with the EternalBlue exploit code built in, the same exploit WannaCry used to propagate across organizations.
Petya is a different kind of ransomware from WannaCry. Common delivery methods are phishing emails or scams. The payload requires local administrator access.
Infection Vector and Spreading channel of Petya
Petya takes over computers and demands $300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across an organization, either through the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and, if that does not work, tries the next. “It has a better mechanism for spreading itself than WannaCry”, said Ryan Kalember from cybersecurity company Proofpoint.
Petya does not encrypt the files themselves; it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive. Without that index, it is incredibly difficult to identify where the files are on the disk.
The screenshot below shows an encrypted system demanding $300 in ransom to decrypt the data.
Recommendations for Ransomware attack Petya
- Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability
- Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know
- Operate a least privileged access model with employees. Restrict who has local administration access
- Consider disabling SMBv1 to prevent spreading of malware
- Ensure automatic updates are turned on and the latest security patches are applied
- Ensure you have the latest updates installed for your anti-virus software; vendors are releasing updates to cover this exploit as samples are analyzed.
- Remove unwanted software and browser add-ons.
Inspira Enterprise, a leading IT solutions provider in India with centers of excellence in Networking, Unified Communication, IT Security, Cloud, Smart City and Healthcare Solutions, is the IT security expert to protect your data from any ransomware attack.
Suggested Actions for Ransomware attack Petya
- Patch Management
  - Ensure all workstations and servers have the latest Microsoft patches, especially the ones related to SMB (Microsoft).
  - Update AV signatures on all assets. Personally review this action on critical assets and target them first.
  - Get the details of the name of the malware and verify whether it has been detected in the logs for the last one week.
- Anti-APT Solutions
  - Ensure signatures are up to date.
  - Check for possible internal sources of infection and take action.
  - Use sandboxing on attachments.
  - Use behavior-based detections.
- Email Gateway
  - Ensure Email Gateway solutions have all relevant updates for detecting mails that may bring the Trojan into the environment.
  - Educate all email users to review the sender's email address carefully and not to open any executable files or scripts within seemingly trusted files.
  - If your email service is not hosted on well-known public gateways like Gmail or Office 365, ensure that emails are scanned with an updated email scanning solution using well-known scanning engines (via endpoint-based AV solutions or by hosting a download server).
- Proxy
  - Ensure the Proxy solution has an updated database. Block IOCs for IP addresses and domain names on the Proxy.
  - Block access through the proxy to public email services from which malware is most likely to spread.
  - Verify the last one week of Proxy logs for the IOCs and act on sources of infection.
- IPS
  - Ensure IPS signatures are updated. Verify that the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode.
  - Get the details of the name of the signature and verify whether it has been detected in the logs for the last one week.
  - Check logs to verify whether any of the IOCs have been detected in the last one week of logs.
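The two host-level controls this advisory keeps returning to, in both the recommendations list and the patch management actions, are the MS17-010 SMB patch and disabling SMBv1. The script below is an added example, not code from the original post or from Inspira, that audits a single Windows host for both and optionally disables SMBv1. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (the SmbShare module is not available on Windows 7), and the KB list is an assumed, partial set of MS17-010 package IDs that should be checked against the Microsoft bulletin for each OS build.

```powershell
# Added example: audit one host for the Petya spreading preconditions named in the
# advisory (MS17-010 missing, SMBv1 enabled) and optionally remediate SMBv1.
# Assumption: elevated PowerShell 5.1+ on Windows 8 / Server 2012 or later.
param(
    [switch]$Remediate   # disable SMBv1 when set; default is audit-only
)

# Assumed partial list of MS17-010 package IDs, to be verified against the bulletin.
# On Windows 10 later cumulative updates supersede these, so "not found" means
# "check the build's cumulative update level", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010Found = [bool]$installed
        MatchingKbs  = (@($installed) | ForEach-Object { $_.HotFixID }) -join ','
    }
}

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # The server-side switch takes effect immediately; removing the optional feature
    # also stops the SMBv1 client and needs a reboot to complete.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$patch = Get-Ms17010Status
$smb   = Get-Smb1Status
"$env:COMPUTERNAME  MS17-010 KB present: $($patch.Ms17010Found) [$($patch.MatchingKbs)]"
"$env:COMPUTERNAME  SMBv1 server enabled: $($smb.Smb1ServerEnabled); feature: $($smb.Smb1FeatureState)"

if ($Remediate -and ($smb.Smb1ServerEnabled -or $smb.Smb1FeatureState -eq 'Enabled')) {
    Disable-Smb1
    "$env:COMPUTERNAME  SMBv1 disabled; reboot to finish removing the feature."
}
```

Run it without `-Remediate` first across a set of hosts (for example through Invoke-Command) to build the list of unpatched or SMBv1-enabled machines, then re-run with the switch once the change has been approved.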
These advisories are for information purposes only. We recommend you act upon them at your own discretion after conducting a risk analysis in your specific environment.
These advisories are time sensitive in nature and may be overridden in subsequent updates from our side as new information is received on the