The Strongroom

Petya Ransomware Attack

29 June 2017

Information Security

Written by Origin IT

A new variant of well-known Petya ransomware malware started circulating in Eastern and Central Europe this week, quickly spreading to the rest of the world and infecting many organisations.  Similarly to WannaCry malware from a couple of months back, Petya uses the existing Microsoft OS ‘Eternal Blue’ to propagate itself.

What is it?

Petya has been in existence since 2016. It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR). In this latest attack, a ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files. This latest variant of Petya has also been dubbed as Non-Petya by Kaspersky Labs researchers, since it is a variant or strain which stems from the original Petya but manifests itself a little differently.

How does it spread and what does it do?

Petya/Non-Petya has some extra powers that security experts say make it deadlier than WannaCry. Whilst EternalBlue has allowed it to spread via a weakness in Windows' Server Message Block (SMB), it has other tools for moving at speed across networks. The infection is elevated in its viciousness its ability to execute malicious code on other computers it can access, from the computer it initially infected. For instance, if the infected PC has administrator access to a network, every computer in that network can become infected. A similar method is used with the Windows Management Instrumentation (WMI) tool. It is able to detect and read administrator names and passwords stored locally on the affected machine and use those administrative powers and credentials to propagate further throughout the network environment.

How is it different?

Petya/Non-Petya doesn’t use a so-called “kill-switch”, which effectively stopped the propagation of WannaCry malware on a larger scale. It also uses the most advanced crypto techniques known to cyber researchers to encrypt files, directories and hard drives. It also encrypts the boot record on affected machines, so the victim won’t be able to start up and log into the operating system before the ransom is paid in full and the master boot record is decrypted.

What should you (or your managed service provider) be doing?

You should take immediate action by:

  • Ensuring that all security patches are installed and up to date

  • Ensuring that all endpoint and AV products are up to date

  • Reviewing administrator access privileges of your admin staff and users in general

  • Ensuring backups of your important data are current

If you’ve partnered with a quality managed service provider, you can expect them to proactively manage your risk. At Origin, within minutes of notification of a ransomware attack, we launch a discovery process to understand what’s protected and what’s not. Because we offer automated patch protection, the majority of our customers will be immune to attack. The minority who haven’t had a patch released are immediately identified and protected.

The team at Origin sprung into action immediately during the WannaCry pandemic to ensure all of our customers were fully protected from the WannaCry ransomware. This includes reviewing all the layers of defence a network or infrastructure have against malware/ransomware. Origin have a holistic approach ensuring all the relevant boxes are ticked when it comes to security.

Make sense of the new world order. Join us on LinkedIn for news and views that will keep you at the leading edge of cyber security.

Join the Strongroom
Join The Strongroom and get a regular round-up of news and views to keep you up to date with the fast moving world of cyber security.