Remember the name: Petya
This vicious ransomware variant is inflicting damage on a global scale.
Ransomware has been with us for some time and its damage is spreading. A recently arrived and extremely dangerous breed is wreaking a new level of havoc around the world. Known as Petya, it targets Windows systems, arriving by email in its early form and, in the June 2017 variant, spreading from machine to machine over the Windows file-sharing protocol (SMB). Rather than encrypting files one by one, it overwrites the disk's boot record and encrypts the master file table, so the machine will not boot and users cannot reach their data, and it demands Bitcoin payment for restoration.
Petya takes its name from one of the weapons satellites in the 1995 James Bond film GoldenEye. This new generation of ransomware is said to be even more diabolically sophisticated than previous strains. For example, the 2017 variant called NotPetya generates a random "installation key" that is not linked to the key used for encryption, so the attackers themselves cannot produce a working decryption key. Even if victims pay up, the criminals will not – cannot – undo the damage they have caused.
First detected in March 2016, Petya is the base of the NotPetya variant used in the June 2017 international cyberattack. Several Western governments, including the US and the UK, later attributed that attack to the Russian military. Its first and most hard-hit victims were organizations throughout Ukraine, and further infections struck in Germany, the UK, France, Poland and the US.
In addition to mainstream businesses, Petya’s targets include air, rail and shipping terminals and services; energy companies, power grids and utilities; military installations; mining operations and more.
Beginning with rapid-response efforts on the part of Ukrainian authorities, government agencies in Europe and North America have been working cooperatively to counter the threat.
What can organizations do to guard against a Petya attack?
To some extent, it depends on the type of system involved, but there are well-established actions that can dramatically reduce the risks. These include data protection, solid and regularly tested data backups that are kept offline or otherwise out of reach of the malware, effective disaster recovery planning, filtering email attachments and links, educating workforces about malware, constantly updating and patching system elements (for this family in particular, applying the MS17-010 SMB patch and disabling SMBv1), limiting where administrative credentials are used, and taking time to understand the complexities of data security.
Staying informed concerning the latest threats requires some extra effort but it is extremely helpful in understanding current risks and making it easier to recognize an attack quickly.
Some key points about Petya
- The ransomware propagates using EternalBlue (and its companion EternalRomance), the same exploit of Windows' Server Message Block (SMB) protocol that the WannaCry ransomware used in its massive worldwide attack in May 2017. Both are closed by the MS17-010 patch.
- Petya spreads with great speed, and can infect thousands of an organization’s computers in a matter of minutes.
- The malware can also spread laterally without any exploit: it harvests the credentials of logged-in users from the memory of an infected machine and reuses them with standard administration tools (PsExec and WMIC) to reach other machines on the network. This is why fully patched systems can still be infected if an administrator has logged in to a compromised one.
- Petya schedules a reboot, typically within the hour after infection, before its presence has become known. After the reboot, a fake CHKDSK screen appears claiming to repair the disk; while it is displayed, the malware is actually encrypting the master file table.
- External, otherwise-innocent events can complicate this kind of ransomware attack. For example, the email provider Posteo shut down the address given in the ransom note, so victims had no way to send proof of payment to the malware authors. This underlines the view on the part of experts that malware ransoms should not be paid.
- In the June 2017 outbreak the initial infections did not come from email at all, but from a compromised update of M.E.Doc, an accounting package widely used in Ukraine: the attackers tampered with a trusted software source so that victims installed the malware themselves. A watering-hole attack, named for the way predators lie in wait for prey near water sources, works on the same principle. Hackers go after individual businesses, industries, and organizations in specific geographical areas by tracking intended victims' online habits, identify websites the targets use often, place infections within those trusted sites, and when the victims visit, the attack begins.
- With software experts and international law-enforcement agencies working to defeat Petya, new defensive moves are beginning to emerge. Here is one. The June 2017 variant checks for a file named "perfc" (its own file name without extension) in the Windows directory and exits if it is present, so creating a read-only file "C:\Windows\perfc" has proved a useful tool to block it; the commonly circulated vaccine scripts also create "perfc.dat" and "perfc.dll" to be safe. This only stops this particular variant and does nothing for the next one, and it needs to be done on every device, but it can be part of an effective defense.
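The following script is an added example and not code from the original article or from any of the researchers it mentions. It puts the SMB hardening and the "perfc" vaccine described above into a form that can be run on one host or pushed to many. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated PowerShell session, and, for the remote step, a hosts.txt file of computer names and WinRM enabled on those computers; those names and the function names are ours.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): harden a Windows host against the
# SMB propagation path used by the June 2017 Petya/NotPetya variant and plant
# the "perfc" vaccine files. Function names and hosts.txt are assumptions.

function Get-Smb1Enabled {
    # EternalBlue targets SMBv1; returns $true if the server side still accepts it.
    [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn the protocol off on the running server, then remove the component so the
    # driver is not loaded at all. The feature cmdlet differs between client and server.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null           # Windows Server
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null   # Windows client
    }
}

function Block-InboundSmb {
    # Workstations rarely need to serve files; blocking inbound TCP 445 stops both the
    # exploit and the PsExec/WMIC lateral movement from reaching this machine.
    # Do NOT apply this to file servers or domain controllers.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (445)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Install-PerfcVaccine {
    # The 2017 sample exits if C:\Windows\perfc exists. The two extra names match the
    # widely circulated vaccine scripts; they cost nothing and cover copies that were
    # told to look for a different extension.
    $names = 'perfc', 'perfc.dat', 'perfc.dll'
    foreach ($n in $names) {
        $path = Join-Path $env:SystemRoot $n
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Read-only so a later process cannot quietly replace or delete it without first
        # clearing the attribute.
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    # Verification step: every vaccine file must exist and be read-only.
    $ok = $true
    foreach ($n in 'perfc', 'perfc.dat', 'perfc.dll') {
        $f = Get-Item (Join-Path $env:SystemRoot $n) -ErrorAction SilentlyContinue
        if (-not $f -or -not $f.IsReadOnly) { $ok = $false }
    }
    $ok
}

# --- Run locally ---
if (Get-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
}
Install-PerfcVaccine
Write-Host ("Vaccine files present and read-only: {0}" -f (Test-PerfcVaccine))

# --- Push the vaccine to a list of machines (assumes .\hosts.txt and WinRM) ---
if (Test-Path .\hosts.txt) {
    $targets = Get-Content .\hosts.txt | Where-Object { $_.Trim() }
    # ${function:Name} hands the function body over as a script block to run remotely.
    Invoke-Command -ComputerName $targets -ScriptBlock ${function:Install-PerfcVaccine}
    Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-PerfcVaccine} |
        Select-Object PSComputerName, @{ n = 'Vaccinated'; e = { $_ } }
}
```

Run the SMB steps first and reboot where Windows asks for it; the vaccine files take effect immediately. Treat the vaccine as a stopgap for one known sample: the patch, the removal of SMBv1 and the restriction of admin credential use are what protect against the next variant, which will not be looking for the same file name.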
Petya may be new, but effective protections against it are based on proven, well-established methods and tools that are constantly updated to protect against the latest threats. For more information about ways to protect your company from the latest ransomware, please email us at firstname.lastname@example.org or give us a call at 877 834 3684
Please follow our company page on LinkedIn to get the latest information and news on Data Protection and Disaster Recovery.