Petya Cyberattacks: How to Avoid and Defeat Ransomware
Don’t let your guard down just yet. While the threat of last month’s WannaCry ransomware has just about disappeared, a new threat is already on the rise.
The cyberattack is believed to have hit its first targets in Ukraine, going after the central bank, the main airport and the Chernobyl nuclear facility. Since those first attacks the threat has gone global, infecting organizations in Europe, North America and Australia.
Indications suggest that this new threat is an enhanced version of the earlier Petya ransomware, combining elements of GoldenEye and WannaCry into something extremely dangerous. What makes this modified Petya so vicious is that, rather than encrypting files one by one, it encrypts the disk's master file table (MFT) and renders the whole drive unusable, and its worm component gives it the capability to bring an entire network down.
Petya has striking similarities to WannaCry, from using the EternalBlue exploit to spread from machine to machine, to demanding $300 in bitcoin to return your data. Victims often choose to pay the relatively small sum in the hope of getting their data back, a decision many security experts disagree with.
EternalBlue was one of a set of surveillance tools and exploits developed by the NSA and leaked by the group known as the Shadow Brokers. While Petya shares WannaCry's ability to spread rapidly, it is a more sophisticated threat than the partially finished WannaCry project.
Although Microsoft has already issued a patch for the flaw EternalBlue exploits, Petya's improved worm capabilities allow it to infect an entire network by getting into a single unpatched machine. The ransomware is also reported to use additional lateral movement techniques: it leverages file shares to copy itself across the network and has Trojan-like capabilities to steal user credentials, which means that patched machines can still be reached once it holds an account that can log in to them.
Organizations and big businesses, however, are not the only ones under threat.
“Consumers are also at risk and should be wary if they are running operating systems that are vulnerable to the exploit, in other words if you have not patched,” Raj Samani, chief scientist & fellow at McAfee, told the Independent.
When asked who is being targeted, Peter Groucutt, managing director of Databarracks, simply stated: everyone. He added that “larger organizations with valuable data sets and a public reputation to protect obviously represent high-value targets, and often attract the most sophisticated attacks as a result.”
So the question is… How do I avoid it? And what do I do if my computer is infected?
How to avoid ransomware like Petya
1. Perform strategic assessments of cyber threats and vulnerabilities to understand how sophisticated hackers might be able to undermine your security system.
2. Rapidly identify, detect, and contain threats when they do occur.
3. Develop business continuity plans for individual user systems and important servers so that they can be restored rapidly from backups in the event of a breach.
4. Implement formal crisis and incident response planning to streamline the organization’s response to ransomware attacks.
5. Strengthen cyber hygiene policies and employee education about the most common ransomware delivery vector, phishing emails.
6. Manage and patch vulnerabilities as soon as possible; for Petya that means MS17-010, the Microsoft update that closes the SMBv1 flaw EternalBlue exploits, and disabling SMBv1 where the patch cannot be applied yet.
7. Consider restricting who has local admin rights, both to prevent execution of exploit code and to limit what stolen credentials can reach within the organization.
8. Some Windows systems are configured to reboot automatically if they crash. You can disable this feature in Windows. Petya only encrypts the MFT after the machine restarts, so if you can prevent the reboot you can still recover your data from the local disk.
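The following PowerShell script is an added example, not part of the original article, that carries out the checks behind items 6, 7 and 8 on a single Windows machine: it looks for the MS17-010 patch, turns off SMBv1 if it is still enabled, disables the automatic reboot after a crash, and lists who holds local admin rights. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or later (the SMB and local-group cmdlets are not available on Windows 7), and the KB list is only a subset of the MS17-010 update numbers from Microsoft's bulletin; check the bulletin for the KB that applies to your build, since on Windows 10 the fix ships inside a cumulative update with a different number.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): Petya/NotPetya pre-incident checks.

# 1. Is MS17-010 installed? The KB IDs below are a subset taken from Microsoft's
#    MS17-010 bulletin (assumption: your OS uses one of these; verify for your build).
$ms17010 = 'KB4012212','KB4012213','KB4012214','KB4012215',
           'KB4012216','KB4012217','KB4012598','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found. Patch first; later cumulative updates also contain the fix."
}

# 2. SMBv1 is the protocol EternalBlue attacks. If it is still enabled, turn it off
#    (this removes the attack surface even on a machine that has not been patched yet).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is enabled; disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 already disabled."
}

# 3. Item 8: stop Windows from rebooting automatically after a crash. Petya only
#    encrypts the MFT once the machine restarts, so a box that stays at the crash
#    screen keeps its files readable.
$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Set-ItemProperty -Path $crash -Name AutoReboot -Value 0 -Type DWord
Write-Host "CrashControl\AutoReboot is now $((Get-ItemProperty -Path $crash).AutoReboot) (0 = no auto reboot)"

# 4. Item 7: who can run code as a local administrator on this machine?
#    Review this list and remove accounts that do not need it; a stolen admin
#    credential is exactly what the worm uses to reach patched hosts.
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Step 3 only helps when the malware forces a crash; if a variant triggers a normal restart instead, the advice in the next section (power the machine off before it reboots) is what saves the files. Run the script on a test machine first, because disabling SMBv1 will break very old clients and printers that still depend on it.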
What to do if you get infected with ransomware like Petya
Petya typically infects a computer and then waits for a period of time before rebooting the machine; the MFT is encrypted during that reboot. If you catch it in this window, switch the computer off to prevent the files from being locked, then attempt to rescue the files from the disk (for example by attaching it to a clean machine) before powering the infected system back on.
DO NOT pay the ransom if your system reboots to the ransom note screen. The customer service email address shown on that screen has been disabled, making it impossible to obtain the decryption key needed to unlock your files even if you pay. The best thing you can do at this point is to disconnect the computer from the network, reformat the hard drive and restore your files from a backup. This, of course, requires that you were already performing regular backups of your machine, which is why item 3 above matters before an infection rather than after it.