i Petya Ransomware Spreading Rapidly Worldwide – All things in moderation

Petya Ransomware Spreading Rapidly Worldwide

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.

What is ransomware?
Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid. (Wikipedia)

How does it work?
While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.(Wikipedia)

Petya Ransomware
Petya is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya ransomware replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Petya ransomware has already infected — Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, “Kyivenergo” and “Ukrenergo,” in past few hours.

"We were attacked. Two hours ago, we had to turn off all our computers. 
We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," 
Kyivenergo's press service said.

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units.

"We can confirm that Maersk IT systems are down across multiple sites and business units. 
We are currently asserting the situation. 
The safety of our employees, our operations and customers' business is our top priority. 
We will update when we have more information," the company said.

How Petya Ransomware Spreading?
Symantec, the cyber security company, has also confirmed that Petya ransomware is exploiting SMBv1 EternalBlue exploit, just like WannaCry, and taking advantage of unpatched Windows machines.

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits.

How to Protect Yourself from Ransomware Attacks
– Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured SMBv1 file-sharing protocol on your Windows systems and servers
– So if your system is infected with Petya ransomware and it tries to restart, just do not power it back on.

"If machine reboots and you see this message, power off immediately! 
This is the encryption process. If you do not power on, files are fine." 
Then "Use a LiveCD or external machine to recover files".

Amit Serper from PT Security, a UK-based cyber security company said: “98% sure that the name is is perfc.dll Create a file in c:\windows called perfc with no extension”. And company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.

  • You should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source.
  • To always have a tight grip on your valuable data, keep a good back-up routine in place that makes their copies to an external storage device that isn’t always connected to your PC.
  • Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.

Reference:
http://thehackernews.com
https://www.theguardian.com
https://en.wikipedia.org

Leave a Reply