Just when the world was recovering from the crisis caused by WannaCry, there is yet another bump in the wire, and this time it's far more serious than its predecessor. Yes, it's PETYA.
** "Predecessor" here means only that both are ransomware; there is minimal to no relation between the two.
First things first: Petya looks like an all-out attempt to bring down Ukraine. There is already mounting evidence that Petya's focus on Ukraine was deliberate. The initial attacks were limited to just a few specific infections, all of which appear to have targeted Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which pushed out a suspicious software update on Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to a researcher at Kaspersky.
Bottom line: the attackers had complete control over where they planted Petya (at least initially), and they chose some of the most central institutions in Ukraine.
Now, let’s get to the nuts and bolts of this new kid on the block.
How does Petya commence and proceed?
Petya takes over its victims' computers and demands $300 in Bitcoin. Once one computer in an organization (known as patient zero) is infected, it spreads rapidly across the organization, using either the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or two Windows administrative tools. The malware tries one option and, if that doesn't work, tries the next. "It has a better mechanism for spreading itself than WannaCry," said Ryan Kalember of cybersecurity company Proofpoint. However, unlike WannaCry, Petya tries to spread internally within networks but does not seed itself externally.
How can the infection be stopped, temporarily and permanently?
The ransomware infects a computer and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch it off to prevent the files from being encrypted and then try to rescue the files from the disk. This is a temporary, corrective measure. For a permanent, preventive approach, make sure Windows is patched with the latest updates from Microsoft and that your AV, HIPS or host firewall software is updated to protect against this threat.
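The preventive side of the two sections above (close off the SMB path EternalBlue uses, confirm the patch is present, keep the host firewall in front of port 445) can be audited from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from any vendor mentioned here. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules, an English-language firewall rule group named "File and Printer Sharing", and a placeholder KB id (`KBnnnnnnn`) that you replace with the actual security update for your OS build; the management subnet `10.0.100.0/24` is a constructed value.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit a Windows host for the
# conditions that let Petya spread over SMB, and optionally remediate them.
# Assumptions: Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity
# modules present). The KB number is a placeholder: look up the security update
# that fixes the SMBv1 (EternalBlue) flaw for your exact OS build and pass it in.
param(
    [string]$PatchKb     = 'KBnnnnnnn',       # placeholder, replace with the real KB id
    [string]$AdminSubnet = '10.0.100.0/24',   # constructed example: only this subnet may reach SMB
    [switch]$Remediate                        # without this switch the script only reports
)

$findings = [ordered]@{}

# 1. SMBv1 server protocol: the EternalBlue exploit only works against SMBv1.
$findings['SMBv1 server enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the security update installed? Get-HotFix only sees updates registered
#    with the OS, so a 'False' here deserves a second look in Windows Update.
$findings["Update $PatchKb installed"] = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# 3. Host firewall: every profile enabled, and the inbound SMB rules not open to 'Any'.
$profiles = Get-NetFirewallProfile
$findings['Firewall enabled on all profiles'] = -not ($profiles | Where-Object { -not $_.Enabled })
$smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
$openToAny = $smbRules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$findings['Inbound SMB rules open to any remote host'] = @($openToAny).Count -gt 0

$findings.GetEnumerator() | ForEach-Object { '{0,-45} : {1}' -f $_.Key, $_.Value }

if ($Remediate) {
    # Turn off SMBv1 at the server setting; on client SKUs also remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 1) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Make the default inbound action an explicit Block, and scope the SMB-In rules
    # to the management subnet so a compromised peer elsewhere cannot reach TCP/445 here.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    $smbRules | Set-NetFirewallRule -RemoteAddress $AdminSubnet
    'Remediation applied; reboot to complete the SMBv1 feature removal.'
}
```

Run it once without `-Remediate` to see the three findings, then with `-Remediate` on hosts that do not need to serve SMB to the whole network. Scoping the existing "File and Printer Sharing" rules is preferred over adding a separate block rule because a Windows Firewall block rule would also override any allow rule you later add for the management subnet.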
What if my system is already infected and encrypted?
If your system reboots to the ransom note, please don't pay the ransom: the attackers' email address has been shut down by the email provider, so there is no way to obtain the decryption key to unlock your files anyway. The best way forward is to disconnect the computer from the Internet, reformat the hard drive and restore your files from a backup.
** Backing up your files regularly and keeping your anti-virus software up to date are highly recommended.
What software can I use to protect against Petya?
One of the most popular host firewall and AV solutions is ZoneAlarm https://www.zonealarm.com/
If you already have AV software, make sure it is updated. The Windows updates mentioned earlier will help prevent the infection.
That covers individual PCs; what can I do to protect my enterprise-wide network?
Well, there are a couple of ways to offer preventive defence. One is to segment your network (conventional subnet-based segmentation, or micro-segmentation using SDN) so as to protect critical systems from user-facing systems. This also makes it possible to enforce protection between the network, storage and compute layers within your private DC or your cloud ecosystem. Check out Check Point's vSEC solution https://www.checkpoint.com/products/vsec-virtual-edition/
The other approach is to have your existing or new firewall gateways offer Advanced Threat Protection (ATP), and endpoint agents offer advanced sandboxing and on-host defence capabilities. Check out https://www.checkpoint.com/products-solutions/zero-day-protection/ and https://www.checkpoint.com/products-solutions/threat-intelligence/
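Segmentation and gateway inspection also produce the logs that reveal the internal-spreading behaviour described earlier: one freshly infected host opening SMB (TCP/445) to many peers within a minute or so. The script below is an added example, not code from the original post or from Check Point; it assumes a simple whitespace-separated firewall log format (`<timestamp> <src> <dst> <dport> <action>`), and every address, timestamp and line in the sample is constructed for the demonstration.

```powershell
# Added example (not from the original post): spot the internal-spreading pattern
# Petya leaves in firewall or flow logs, one host opening TCP/445 to many peers
# in a short window. The log format, addresses and timestamps are constructed.
$WindowSeconds = 60   # length of the sliding window
$PeerThreshold = 5    # distinct TCP/445 destinations inside the window that trigger an alert

# Constructed sample: host 10.0.5.20 fans out to six peers in under a minute,
# while 10.0.5.30 shows ordinary file-server traffic to a single destination.
$LogLines = @'
2017-06-27T10:15:01 10.0.5.30 10.0.5.2 445 ALLOW
2017-06-27T10:15:03 10.0.5.20 10.0.5.21 445 ALLOW
2017-06-27T10:15:04 10.0.5.20 10.0.5.22 445 ALLOW
2017-06-27T10:15:04 10.0.5.20 10.0.5.23 445 ALLOW
2017-06-27T10:15:06 10.0.5.20 10.0.5.24 445 ALLOW
2017-06-27T10:15:09 10.0.5.20 10.0.5.25 445 ALLOW
2017-06-27T10:15:12 10.0.5.20 10.0.5.26 445 ALLOW
2017-06-27T10:16:40 10.0.5.30 10.0.5.2 445 ALLOW
2017-06-27T10:17:00 10.0.5.20 10.0.5.2 443 ALLOW
'@

function Find-SmbFanOut {
    param([string[]]$Lines, [int]$Window = $WindowSeconds, [int]$Threshold = $PeerThreshold)

    # Parse only TCP/445 events: "<timestamp> <src> <dst> <dport> <action>"
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[3] -ne '445') { continue }
        [pscustomobject]@{ Time = [datetime]$f[0]; Src = $f[1]; Dst = $f[2] }
    }

    # For each source host, slide a window over its 445 connections and count distinct peers.
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = $sorted[$i].Time.AddSeconds($Window)
            $peers = $sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end } |
                     Select-Object -ExpandProperty Dst -Unique
            if (@($peers).Count -ge $Threshold) {
                [pscustomobject]@{
                    Source        = $group.Name
                    WindowStart   = $sorted[$i].Time
                    DistinctPeers = @($peers).Count
                    Peers         = ($peers -join ', ')
                }
                break   # one alert per source is enough; move on to the next host
            }
        }
    }
}

Find-SmbFanOut -Lines ($LogLines -split "`r?`n") | Format-List
```

On the sample, only 10.0.5.20 is reported, because it reaches six distinct peers on 445 inside a single 60-second window, whereas the repeated connections from 10.0.5.30 all go to one file server. Feed real gateway or host-firewall exports through the same function, tuning `$PeerThreshold` to what normal SMB fan-out looks like in your segments, and an alert tells you which host to isolate first.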
Hope this article helps you stay protected from nasty threats and conduct business as usual.