A new ransomware is taking the world by storm. This ransomware is a new variant of the Petya ransomware, and is much more sophisticated than its predecessor.
This ransomware improves on the WannaCry ransomware in a few ways, mainly through new capabilities that allow it to infect even up-to-date Windows systems running the latest security updates and software patches.
Petya infects computers and waits for about an hour before rebooting the machine. Once the reboot is complete, it will encrypt the entire hard disk, and all system files, including the Master Boot Record. It then demands a $300 payment in bitcoin.
Once on a machine, Petya collects login credentials stored on that computer and uses them to gain access to other systems. It then uses PsExec, a Microsoft Sysinternals remote administration tool that lets a user run an application on a remote machine. The malware uses this tool to try to infect other machines.
Since Tuesday, June 27, Petya has infected over 12,500 machines in 65 countries. It first struck in Ukraine and has spread across Europe, Asia, and North America.
Petya originally appeared in Ukraine. Organizations in Ukraine were infected after downloading a malicious update for the accounting and invoicing software MeDoc. Multiple security firms have also seen the malware spread through phishing emails with malicious attachments posing as resumes or delivery notices.
Like WannaCry, Petya uses an “EternalBlue” software exploit for Windows, an exploit developed by the US National Security Agency that was subsequently stolen and leaked by the Shadow Brokers. Unlike WannaCry, Petya does not rely on computers vulnerable to EternalBlue to spread.
What makes this ransomware dangerous is that it spreads not only through exploits but also through legitimate tools. This method can be very difficult to detect, since the malware uses valid credentials to access other systems and its activity looks like ordinary administration.
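Because the lateral movement described above relies on a legitimate tool, the detection opportunity is in the host logs rather than in a malware signature: PsExec installs a temporary Windows service (named PSEXESVC by default) on each target, which Windows records as a service-installation event (Event ID 7045 in the System log), usually right after a network logon (Event ID 4624, logon type 3) from the source machine. The following Python is an added example, not code from the original article or from SecurityMetrics; it runs that correlation over a handful of constructed, simplified event records and flags one account fanning out to several hosts. The record layout, thresholds and sample values are assumptions for illustration.

```python
"""Flag PsExec-style lateral movement from simplified Windows event records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in an assumed flattened layout:
# "timestamp|log|event_id|host|key=value key=value ..."
SAMPLE_EVENTS = [
    "2017-06-27T10:01:05|Security|4624|FILESRV01|LogonType=3 Account=CORP\\jdoe Src=10.0.0.15",
    "2017-06-27T10:01:07|System|7045|FILESRV01|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2017-06-27T10:03:12|Security|4624|HR-PC-22|LogonType=3 Account=CORP\\jdoe Src=10.0.0.15",
    "2017-06-27T10:03:14|System|7045|HR-PC-22|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    # Benign service install: should not be flagged.
    "2017-06-27T10:10:00|System|7045|BUILD01|ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    # Interactive (console) logon, not a network logon: should not be correlated.
    "2017-06-27T11:30:00|Security|4624|FILESRV01|LogonType=2 Account=CORP\\admin Src=-",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<log>\w+)\|(?P<id>\d+)\|(?P<host>[\w-]+)\|(?P<detail>.*)$")
PSEXEC_SERVICE = "PSEXESVC"  # PsExec's default service/binary name


def parse_event(line):
    """Turn one flattened record into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("detail").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "log": m.group("log"),
        "id": int(m.group("id")),
        "host": m.group("host"),
        **fields,
    }


def find_psexec_installs(events):
    """Service-install events (7045) whose name or binary matches PsExec's default.
    Note: a renamed service evades this name check, so pair it with the logon
    correlation below rather than relying on the name alone."""
    return [
        e for e in events
        if e["id"] == 7045
        and (e.get("ServiceName", "").upper() == PSEXEC_SERVICE
             or PSEXEC_SERVICE in e.get("ImagePath", "").upper())
    ]


def correlate_remote_logons(events, window=timedelta(seconds=60)):
    """Pair each PsExec install with the latest network logon (4624, type 3)
    on the same host within `window`; returns (install, logon) tuples."""
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "3"]
    pairs = []
    for inst in find_psexec_installs(events):
        candidates = [
            l for l in logons
            if l["host"] == inst["host"] and timedelta(0) <= inst["ts"] - l["ts"] <= window
        ]
        if candidates:
            pairs.append((inst, max(candidates, key=lambda l: l["ts"])))
    return pairs


def lateral_movement_report(lines, fanout_threshold=2):
    """Summarise PsExec installs, the remote logons behind them, and any
    account/source that reached `fanout_threshold` or more distinct hosts."""
    events = [e for e in map(parse_event, lines) if e]
    pairs = correlate_remote_logons(events)
    by_source = defaultdict(set)
    for inst, logon in pairs:
        by_source[(logon["Account"], logon["Src"])].add(inst["host"])
    return {
        "psexec_installs": [(e["host"], e["ts"].isoformat()) for e in find_psexec_installs(events)],
        "remote_executions": [(l["Account"], l["Src"], i["host"]) for i, l in pairs],
        "fan_out": {
            f"{acct}@{src}": sorted(hosts)
            for (acct, src), hosts in by_source.items()
            if len(hosts) >= fanout_threshold
        },
    }


if __name__ == "__main__":
    for key, value in lateral_movement_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The fan-out check is the part that separates an administrator running PsExec against one box from a worm hopping between many: a single set of credentials appearing as the source of PsExec service installs on several hosts within a short period is the pattern to alert on, regardless of whether the service kept its default name.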
Fortunately, unlike WannaCry, this version of Petya spreads within the network it has already reached but does not seed itself to external hosts over the internet, which slows the rate of new infections.
What’s concerning is that unlike other ransomware, Petya seems to be more damaging to the computers it encrypts. Researchers suspect that financial gain was not its creator’s goal, and widespread damage seems more likely. The malware’s developers didn’t design a robust system to pay the ransom, and the techniques used to encrypt the systems are far more damaging.
Petya was likely engineered to infect and damage a large number of systems. It could also be that Petya is simply a distraction while the attackers work on something else.
Security experts recommend that infected organizations do not pay the ransom, as it is unlikely they will see their files decrypted.
Many anti-virus companies now claim that their software has updates to actively block and protect against Petya infections.
One thing to do is to make sure your Windows systems are updated to include the patch for the EternalBlue exploit. Doing so removes at least one avenue the Petya ransomware can use.
If your computer is infected, switch the computer off while it is rebooting to prevent the files from being encrypted. You can then try to rescue the files from the machine. If your files are already encrypted, disconnect your computer from the network to prevent the malware from spreading.
For some preventative measures, back up your files regularly and keep your anti-virus software up to date.