Cyber Security: Defence against the Petya ransomware outbreak
Posted on June 30, 2017
3 min read
A ransomware outbreak dubbed Petya (also referred to as NotPetya) has recently occurred, originating in Ukraine and infecting computers around the world.
This ransomware, like other malware of its type, uses encryption to hijack devices, promising to reverse the process on payment of a ransom.
As of the time of writing, global security research efforts are still ongoing into the Petya ransomware, but some facts and security defences can be recommended.
Organisations and individuals can minimise exposure to Petya, and its spread, with a few measures:
- Immediately apply the Microsoft Server Message Block (SMB) patches (specifically MS17-010) and make patching a priority.
- Be extra vigilant for phishing emails bearing attachments. Petya is not confirmed to have proliferated through malicious email, but future variants may.
- Disable SMBv1, and restrict the use of PsExec and Windows Management Instrumentation (WMI), to limit the spread of Petya across networks. Note that removing WMI outright breaks much Windows management tooling; in practice this means restricting who can run remote commands with it and limiting where administrative credentials are used.
The application of the Microsoft patch MS17-010 must be a priority. Cybercriminals on closed-door crime forums are claiming to have produced new financially-motivated ransomware that leverages the same EternalBlue vulnerability as Petya and WannaCry.
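The first and third measures above can be checked and applied from an elevated PowerShell prompt. The following is an added example, not code from the original article or from Telstra: it looks for an MS17-010 package by KB number and then turns off SMBv1 on both the server and client side. The KB numbers are the security-only and monthly-rollup packages named in the MS17-010 bulletin for each OS and should be verified against the bulletin before being relied on; on Windows 10 later cumulative updates supersede them, so a miss there is not proof that the host is unpatched.

```powershell
# Added example (not from the original article): check for MS17-010 and disable SMBv1.
# Run as Administrator. The KB list is taken from the MS17-010 bulletin; verify it before use.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Server 2012 (security-only / rollup)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 (later CUs supersede these)
)

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package found by KB number; confirm with the OS build or a vulnerability scanner'
}

# SMBv1 server side. Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later and
# takes effect immediately; older systems use the LanmanServer registry value documented by
# Microsoft, which needs a reboot.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Write-Host "SMB1 server currently enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
}

# SMBv1 client side (Windows 7 / 2008 R2 style): remove the SMB1 redirector (mrxsmb10) from the
# workstation service's dependencies and stop it from loading. Takes effect after a reboot.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Windows 8.1 / 10 also ship SMB1 as an optional feature that can be removed. Server SKUs use
# Remove-WindowsFeature FS-SMB1 instead, so errors from an unknown feature name are tolerated.
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

Write-Host 'SMBv1 disabled; reboot for the registry and driver changes to take effect.'
```

Disabling SMBv1 does not replace the patch: the MS17-010 vulnerability is in SMBv1 handling, so a patched host with SMBv1 enabled is protected against EternalBlue, while an unpatched host with SMBv1 disabled is protected only until someone re-enables it. Do both, and test on a representative host first, because some older printers, NAS devices and applications still depend on SMBv1.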
Victims infected by the first Petya ransomware variant should avoid paying the requested $300 ransom. The attacker’s email account has been disabled meaning decryption keys can no longer be issued to victims who have paid, and any ransoms sent will be lost.
New variants may be created that have a functional ransom payment channel, but there is no guarantee that criminals will supply purchased decryption keys.
The Federal Government’s Australian Cyber Security Centre is monitoring the Petya outbreak and working with international counterparts. Large organisations affected by Petya should contact the Centre while small organisations are advised to contact the Australian Cybercrime Online Reporting Network.
Telstra business customers can contact their account managers with inquiries.
What is Petya?
Petya was initially so-named as it was first thought to be a variant of the original Petya which surfaced last year, but technical analysis reveals this is not the case. Some security experts are now referring to this ransomware as NotPetya.
The ransomware spreads using some of the same tricks as the WannaCry ransomware outbreak of last month, but it is sufficiently different such that it should not be considered WannaCry 2.0.
It spreads to unpatched Windows hosts exposing SMB using the so-called EternalBlue exploit, and EternalRomance for Windows XP machines.
Once it lands on a machine in the network, it can spread even to machines patched against MS17-010: it steals the credentials of logged-in users and uses them with PsExec and WMI to execute itself on other hosts. This is why patching alone is not sufficient, and why the credentials of administrators who log in to many machines are the ones that matter most.
Infection rates are fast. Early analysis by US-based security consultancy TrustedSec found 5000 machines were infected in 10 minutes.
Petya encrypts the first megabyte of files of dozens of different types, including Microsoft PowerPoint, Word and various image formats. Fake system repair notices may be displayed while the ransomware is encrypting data.
Petya also creates a scheduled task to reboot the machine. Deleting that task before it fires prevents only the boot-time encryption of the Master File Table; it does not undo the encryption of files that has already taken place. Once an infected machine reboots, the code Petya wrote over the Master Boot Record runs and displays a ransom note demanding payment.
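On a host suspected of infection, two of the behaviours described above leave artefacts that can be checked from PowerShell: the scheduled forced reboot, and the service that PsExec installs on each machine it reaches. The following is an added example, not code from the original article or from any analysis it cites. It assumes Get-ScheduledTask is available (Windows 8 / Server 2012 and later) and does not rely on any particular task name, only on the task's action being a forced restart; the PSEXESVC service name is PsExec's default and is used as an assumption, since a tool renamed by the attacker would not match.

```powershell
# Added example (not from the original article): look for the reboot task and for
# PsExec-style remote service installs on a host that may be infected. Run as Administrator.

# 1. Scheduled tasks whose action is a forced restart (shutdown.exe with /r). Removing one
#    before it fires stops the boot-time MFT encryption but does not recover files that are
#    already encrypted; the host still needs to be isolated and rebuilt.
function Find-ForcedRebootTasks {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'shutdown' -and $_.Arguments -match '(^|\s)/r(\s|$)'
        }
    }
}

# 2. PsExec installs a service on the target (PSEXESVC by default, an assumption here) and the
#    Service Control Manager records the installation as event 7045 in the System log.
function Find-PsExecServiceInstalls {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, Id, Message
}

$rebootTasks = Find-ForcedRebootTasks
foreach ($t in $rebootTasks) {
    $action = $t.Actions | Select-Object -First 1
    Write-Warning "Forced reboot task '$($t.TaskName)' in $($t.TaskPath): $($action.Execute) $($action.Arguments)"
    # Uncomment to remove the task; isolate the host from the network first.
    # Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
}
if (-not $rebootTasks) { Write-Host 'No forced-reboot scheduled tasks found.' }

$installs = Find-PsExecServiceInstalls
if ($installs) {
    Write-Warning "PsExec-style service installs found: $(@($installs).Count)"
    $installs | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No PSEXESVC service installs in the System log.'
}
```

A legitimate administrator's own PsExec use will also show up as event 7045, so the finding needs to be read against who should be running remote commands on that host and when. WMI-based execution leaves no service install; catching it requires process-creation auditing (Security event 4688 with command-line logging) and looking for processes whose parent is WmiPrvSE.exe, which is outside what this example covers.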