What is Petya Malware?
Petya is malicious software (malware) that spreads through emails or websites. Once installed on a computer, it blocks access to important files through encryption. Victims who do not have a backup face losing all their data or having to pay the attackers for decryption.
The recent Petya and WannaCry attacks made headlines around the world for shutting down banks, infrastructure, and companies. But with ransomware costs projected to hit $5 billion this year, those two attacks are likely just the first of many. Petya is also called Petrwrap and has been spreading since 27 June 2017 in Ukraine, Russia, Spain, France, the UK, India, and the rest of Europe.
How does Petya ransomware work?
This ransomware affects Microsoft Windows systems by exploiting the EternalBlue vulnerability or by abusing Windows administrative tools. Although Microsoft had released a patch for the vulnerability, not everyone had installed it, even after the infamous WannaCry attack.
It encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents victims from booting their computer.
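As an added example (not code from the original post), the following Python check illustrates how a defender can detect the symptom described above: it parses a 512-byte MBR, hashes the boot code and compares it with a known-good baseline recorded while the system was healthy, and also reports a missing boot signature or a partition table with no active partition. The sample sectors and the baseline hash are constructed here for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
TABLE_OFFSET = 446            # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition list and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a captured MBR against a baseline; an empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: bootloader may have been overwritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE

# Constructed samples: one active NTFS partition (type 0x07) starting at LBA 2048.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [NTFS_ENTRY])  # healthy baseline sector
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()    # record this while clean
TAMPERED_MBR = build_mbr(b"\xeb\x00" + b"\x90" * 20, [NTFS_ENTRY])         # stand-in for an overwritten boot sector
```

On a live host the sector would come from the raw disk (for example `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows, run with administrator rights) instead of the constructed samples, with the baseline hash stored off-host.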
Infected Companies and Organizations
- Chernobyl's radiation monitoring system
- DLA Piper (law firm)
- Merck & Co. (pharmaceutical company)
- Rosneft (Russia's top oil producer)
- A.P. Moller-Maersk (Danish shipping and energy giant)
- WPP (British advertiser, the biggest advertising company)
- Russian banks
- Ukrainian banks and power grid
- Ukrainian international airport
- The Kiev metro
- Saint-Gobain (French construction materials company)
- Deutsche Post (German postal and logistics company)
- Germany's metro system
- Mondelez International
- Evraz (Russian steelmaker)
- Mars Inc (candy manufacturer)
- Beiersdorf AG (Indian unit)
- Reckitt Benckiser (Indian unit)
How to protect against Petya ransomware?
- Apply security updates, specifically Microsoft's MS17-010.
- Block inbound connections on TCP port 445.
- Disable all external SMB access (block ports 137, 139 and 445 to/from the internet).
- Disable the SMBv1 network file sharing protocol across the entirety of your IT estate.
- Disable the execution of unsigned macros in Office documents using Group Policy settings (and sign legitimate macros from your own organization).
- Educate users to stop opening suspicious emails, links, attachments, etc.
- Ensure you have good backups and that they are kept offline.
- Keep antivirus software updated.
- Rapidly isolate any infected systems from your corporate network to limit the spread to other systems.
- Identify all systems without the MS17-010 security update and prevent them from connecting to core corporate networks, and segment guest networks so they cannot access core corporate networks.
- Ensure individual user systems and key servers can be restored rapidly from backups, and that the backup frequency aligns with the amount of data your organization is prepared to lose if a system is rendered unusable.
- Ensure there are formal procedures in which employees, and those responsible for managing high-priority incidents, are well versed, to streamline the organization's reaction to ransomware events and its ability to restore service to employees and customers.
- Prevent ransomware from entering your IT environment through the most common delivery vector, phishing, by enforcing strong controls at your email gateways and network perimeters and by developing vigilant employees through robust awareness campaigns.
- Ensure you have a robust vulnerability management program to reduce the likelihood of exploitation.
- Ensure two-factor authentication is in place for all necessary external access to systems (for example VPN and RDP).
This post was written by Prime Research Team