Over the past week, various news sources have reported that many organizations across Europe, America and India have been hit by a ransomware attack known as “Petya”. This ransomware is known to have spread within large companies such as the Danish shipping and transport firm Maersk and the food company Mondelez, which has led to their systems and data being locked and held for ransom.
It is reportedly one of the major global ransomware attacks of the past two months, coming just after the WannaCry ransomware made by the hacking group Shadow Brokers, which used a vulnerability in SMB to exploit systems. Similar to WannaCry, the Petya ransomware is said to spread rapidly across networks of Microsoft Windows machines.
How does the Petya ransomware work?
The Petya ransomware takes the system hostage and demands a sum of $300 in Bitcoin. The ransomware is known to spread very quickly across an organization once it has infected a single computer, and it has been observed to have better ways of spreading itself compared to the WannaCry ransomware. It encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents victims from booting their computer.
How do you get rid of this ransomware?
Most antivirus firms have said that their products are updated to actively detect, remove and protect against the Petya ransomware. In addition, users are advised to keep their copy of Windows up to date, at the very least by installing the recent critical patch that defends against the EternalBlue vulnerability. This protects users not only from WannaCry and Petya, but also from future attacks that deliver different payloads over the same vulnerability. There is another line of defence discovered by researchers: the Petya virus checks for a read-only file, C:\Windows\perfc.dat, and when it is found, Petya won’t encrypt the files on that system. But, all said and done, this line of defence won’t prevent infection itself, i.e. the virus would still spread to other systems on your network.
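As an added example (not code from the original article), the following PowerShell creates the read-only file described above on a single machine and then verifies it. It assumes a Windows host, an elevated (Administrator) session, and the path C:\Windows\perfc.dat named in the article; the function names are this example's own. Remember the caveat from the paragraph above: this only stops encryption on the host where the file exists, it does nothing to stop the worm from reaching other machines.

```powershell
# Added example, not part of the original article.
# Creates the read-only "vaccine" file that this Petya variant is reported
# to check before encrypting, then confirms it is present and read-only.
# Assumes: Windows host, elevated PowerShell session.

function New-PetyaVaccineFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Path taken from the article; override if your Windows directory differs.
        [string]$Path = 'C:\Windows\perfc.dat'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create empty vaccine file')) {
            New-Item -ItemType File -Path $Path -Force | Out-Null
        }
    }
    # The article notes the malware looks for a read-only file, so set the flag.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $Path | Select-Object FullName, IsReadOnly, Length
}

function Test-PetyaVaccineFile {
    param([string]$Path = 'C:\Windows\perfc.dat')
    # Returns $true only if the file exists AND is read-only.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return [bool]$item.IsReadOnly
}

New-PetyaVaccineFile
if (Test-PetyaVaccineFile) {
    'vaccine file present and read-only'
} else {
    'vaccine file missing or writable'
}
```

Run it once per host (for example via a startup script or your endpoint management tool); the function is idempotent, so rerunning it on a machine that already has the file just re-asserts the read-only flag.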
Why is this called Petya ransomware?
Though there is much speculation around this ransomware, the reality is that it is not really Petya; it got the name from an old ransomware called Petya because of the significant code similarity found between the two. This has led researchers to give the virus various names according to their own findings, such as NotPetya (Kaspersky Lab) and GoldenEye (Bitdefender).
Where did it all start?
It reportedly started through an accounting program in Ukraine, which is why Ukraine has been the most affected by this ransomware. The organizations affected include governments, banks, metro systems, airports and many more. Even employees at the Chernobyl power plant had to switch to hand-held counters for radiation measurements as the radiation monitoring systems were infected by this ransomware.
How serious are these cybercriminals?
The outbreak looked very much like yet another cybercriminal trying to take advantage of exploits available on the internet for monetary gain. The payment mechanism in this ransomware was found to be very amateur. The ransom note contains a single Bitcoin address shared by every victim, which is unusual: serious cybercriminals normally use a custom address for each victim. The communication channel is also flawed, in that the email address used by the attackers appears to have been suspended by the email provider once it was discovered that the address was part of the ransomware attack. The conclusion is that even if a victim pays the ransom, there is no way to contact the attacker to request the decryption key to unlock his/her files.
What do you do if you’re infected by this ransomware?
One thing noticed about this ransomware is that after infecting a system, it waits for about half an hour before rebooting the machine. If the user switches off the computer during that reboot, they can prevent the encryption mechanism from running on the system files. Moreover, paying the ransom is of no use, as the email provided by the cybercriminals has already been shut down, meaning there is no way to get the decryption key. The better option is to switch off the machine during the reboot, disconnect it from the internet, reformat the hard disk and then restore your files from a previous backup (if you had kept a backup of your data).
What are the precautions you can take if you’re not infected yet?
Block the source e-mail address “[email protected]”, though it has already been shut down.
Block the following domains:
Also make sure to block the following IP addresses:
Update your antivirus and your copy of Windows, and also apply the following patch:
(You may want to translate it to English as the article is written in Russian)
Make sure to disable SMBv1.
This is one of the key steps for this particular variant of ransomware, since SMBv1 is the main reason this ransomware has been able to spread across so many computers and networks.
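The following PowerShell is an added example (not code from the original article) that applies the network-level precautions listed above on a single Windows host: it blocks outbound traffic to a list of addresses, disables SMBv1 on both the server and client side, and then reports the resulting state. The article's own list of IP addresses is not reproduced here, so the `$BlockedAddresses` values are placeholders from the RFC 5737 documentation ranges that you must replace with your own indicators. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (older systems disable SMBv1 through the registry instead of the optional-feature cmdlet); the function and rule names are this example's own.

```powershell
# Added example, not part of the original article.
# Applies the article's precautions on one host: block listed addresses at the
# host firewall, turn off SMBv1, and show the resulting state.
# Assumes: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

# PLACEHOLDER values (RFC 5737 documentation ranges, not real indicators):
# replace with the addresses from the article's list or your own intel feed.
$BlockedAddresses = @('192.0.2.10', '198.51.100.25')
$RuleName = 'Block Petya indicators (outbound)'

function Block-OutboundToAddresses {
    param([string[]]$Addresses, [string]$Name)
    # Remove any earlier copy of the rule so reruns stay idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -RemoteAddress $Addresses -Profile Any | Out-Null
}

function Disable-Smb1 {
    # Server side: stop this host from serving shares over SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: remove the SMB1 optional feature so this host cannot
    # speak SMBv1 to others either. Fully effective after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
        Out-Null
}

function Get-HardeningStatus {
    param([string]$Name)
    # Summarise what an auditor would want to see on this host.
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        BlockRulePresent  = [bool](Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)
    }
}

Block-OutboundToAddresses -Addresses $BlockedAddresses -Name $RuleName
Disable-Smb1
Get-HardeningStatus -Name $RuleName
```

The expected status after a reboot is `Smb1ServerEnabled` of False, `Smb1FeatureState` of Disabled and `BlockRulePresent` of True. Host firewall rules only cover the machine they run on; for the domain list in the article, blocking at the perimeter firewall or DNS resolver is the more reliable control.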
If you’ve been infected or have any other resource to share with us pertaining to this ransomware attack, then do feel free to comment below; we would want to hear your views as well.