We are currently tracking a new ransomware attack that resembles the ‘Petya’ family and is affecting machines globally.
The ‘Petya’ ransomware follows in WannaCry’s footsteps; WannaCry held tens of thousands of organisations worldwide to ransom as recently as May 2017. Deemed “more dangerous and intrusive”, ‘Petya’ had spread from Russia and Ukraine to Europe and the US at the time this article was written.
Ransomware continues to be one of the most prevalent threats today to any organisation that has both valuable data and unpatched legacy systems hidden in the cracks and corners of its network.
Following this latest attack, infected machines display the following ransom note, demanding US$300 worth of bitcoin to decrypt and recover the user’s files.
Be proactive about active protection from ‘Petya’
We strongly recommend that you take a pre-emptive and proactive stance towards protecting your organisation from ransomware, so that you are prepared for the next wave of attacks.
Active protection capability is available in many Singtel security services including:
- Singtel Broadband Protect
- Singtel Business Protect
- Singtel Managed Back-up/Disaster Recovery Service
- Singtel Managed Detection & Response for Endpoints
- Singtel Managed Threat Monitoring Services
- Trustwave Vulnerability Scanner (which will detect if a system is missing the MS17-010 patch)
- Trustwave Unified Threat Management (which will block MS17-010 exploitation attempts)
In addition, we recommend the following best practices:
1. Educate users to not click on suspicious links and attachments in emails
2. Ensure systems are kept up to date with security patches
3. Ensure anti-malware software is kept updated
4. Perform routine backup of critical data and store them offline
5. Test and prove the cyber response plan so you can prepare for, respond to and follow up on any cyber attack
Finally, if you or your organisation is infected, remediate the situation using Incident Response services.
As a trusted global Managed Security Services Provider, we will continue to analyse and post any new developments to the Trustwave SpiderLabs blog as they become available.
Contact us here if you want to speak to a Singtel security advisor.
More about the ‘Petya’ ransomware
The ‘Petya’ malware spreads over the Microsoft Windows Server Message Block (SMB) protocol, and appears to use the ETERNALBLUE exploit tool to do so. This is the same exploit the WanaCrypt0r/WannaCry malware used to spread globally in May 2017.
While most ransomware encrypts your important files, such as documents, movies and images, Petya takes an extra step: after encrypting your files, it encrypts your entire hard drive. By encrypting the system volume, the Master File Table and the Master Boot Record, Petya prevents the system from booting normally and hands control to Petya’s own bootloader, which displays the ransom note on screen. This prevents attempts at file recovery using standard forensic techniques such as booting to a LiveCD or another OS.
The malware also appears to be more focused on spreading across the Local Area Network than out to the Internet. The first action the ransomware performs on an infected system is to pull local credentials, which it then attempts to use to spread to other systems on the local network. To accomplish this lateral spread, the malware uses common Windows tools: Windows Management Instrumentation (WMI) and PsExec. This means the damage can spread far wider if a system holding network administration credentials is compromised.
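The two spreading behaviours described above (SMB-based propagation, and lateral movement with stolen credentials via WMI and PsExec) leave traces in ordinary Windows telemetry that a monitoring team can alert on. The following is an added example written for this article, not Singtel or Trustwave code and not taken from the malware: it runs three simple heuristics over constructed sample events. It assumes PsExec is used with its default remote service name (PSEXESVC) and that WMI-launched processes appear with WmiPrvSE.exe as their parent; a renamed PsExec copy or a different remote-execution tool would not be caught by the first two checks, which is why the SMB fan-out check is included as well.

```python
"""Detection heuristics for the lateral-movement pattern described above.

All events below are CONSTRUCTED samples, not real telemetry; field names are
a simplified stand-in for Windows Security/System/Sysmon log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed events: a quiet workstation (WS01 at 10:00), one WMI-spawned
# shell (WS02), one PsExec-style service install (WS03), then WS01 fanning out
# over SMB to a dozen peers within a minute. WS04 is a benign file-share user.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:00:01", "host": "WS01", "kind": "process",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    {"ts": "2017-06-27T10:02:10", "host": "WS02", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "user": r"CORP\svc_admin"},
    {"ts": "2017-06-27T10:02:15", "host": "WS03", "kind": "service_install",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "user": r"CORP\svc_admin"},
    {"ts": "2017-06-27T10:05:00", "host": "WS04", "kind": "network",
     "dst_ip": "10.0.0.5", "dst_port": 445},
    {"ts": "2017-06-27T10:05:30", "host": "WS04", "kind": "network",
     "dst_ip": "10.0.0.5", "dst_port": 445},
    {"ts": "2017-06-27T10:05:31", "host": "WS04", "kind": "network",
     "dst_ip": "10.0.0.9", "dst_port": 443},
]
# Twelve SMB connections from WS01 to twelve distinct internal peers in 12 s.
SAMPLE_EVENTS += [
    {"ts": f"2017-06-27T10:03:{i:02d}", "host": "WS01", "kind": "network",
     "dst_ip": f"10.0.0.{20 + i}", "dst_port": 445}
    for i in range(12)
]


def _basename(path):
    """Lower-cased file name of a Windows path (works with %SystemRoot% too)."""
    return PureWindowsPath(path).name.lower()


def detect_wmi_spawn(events):
    """Processes whose parent is the WMI provider host, i.e. started through
    WMI rather than by an interactive user. Benign WMI use exists, so treat
    each hit as a lead to triage, not as proof of compromise."""
    return [e for e in events
            if e["kind"] == "process" and _basename(e["parent"]) == "wmiprvse.exe"]


def detect_psexec_service(events):
    """Service installs matching PsExec's default remote service naming.
    Assumption: the default name is used; a renamed copy evades this check."""
    return [e for e in events
            if e["kind"] == "service_install"
            and ("psexesvc" in e["service_name"].lower()
                 or _basename(e["image_path"]).startswith("psexesvc"))]


def detect_smb_fanout(events, threshold=10, window=timedelta(seconds=60)):
    """Hosts that reach at least `threshold` distinct peers on TCP/445 inside
    any `window`-long interval. Returns [(host, peak_distinct_peers)] sorted
    by host. Workstations rarely talk SMB to many peers; servers may, so tune
    the threshold per asset class."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "network" and e["dst_port"] == 445:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["dst_ip"]))
    findings = []
    for host, conns in sorted(by_host.items()):
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            findings.append((host, peak))
    return findings


def run_detections(events):
    """Run all three heuristics and return the findings keyed by name."""
    return {
        "wmi_spawn": detect_wmi_spawn(events),
        "psexec_service": detect_psexec_service(events),
        "smb_fanout": detect_smb_fanout(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Run against the constructed sample, the WMI check flags the shell on WS02, the service check flags WS03, and the fan-out check flags WS01 with a peak of 12 distinct SMB peers while WS04's repeated connections to a single file server stay below the threshold. In production the same three functions would be fed from process-creation, service-install and network-connection events collected centrally; the fan-out heuristic is the one most likely to catch a variant that swaps out WMI or PsExec for another remote-execution method.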