Petya Ransomware - What you need to know

Friday 30th June 2017

This week, a new outbreak of ransomware, titled "Petya", began to hit Ukraine and has gone on to attack much of Europe and the U.S.

What is Petya?

Petya (also known in this version as NotPetya) is a combination of ransomware, malware and a banking Trojan that exploits a group of Microsoft Windows vulnerabilities collectively known as MS17-010. Please see below a short technical update on Petya which shares how it works, how to remediate against it and what to do if affected.

How does it work?

Petya is being compared to WannaCry because it employs the same EternalBlue exploit, but this is only one component of the attack. Petya uses other tools for moving quickly across networks. The ransomware finds passwords on infected computers to move to other systems, and can extract passwords from memory or from local file systems.
Another Petya technique is to abuse PsExec and Windows Management Instrumentation (WMI) to spread the infection by executing malicious code on other computers. If the infected PC has administrator access, every computer it can reach can become infected. It can then infect even patched Windows PCs, including those running Windows 10.
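As an added defender-side example (not code from the original post, and not a Bytes tool), the following Python flags the two spreading techniques just described, PsExec service installation and WMI-launched execution, in constructed, simplified Windows event records and raises an alert when they land on several hosts in a short window. The field names, event records and hostnames are assumptions for this example; on real systems, the parent-process field in event 4688 is only present when process-creation auditing is enabled.

```python
"""Flag PsExec- and WMI-style remote execution across hosts (added example, constructed data)."""

# Constructed sample events, simplified from Windows System (7045: service installed)
# and Security (4688: process created) logs. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe", "ts": 100},
    {"host": "WS02", "event_id": 4688, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "ts": 105},
    {"host": "WS03", "event_id": 4688, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "ts": 110},
    {"host": "WS04", "event_id": 7045, "service": "PSEXESVC", "image": r"C:\Windows\svc_tmp.exe", "ts": 112},
    {"host": "WS05", "event_id": 4688, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "ts": 120},
]

WMI_HOST_PROCESS = "wmiprvse.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Last component of a Windows path, lower-cased, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding label for one event, or None if nothing here looks like remote execution."""
    if event["event_id"] == 7045:
        # The service name is a steadier signal than the dropped binary's path, which is easily
        # renamed; the service name can be changed too, so treat this rule as a starting point.
        if event.get("service", "").upper() == "PSEXESVC" or basename(event.get("image", "")).startswith("psexesvc"):
            return "psexec_service_install"
    if event["event_id"] == 4688 and basename(event.get("parent", "")) == WMI_HOST_PROCESS:
        # An interpreter spawned by the WMI provider host is the footprint of remote WMI execution.
        if basename(event.get("image", "")) in INTERPRETERS:
            return "wmi_spawned_interpreter"
    return None

def find_lateral_movement(events, window=60, min_hosts=3):
    """Return (findings, alerts): per-event findings, plus an alert when remote-execution
    findings land on at least `min_hosts` distinct hosts within `window` seconds."""
    findings = [(e["ts"], e["host"], classify(e)) for e in sorted(events, key=lambda e: e["ts"])]
    findings = [f for f in findings if f[2] is not None]
    alerts = []
    for t0, _, _ in findings:
        hosts = {h for t, h, _ in findings if t0 <= t <= t0 + window}
        if len(hosts) >= min_hosts:
            alerts.append({"start": t0, "hosts": sorted(hosts)})
            break  # one alert per burst is enough here; a SIEM would keep sliding the window
    return findings, alerts
```

The benign WS03 event (notepad launched from Explorer) produces no finding, while the other four events on four hosts within sixty seconds trigger one alert.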

How can I prevent Petya?
Thus far, there has been no obvious killswitch published for Petya as was found with WannaCry.

Apply Available Patches Now
Both Microsoft and the UK’s National Cyber Security Centre recommend that vulnerable systems stay current with Microsoft software updates and apply all of the most recent software updates issued by Microsoft. At the very least we recommend that businesses start by installing March’s critical patch defending against the EternalBlue vulnerability.


Been Hit? What to do...

If the system reboots with the ransom note, don’t pay the ransom – the “customer service” email address has been shut down so there’s no way to get the decryption key to unlock your files anyway.

If you have been affected, the following should be actioned as soon as possible to limit the damage from this attack:

• Isolate infected systems from the rest of the network immediately to avoid spreading the malware.
• If a suitable backup of the encrypted data is available – restore this to a fully patched & cleansed machine once all of the affected devices have been patched and updated.

Under Attack? We can help!

Contact our security specialists for advice and practical assistance.

Bytes offer a range of security solutions for both network and end-point security that provide additional protections to help stop the spread of the Petya malware and to identify the source infection point. If you have been attacked and need support do not hesitate to contact our technical team.
We offer a range of Managed Services for security, Backup and Disaster Recovery.

If you would like to discuss this please contact the Bytes Security Team on 01372 418500. We can guide you in the right direction based on your current infrastructure and technologies.

8 Steps to protect yourself from the next attack

1. Make sure software patches are routinely applied
2. If possible, only use supported operating systems/software OR utilise technology such as virtual patching
3. Make sure you have a robust endpoint technology and consider utilising Next Gen security to overlay
4. Have a strong backup process
5. Train your employees on how to spot phishing emails
6. Keep security assurance practice up to date, such as penetration testing
7. Practise responding to a ransomware attack in a tabletop exercise to be able to hit the ground running
8. Create a Cyber Incident Response Plan and consider having retainer agreements

Further Reading on the Attack

Sophos
Crowdstrike
Trend Micro
McAfee
Mimecast
