Thursday 29 June 2017

Petya ransomware

The Petya ransomware attack that crippled computers in 64 countries worldwide was spread by accounting software, according to Microsoft, highlighting the dangers posed by compromised third-party apps.
The outbreak started in Ukraine, where more than 12,500 machines were infected, and there is now evidence this new Petya malware variant was initially spread via an updater for the tax accounting software MEDoc.

A large number of organizations were infected, many in Ukraine, including Danish transport company Maersk, Russian oil firm Rosneft, the Kiev metro system, National Bank of Ukraine, the law firm DLA Piper, US pharmaceutical company Merck and many others.


How to protect yourself

Once the ransomware infects a machine, it then attempts to spread itself to other PCs on the network. To propagate itself, it will try to steal credentials to gain local admin privileges, attempt to use file-shares to transfer the malicious file between PCs, and then remotely execute the file. The ransomware encrypts entire hard drives and demands a Bitcoin payment of $300 to release them.
The malware can also spread itself using the EternalBlue exploit for an SMB vulnerability, which was used by WannaCry to spread between machines. The vulnerability was patched by Microsoft in March this year.
Microsoft recommends applying this security update, but for those who aren't able to, it suggests firms "disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547" and "consider adding a rule on your router or firewall to block incoming SMB traffic on port 445".
Another workaround for blocking infection by Petya is to create an extensionless, read-only file called perfc in the C:\Windows folder, using the steps outlined here.
Microsoft also provides a detailed breakdown of the commands and network activity that indicate a Petya infection.
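The three host-side workarounds above (disable SMBv1, block inbound TCP/445, create a read-only extensionless perfc file in the Windows folder) can be audited and applied from one PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the SmbShare and NetSecurity cmdlets), and it applies the port 445 block on the host firewall rather than on a router, which is an interpretation of the advice.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (default) or apply (-Apply) the Petya workarounds described above.

function Invoke-PetyaHardening {
    param([switch]$Apply)

    $result = [ordered]@{}

    # 1. SMBv1: KB2696547 documents Set-SmbServerConfiguration for turning it off.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $result.SMB1Enabled = $smb1
    if ($smb1 -and $Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 2. Inbound TCP/445 on the host firewall (assumption: host-level rule instead of
    #    the router rule the post mentions). Caveat: this also blocks legitimate
    #    file and printer sharing offered by this machine.
    $ruleName = 'Block inbound SMB (TCP 445) - Petya mitigation'   # name chosen here
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $result.Port445Blocked = [bool]$rule
    if (-not $rule -and $Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        $result.Port445Blocked = $true
    }

    # 3. Extensionless, read-only perfc file in the Windows folder.
    $perfc = Join-Path $env:SystemRoot 'perfc'
    $exists = Test-Path -LiteralPath $perfc -PathType Leaf
    $readOnly = $exists -and (Get-Item -LiteralPath $perfc).IsReadOnly
    if (-not $readOnly -and $Apply) {
        if (-not $exists) { New-Item -Path $perfc -ItemType File -Force | Out-Null }
        Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
        $readOnly = $true
    }
    $result.PerfcReadOnly = $readOnly

    [pscustomobject]$result
}

# Audit only (no changes made):
Invoke-PetyaHardening
# Apply all three workarounds:
# Invoke-PetyaHardening -Apply
```

None of these workarounds replaces the March security update; they only reduce the spread path while patching is pending.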

Other reports say that the provider of the email address shown in the ransom note has shut it down, so there is no way to pay or to ask the attacker to decrypt your data.

While steps can be taken to block the attack on your own PC, so far there is no 'kill switch' to stop the virus from spreading.

Of course the familiar advice still applies: keep your Windows machine updated with security updates and run a good antivirus solution to protect yourself, like the one we offer.

Source: Techrepublic