Petya or NotPetya – that is not the question!

Petya ransomware or NotPetya ransomware?

The new ransomware attack, called Petya or NotPetya depending on whom you ask, is hitting computers and servers across Europe, the US, the UK, Ukraine, Russia and India. This new wave of ransomware has swept the world once again. While the pattern of the attack is the same as the earlier WannaCry attack, the symptoms resemble a ransomware family called Petya, which has been around since 2016. Symantec and others are reporting it as Petya or a version of Petya; Kaspersky Lab says the sample is not an exact match for the known Petya variants and that it is actually a new form of ransomware not seen before, which is why Kaspersky is calling it "NotPetya."

Remember that the "WannaCry" attack hit more than 230,000 computers in over 150 countries last month? If you missed reading about it, you can still read it here: http://www.vishalvasu.com/wannacry-ransomware-attack/

Coming back to Petya or NotPetya (whatever!!), it has been reported that the ransomware spreads quickly by riding on the EternalBlue exploit, which targets the Windows SMBv1 file-sharing protocol. Unlike WannaCry, this malware does not stop at encrypting individual files: it encrypts the NTFS Master File Table (MFT) and overwrites the Master Boot Record (MBR) with a custom boot loader, so the machine cannot even boot into Windows. The malware tries one way of infecting a host and, if that fails, tries the next one, which shows a more robust and deliberate propagation mechanism than WannaCry had. Once infected, the victim is asked to pay $300 in Bitcoin.

The attack appears to have been launched through the software update mechanism built into a Ukrainian accounting program called MeDoc. Companies working with the Ukrainian government need to use this product, which explains why so many Ukrainian organizations were affected, including government departments, banks, state power utilities, airports and the metro system. Even the radiation monitoring systems at Chernobyl were taken offline, forcing employees to use hand-held counters to measure radiation. Another attack vehicle reported was a phishing campaign carrying malware-infected attachments. At the time of writing, the email address that the attackers used for ransom communication has been suspended by its service provider, so victims have no way to contact them for a decryption key even if they pay.

How can I protect my network and data from ransomware?

Nothing beats having a game plan: run genuine (licensed) software, patch promptly and back up regularly. Here are a few tips I would like to share:

For Small Businesses

  • If you thought that investing in a legal and genuine operating system was a wasted investment, you are mistaken. Eventually you will end up spending more on backups, re-installations, reconfigurations and lost productivity. If you have been thinking of going genuine, do not think twice: buy that activation so that you receive the latest Windows updates and patches.
  • Still running Windows XP just because you do not want to upgrade the hardware? In today's world, faster processing is the key to better productivity. Moreover, Microsoft has stopped supporting Windows XP, which means no more software updates or patches to close vulnerabilities, even if your copy of Windows XP is genuine. Go ahead and upgrade.
  • No anti-virus because you never connect that machine to the Internet? What about USB sticks and external drives? Don't you use them to share data? Infection can spread from there too. Invest in a good anti-virus; it is not as costly as you think. Also make sure that your anti-virus is up to date and set up for regular automatic scans.
  • Back up important data on your computer in case it gets held for ransom. Make it a habit to back up to external hard drives or cloud storage, and keep the backup drive disconnected when you are not backing up, so that ransomware cannot encrypt the backup along with the originals.

For Enterprises

  • Apply the latest Microsoft security patches, especially MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which closes the SMBv1 vulnerability that EternalBlue exploits. Where SMBv1 is not needed, disable it as well.
  • Back up key data and store it in a safe place that is off the network.
  • Ensure all incoming and outgoing emails are scanned for malicious attachments.
  • Ensure anti-virus programs are up to date and performing both scheduled and real-time scans.
  • Educate employees on identifying scams, malicious links and emails that may carry malware.
  • Run penetration tests against your network's security at least once a year.
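As an added example (not from the original post), here is a PowerShell script that audits a Windows host for the controls above that matter most against this worm: whether an MS17-010 update is installed, whether the SMBv1 server is disabled, and whether the host firewall blocks inbound TCP 445. The -Fix switch applies the SMBv1 and firewall remediation. The KB numbers are the ones published in the MS17-010 bulletin linked above; later cumulative updates supersede them, so verify against the bulletin for your exact build.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not part of the original post: audit a Windows host for the
  controls most relevant to an SMB worm (MS17-010 installed, SMBv1 disabled,
  inbound 445 blocked) and optionally remediate. Run in an elevated PowerShell.
  Assumption: the KB list is the one from the MS17-010 bulletin; later cumulative
  updates supersede these KBs, so a miss means "verify", not "vulnerable".
#>
[CmdletBinding()]
param(
    [switch]$Fix   # apply remediation instead of only reporting
)

# MS17-010 security updates by OS, as published in the bulletin (assumed list; verify)
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [PSCustomObject]@{
        Check  = 'MS17-010 update installed'
        Pass   = $found.Count -gt 0
        Detail = if ($found.Count) { $found -join ', ' } else { 'no listed KB found; check for a newer cumulative update' }
    }
}

function Test-Smb1 {
    # EternalBlue targets SMBv1 only; turning the SMBv1 server off stops the
    # worm from reaching even an unpatched host over port 445.
    $cfg = Get-SmbServerConfiguration
    [PSCustomObject]@{
        Check  = 'SMBv1 server disabled'
        Pass   = -not $cfg.EnableSMB1Protocol
        Detail = "EnableSMB1Protocol = $($cfg.EnableSMB1Protocol)"
    }
}

function Test-Smb445Block {
    # Is there at least one enabled inbound host-firewall rule that blocks TCP 445?
    $rules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
        })
    [PSCustomObject]@{
        Check  = 'Inbound TCP 445 blocked by host firewall'
        Pass   = $rules.Count -gt 0
        Detail = if ($rules.Count) { $rules.DisplayName -join ', ' } else { 'no blocking rule (expected on file servers; add one elsewhere)' }
    }
}

function Invoke-Remediation {
    # 1. Turn off the SMBv1 server component.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Remove the SMBv1 optional feature where the OS exposes it
    #    (on Windows Server use: Uninstall-WindowsFeature FS-SMB1).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # 3. Block inbound SMB on the Public profile; workstations rarely need to serve files there.
    $ruleName = 'Block inbound SMB 445 (Public)'   # hypothetical rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
    # Patching itself is left to your update channel (WSUS / Windows Update):
    # install the MS17-010 update for your OS version.
}

$results = @((Test-Ms17010), (Test-Smb1), (Test-Smb445Block))
$results | Format-Table Check, Pass, Detail -AutoSize

if ($Fix -and ($results | Where-Object { -not $_.Pass })) {
    Invoke-Remediation
    Write-Host 'Remediation applied; re-run without -Fix to confirm, and install the MS17-010 update if it is still missing.'
}
```

Run it once without -Fix to see the report, fix the failing checks, then run it again to confirm. The SMB cmdlets used here exist on Windows 8 / Server 2012 and later; on older systems that still need SMBv1 disabled, use the registry method described in Microsoft's SMBv1 guidance. Do not apply the port-445 block rule on a file server or domain controller, where inbound SMB is required.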

Remember, it’s always better to be safe than sorry. If you have not yet worked on a plan for securing your networks and your data, then start today. Need help with consulting or auditing? Feel free to write back to me.

4 thoughts on “Petya or NotPetya – that is not the question!”

  1. Yes, this time the data damage is done in a different way. The days are gone when we practised MONTHLY server maintenance for patching the OS. It should be weekly for production infrastructure.

    Also, you are very right, sir, that we cannot leave our network open for attackers just like we are ready to host them. So prevention is always better than cure.

    Nice article, sir.

  2. Yes, very true. The question is not what to call the ransomware but how secure the organisations of today are and what we are doing to protect our data. Well said, and I will contact you to learn how I can safeguard my data.

    1. Yep, we need to safeguard not only our data but also our practices. Thank you, Rob, for your comments, and I will look forward to hearing from you regarding your data protection queries.
