Petya Ransomware: What is it & How can it be stopped?
On 27 June 2017, several organizations across the world reported ransomware infecting their systems. The ransomware, which was identified as a new strain of the existing Petya, is spreading rapidly. Against this backdrop, we are providing all the details related to Petya Ransomware and the steps to be taken to stop its spread.
On 27 June 2017, several organizations across the world, especially in Europe, reported ransomware infecting their systems, modifying their master boot records and encrypting their files. In India, operations at one of the three terminals of the Jawaharlal Nehru Port, Mumbai were disrupted by the same global attack.
The ransomware, identified as a new strain of the existing Petya, is spreading rapidly and affecting organizations, businesses and end users. The attack, which many believe originated in Ukraine, is turning into an outbreak reminiscent of the one caused by WannaCry in May 2017.
Against this backdrop, Jagran Josh is providing all the details one should know about ransomware in general and Petya in particular. The details are given below.
What is ransomware?
Ransomware is a type of malicious software that infects and restricts access to a computer until a ransom is paid. Although there are other methods of delivery, ransomware is frequently delivered through phishing emails and exploits unpatched vulnerabilities in software.
What is the modus operandi?
Phishing emails are crafted to appear as though they come from a legitimate organization or a known individual. They entice the recipient to click a link or open an attachment that carries malicious code; once that code runs, the malware is installed and the computer is infected.
Why is it called Petya Ransomware?
The recent malware bears a superficial resemblance to the latest versions of Petya, a ransomware strain first seen in 2016. The name Petya is a Russian diminutive of Pyotr (Peter), which ultimately derives from the Greek word for rock.
However, some researchers consider the recent sample an entirely new piece of malware that is merely designed to look like Petya. The original Petya, for instance, has a working ransom-collection and file-decryption mechanism; the present version has neither, which means that paying the ransom offers no realistic route to recovering the files.
How does the Petya spread?
Primarily, Petya is a worm, so it can propagate by itself. According to experts, it does this by building a list of target computers and then using two methods to spread to them: IP address and credential gathering, followed by lateral movement.
Method 1 - IP address and credential gathering: The ransomware first builds a list of IP addresses to spread to, consisting mainly of addresses on the local area network (LAN) but also some remote IPs. For this reason, organizations with large networks are far more exposed than stand-alone computers and individual internet users.
Once the targets are identified, Petya builds a list of user names and passwords it can use to reach them, and keeps that list in memory. It gathers credentials in two ways: by reading user names and passwords from Windows Credential Manager, and by dropping and executing a 32-bit or 64-bit credential dumper. Any administrator who has logged on to the infected machine therefore hands the worm a key to every other machine where the same credentials work.
Method 2 - Lateral movement: Petya uses two techniques to move across the network: executing itself on remote machines over network shares with the harvested credentials, and exploiting SMB directly. Blocking SMB (TCP port 445) between workstations and not reusing local administrator passwords across machines cuts off both routes.
What does the Petya do?
Petya differs from typical ransomware in that it does not only encrypt files: it also overwrites the master boot record (MBR) with its own boot code. The MBR is the first sector of the disk and is sometimes called the master partition table, because alongside the bootstrap code it holds the table that locates each partition the disk has been formatted into.
The modified MBR lets Petya hijack the normal loading process on the next reboot. Instead of the operating system, the malware's own loader runs and encrypts the master file table (MFT), which the file system needs to find any file, while displaying a fake CHKDSK repair screen so the user waits. Finally, it displays a ransom note. In the latest attack the attackers demanded $300 in Bitcoin to recover the files. Because the damage is done by a boot-time loader, a machine that has been infected but not yet rebooted should be powered off rather than restarted, and its files copied from a clean boot medium.
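The MBR layout described above (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature) is simple enough to check directly. The following Python script is an added example, not code from the article or from any vendor: it parses a 512-byte sector, hashes the boot code, and compares it with a baseline recorded while the machine was known to be clean, which is how a defender would spot a replaced bootloader before the next reboot. The sample sectors, the partition layout, and the "loader stub" bytes are constructed test data, not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, which Petya replaces with its own loader
TABLE_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: BIOS refuses to boot the sector without this
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into a boot-code hash, the partition table and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_LEN)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR still matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device."""
    # Linux: "/dev/sda" (as root); Windows: r"\\.\PhysicalDrive0" (as administrator).
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a synthetic MBR for testing; constructed data, not a real disk image."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, start, count)
                     for bootable, ptype, start, count in partitions)
    return (boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(4 * ENTRY_LEN, b"\x00") + BOOT_SIGNATURE)


# Constructed samples: a "clean" loader recorded as the baseline, and the same disk after the
# boot code has been replaced while the partition table is left untouched, as Petya does.
PARTITIONS = [(True, 0x07, 2048, 204800)]                       # one bootable NTFS partition (hypothetical)
CLEAN_MBR = build_mbr(b"\xeb\x3c\x90 original loader stub", PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0 replaced loader stub", PARTITIONS)
BASELINE_BOOT_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_BOOT_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_BOOT_SHA256))
```

In practice the baseline hash is recorded once per machine (or per disk image) and re-recorded after any legitimate bootloader change such as an OS upgrade; a hash mismatch outside such a change is the signal to power the machine off and image the disk rather than reboot it.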
What you should do to shield your system from Petya?
To shield your system from ransomware attacks, perform the following tasks.
• Perform frequent backups of the system and important files, and verify those backups regularly.
• If ransomware does strike, a backup lets you restore the system to its earlier state, losing only what changed since the last backup.
• The safest practice is to store backups on a separate device that is kept offline or is otherwise unreachable from the network, so that the ransomware cannot encrypt the backups as well.
• Exercise caution before clicking directly on links in emails, even if the sender appears to be known.
• Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
• Follow best practices for Server Message Block (SMB): disable SMBv1 where it is not required, and install Microsoft's March 2017 SMB security update (MS17-010) immediately, since the SMB exploits used for lateral movement rely on that unpatched flaw.
For general best practices on patching and phishing, users must -
• Ensure that your applications and operating system have been patched with the latest updates. Vulnerable applications and operating systems are the target of most attacks.
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Avoid providing personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Be cautious about sending sensitive information over the Internet before checking a website's security.
• Pay attention to the URL of a website. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG.
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
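The advice above to watch for spelling variations and swapped top-level domains in URLs can be turned into a check that runs over links before a user clicks them. The following Python script is an added example, not code from the article: it classifies a URL against an allowlist of domains an organization actually uses, flagging a swapped TLD (example.net for example.com), a small edit distance in the domain label (examp1e.com), and a trusted name buried inside an attacker-controlled host (example.com.evil.net). The allowlist and all of the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of domains the organization actually uses (assumed, not from the article).
TRUSTED_DOMAINS = ("example.com", "examplebank.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domain labels signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the lower-cased host; accepts bare hosts as well as full URLs."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL relative to the allowlist: trusted, tld-swap, lookalike, embedded, unknown or invalid.

    The registrable domain is taken as the last two labels, which is wrong for two-level
    public suffixes such as co.uk; use the Public Suffix List for production checks.
    """
    host = hostname_of(url)
    labels = host.split(".")
    if len(labels) < 2:
        return "invalid"
    label, tld = labels[-2], labels[-1]
    if f"{label}.{tld}" in trusted:
        return "trusted"                           # www.example.com
    pairs = [t.rsplit(".", 1) for t in trusted]
    if any(label == t_label and tld != t_tld for t_label, t_tld in pairs):
        return "tld-swap"                          # example.net instead of example.com
    if any(edit_distance(label, t_label) <= 2 for t_label, _ in pairs):
        return "lookalike"                         # examp1e.com, exampel.com
    if any(f".{t}." in f".{host}." for t in trusted):
        return "embedded"                          # example.com.evil.net
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.example.com/login", "https://example.net/login",
                   "http://examp1e.com/", "http://example.com.evil.net/", "https://unrelated.org"):
        print(f"{sample:40} {classify_url(sample)}")
```

Anything other than "trusted" is a reason to verify the link out of band, as the list recommends; "unknown" is not a clean bill of health, only the absence of an obvious imitation.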
Given the growing digitalization and interconnectedness of administrative, trade, business and defence infrastructure, it is high time that policy makers across the world joined hands to curtail ransomware attacks in the future.