A new strain of Petya ransomware has struck Europe and is spreading around the world, affecting many organizations. Symantec has confirmed that the Petya ransomware, like WannaCry, is using an EternalBlue exploit to spread, and has published an update on its blog, including the following key details:
- A new strain of the Petya ransomware started propagating on June 27, 2017, infecting many organizations. Similar to WannaCry, Petya uses the EternalBlue exploit to propagate itself.
- Petya has been in existence since 2016. It differs from typical ransomware in that it doesn't just encrypt files; it also overwrites and encrypts the master boot record (MBR).
- In this latest attack, the following ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files:
Symantec commentary on Petya Ransomware Attack
Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan
At Symantec, we see that cyber attackers are compromising businesses and individuals in Asia with continued success. While the threat may have started in Eastern Europe, it has quickly spread across the world within a short time.
Manufacturing organisations, which are highly concentrated in Asia, are particularly at risk as most do not apply updates and patches to their industrial computers as swiftly as corporate entities. This makes them especially vulnerable to rapid infections and complete shutdowns.
How does Petya compare to WannaCry?
Petya shares two similar aspects with WannaCry – firstly, it is a ransomware attack that locks up files and secondly, it is using the ETERNALBLUE (MS17-010) Windows vulnerability as an infection vector to spread inside networks.
More importantly, Petya differs from WannaCry in that this malware goes beyond just locking up files to locking up the whole system – rendering the victims’ computers completely inoperable. Furthermore, Petya includes other infection methods. Aside from emails, it can also spread inside networks via other mechanisms like PSExec, which allows users to execute processes on other systems without having to manually install client software, and Windows Management Instrumentation (WMI).
Here are some Symantec tips to protect consumers and organisations:
- Keep Your Software Up-to-Date. The bad guys know about weaknesses in the software on your PC before you do. And they try to use them to get on your machine. It’s called exploiting a vulnerability. This attack searches for and exploits a vulnerability in Microsoft Windows operating systems. Computers that do not have the latest Windows security updates applied are at risk of infection.
- Use Security Software – New ransomware variants are popping up all the time. Unless you know a well-trained professional who can keep an eye on your devices and watch your online activity 24/7, consumers should employ a security solution to do the monitoring and protecting for them. Norton Security helps protect against Petya via a variety of built-in protections.
- Don’t Click on Attachments in Email – Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments and be especially wary of a Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Back-up Your Files – Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. No one ever thinks anything bad will happen to them, until it does. Everyone knows they need to back up their files. Now you have one more very good reason to do it.
- Don’t Pay the Ransom – People assume they’ll automatically get their files back if they pay the ransom. You likely will get your files back if you pay. But you may not. Since the attackers already know you’ll pay the ransom, they could target you for future attacks.
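The infection vector described above (ETERNALBLUE / MS17-010 over SMBv1) and the "keep your software up to date" tip translate into a concrete host check. The following PowerShell script is an added example, not code from Symantec's post: it reports whether SMBv1 is enabled, whether any of a caller-supplied list of MS17-010 hotfix IDs is installed, and when the last update was applied, and can optionally turn SMBv1 off. It assumes Windows 8 / Server 2012 or later run from an elevated prompt; the `$Ms17010Kbs` list is a placeholder to be filled from the MS17-010 bulletin for your build.

```powershell
# Added example (not Symantec's code): audit one Windows host for the conditions
# the Petya/WannaCry EternalBlue vector relies on, and optionally disable SMBv1.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell.
# $Ms17010Kbs is a placeholder; fill it from the MS17-010 bulletin for your OS build.
# Later cumulative updates supersede those KBs, so "no match" means verify, not "vulnerable".
param(
    [string[]] $Ms17010Kbs = @(),   # e.g. KB IDs listed for your build in MS17-010
    [switch]   $DisableSmb1
)

function Get-Smb1Status {
    # EnableSMB1Protocol is the server-side switch EternalBlue needs to be on.
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Get-PatchStatus {
    param([string[]] $Kbs)
    $hotfixes = Get-HotFix
    $matched  = $hotfixes | Where-Object { $Kbs -contains $_.HotFixID }
    $latest   = $hotfixes | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Ms17010HotfixFound = [bool]$matched
        MatchedHotfixIds   = ($matched | ForEach-Object { $_.HotFixID }) -join ','
        LastUpdateDate     = if ($latest) { $latest.InstalledOn } else { $null }
    }
}

$smb   = Get-Smb1Status
$patch = Get-PatchStatus -Kbs $Ms17010Kbs
Write-Output "SMBv1 server enabled : $($smb.Smb1ServerEnabled) (feature: $($smb.Smb1FeatureState))"
Write-Output "MS17-010 hotfix found: $($patch.Ms17010HotfixFound) [$($patch.MatchedHotfixIds)]"
Write-Output "Last update installed: $($patch.LastUpdateDate)"

if ($smb.Smb1ServerEnabled -and -not $patch.Ms17010HotfixFound) {
    Write-Warning "SMBv1 on and no MS17-010 hotfix seen: confirm patch level before this host is reachable on TCP 445."
}
if ($DisableSmb1 -and $smb.Smb1ServerEnabled) {
    # Removes the EternalBlue vector; it does NOT stop the PSExec/WMI spread the
    # post mentions, which rides on harvested credentials rather than SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server protocol disabled."
}
```

Run it across a fleet with your remoting tool of choice; unpatched hosts with SMBv1 enabled and an old LastUpdateDate are the ones this attack reaches first.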