After WannaCry, the ransomware that brought down many systems around the world last month, a similar cyber threat named PETYA is now going viral. Just like WannaCry, this ransomware locks up the system and forces the victims to pay $300 worth of Bitcoin if they want to obtain the key that unlocks the encryption and gets all their data back.
PETYA attacks have been reported in many European countries and have brought down systems in many companies, namely:
- Rosneft, Russia’s biggest oil company, has had its servers infected by the ransomware
- P. Moller-Maersk, Denmark’s largest multinational logistics company, has had IT system outages in its operational offices across the world.
- WPP, Britain’s largest ad agency, has had some of its agencies’ computer systems attacked
- Merck & Co also reported that its network was compromised
- Saint Gobain, the French construction materials company, had to isolate its computer systems to protect data
- Several Ukrainian banks had their operations disrupted by the cyber attack
With such impact, we can conclude that this is a massive global cyber attack and that even large companies with advanced IT systems can be victims. It is important to stay alert and be aware of this rapidly spreading campaign.
How PETYA works
PETYA, also known as GoldenEye, reportedly began its attack on Tuesday, 27th June 2017. It is confirmed that PETYA is more vicious than WannaCry. A WannaCry-infected computer “only” has its files and folders encrypted. A PETYA-infected computer, on the other hand, is forced to reboot, then has its Master File Table (MFT) encrypted and its Master Boot Record (MBR) replaced with a custom boot loader that displays the ransom message and prevents the system from booting up. In other words, PETYA effectively locks up the entire disk, and the infected computer’s whole system becomes inaccessible.
This ransomware spreads to other computers on the network by exploiting the Microsoft Office vulnerability described in CVE-2017-0199. It also uses the SMBv1 vulnerability described in Microsoft security bulletin MS17-010, just like the previous WannaCry incident.
What can we do?
There is still no way to recover a locked system as of the release of this article; however, there are a few ways to stop PETYA from affecting your business:
- It is highly recommended, if possible, to temporarily block port 445 on your firewall and shut down the SMBv1 service on Windows machines. This can be done via Control Panel > Programs and Features > click “Turn Windows Features on or off” on the left side of the window > find “SMB 1.0/CIFS File Sharing Support” and uncheck it.
- If possible, it is also recommended to turn off macros in Microsoft Office. Go to Trust Center Settings in your Microsoft Office document’s File menu > click Macro Settings > select “Disable all macros without notification”.
- Immediately install the MS17-010 patch from Microsoft, which resolves the SMB vulnerability.
- If you have no time to do so, you can simply disconnect your unpatched computers or servers (especially those with file sharing turned on) from the LAN or Wi-Fi until all of the above mitigation steps have been performed.
- While the computer or server is offline, it is also highly recommended to back up all important data to external storage.
- Update your anti-virus definitions and scan the whole system. Most enterprise anti-virus vendors have released an emergency update to detect the PETYA ransomware.
- If you’re running a virtual environment, always ensure that you have backups of all your virtual machines. Iperius Backup can be used to back up your VMware or Hyper-V virtual machines without disrupting operations, and it also has an automatic scheduled backup feature.
- There is a known way to make your system immune to the PETYA ransomware and its variants. Forbes reports that PETYA can be stopped by creating a read-only file named perfc inside the Windows directory (usually C:\Windows). According to the report, PETYA first searches for that file before running; if it finds the file, it assumes the computer has already been encrypted and skips its encryption routine.
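As an added example that is not part of the original article, the following PowerShell script reports the state of the SMBv1, port 445 and perfc mitigations above on one host and, when run with -Apply, carries them out. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later (SmbShare, DISM and NetSecurity modules present); the MS17-010 KB list is a placeholder you must fill from the Microsoft bulletin for your OS build.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Checks and applies the
# per-host mitigations described above: disable SMBv1, block inbound TCP 445,
# verify MS17-010, and create the read-only perfc kill-switch file.
param(
    # Placeholder: replace with the MS17-010 KB number(s) for your OS build.
    [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER_FOR_YOUR_OS_BUILD'),
    [switch]$Apply   # without -Apply the script only reports current state
)

function Get-Smb1State {
    # Server-side SMB1 setting; $true means SMBv1 is still enabled
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Kbs | Where-Object { $installed -contains $_ })
}

$perfc = Join-Path $env:windir 'perfc'

# 1. Report current state
"SMBv1 enabled          : $(Get-Smb1State)"
"MS17-010 KB installed  : $(Test-Ms17010Installed -Kbs $Ms17010Kbs)"
"perfc kill-switch file : $(Test-Path $perfc)"

if (-not $Apply) { return }

# 2. Disable SMBv1: both the running server setting and the optional feature
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 3. Temporarily block inbound TCP 445 on the host firewall (idempotent)
$ruleName = 'Block SMB 445 (PETYA mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

# 4. Create the read-only perfc file in the Windows directory
if (-not (Test-Path $perfc)) { New-Item -Path $perfc -ItemType File | Out-Null }
Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true
```

Disabling the SMB1 optional feature takes effect after a reboot; the script suppresses the restart so you can schedule it.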