A new and major ransomware attack has spread throughout the US and Europe.
The ‘Petya’ ransomware has caused serious disruption at large firms with infected computers displaying a message demanding a Bitcoin ransom worth $300.
Here’s some expert advice about the best course of action to take to protect your systems:
Becky Pinkard, Vice President, Service Delivery and Intelligence Operations, Digital Shadows:
Digital Shadows is warning businesses impacted by the latest ransomware attack Petya not to pay the $300 bitcoin fee as Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems. It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.
Petya first appeared this morning and has been spreading around the world, mainly infecting businesses and government agencies and departments in the Ukraine and Russia, but there have been increasing reports of businesses in other countries also being compromised, with reports filtering in from the US, UK, Germany, Switzerland and Holland, as some examples. The malware itself appears to be a straightforward ransomware program. Once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted. The program then instructs the user to pay the $300 ransom to a static bitcoin address, then email the bitcoin wallet and personal ID to the email address, which is now blocked.
There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilises the #ETERNALBLUE SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up.
Harish Chib, Vice President, Sophos Middle East & Africa:
Sophos is responding to a new variant of the Petya ransomware family that has affected organisations across Europe. Petya was first discovered in 2016 – it is ransomware that encrypts MFT (Master File Tree) tables and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. This new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected.
Sophos customers with Sophos Endpoint Protection products are protected against this new variant. Sophos Intercept X customers were proactively protected with no data encrypted, from the moment this new ransomware variant appeared.
Here’s what we urge users to do right now:
- Ensure systems have the latest patches, including the one in Microsoft MS17-010 bulletin
- Consider blocking the Microsoft PsExec tool from running on users’ computers. You can block it using a product such as Sophos Endpoint Protection. A version of this tool is used as part of another technique used by the Petya variant to spread automatically
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands
- Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job
- Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorised encryption of files and sectors on your hard disk
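The PsExec point in the list above can be turned into a detection as well as a block. What follows is an added example, not code from Sophos or from this article: it scans Windows System-log records for event ID 7045 (a service was installed), which a PsExec-style remote execution leaves on the target, and flags installs that use PsExec's default service name PSEXESVC or a binary of that name under a renamed service. The log lines, host names, paths and the text field layout are constructed for the example; real events arrive as EVTX/XML and would need to be exported into a similar shape first.

```python
"""Flag PsExec-style remote service installs in Windows System-log records.

Added example (not the article's or any vendor's code). Windows records a
service installation as event ID 7045 from the Service Control Manager, and
PsExec creates a service named PSEXESVC on the remote host by default. The
text format below is a constructed export, not a real log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PSEXEC_SERVICE = "PSEXESVC"

# Constructed sample records, one event per line (hosts and paths are invented).
SAMPLE_LOG = """\
2017-06-27 10:02:11 host=FS01 id=7045 service_name=PSEXESVC file=%SystemRoot%\\PSEXESVC.exe account=LocalSystem
2017-06-27 10:02:15 host=FS01 id=7045 service_name=Spooler file=C:\\Windows\\System32\\spoolsv.exe account=LocalSystem
2017-06-27 10:03:40 host=WS17 id=7045 service_name=Updater file=C:\\Windows\\svc\\psexesvc.exe account=LocalSystem
2017-06-27 10:04:02 host=WS17 id=4624 logon_type=3 user=admin
2017-06-27 10:05:00 host=WS22 id=7045 service_name=MyBackup file=C:\\Program Files\\Backup\\agent.exe account=LocalSystem
"""

# Parses the constructed "key=value" layout; the service fields are optional
# because non-7045 events (logons etc.) do not carry them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) id=(?P<id>\d+)"
    r"(?: service_name=(?P<svc>\S+) file=(?P<file>.+?) account=(?P<acct>\S+))?"
)


@dataclass
class Alert:
    ts: str
    host: str
    service: str
    file: str
    reason: str


def classify(service: str, file: str) -> Optional[str]:
    """Return why a service install looks like PsExec, or None if it looks benign."""
    if service.upper() == DEFAULT_PSEXEC_SERVICE:
        return "default PsExec service name"
    if "psexesvc" in file.lower():
        return "PsExec binary under a renamed service"
    return None


def find_psexec_installs(log_text: str) -> List[Alert]:
    """Scan exported records and return one Alert per suspicious 7045 event."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") != "7045" or not m.group("svc"):
            continue  # not a service-install event
        reason = classify(m.group("svc"), m.group("file"))
        if reason:
            alerts.append(Alert(m.group("ts"), m.group("host"),
                                m.group("svc"), m.group("file"), reason))
    return alerts


if __name__ == "__main__":
    for a in find_psexec_installs(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: service {a.service!r} ({a.file}) -> {a.reason}")
```

Run directly it reports the two hits in the sample (the default-named install on FS01 and the renamed one on WS17) and ignores the print spooler, the backup agent and the unrelated logon event. In production the same rule sits beside an allow-list of services your own tooling installs legitimately, and a hit is corroborated with the matching network logon on the same host.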
Steven Malone, Director of Security Product Management at Mimecast:
The rapid pace of this new Petya ransomware attack points at another worm that can spread from computer to computer by itself. Many commentators think WannaCry came from hackers in Russia, perhaps as an experiment that escaped early. Therefore it’s not too surprising that Ukraine’s critical national infrastructure has been crippled today while other firms in Europe may have been hit in the crossfire.
As with the early stages of the WannaCry outbreak, the bitcoin wallet associated with this ransomware is not seeing high volumes of payments. Six people globally have currently paid the ransom, suggesting this won’t be a financially successful attack.
A cyber resilience strategy that acknowledges that attacks are likely to continue and will sometimes be successful is required. Defence-in-depth security and continuity plans are needed to keep critical services running every time they are attacked.
Ransomware protection advice
This new outbreak once again highlights the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged.
Mimecast advises organisations never to succumb to the pressure to pay the ransom to regain access to their applications and data. There is no guarantee this will unlock files and further motivates and finances attackers to expand their ransomware campaigns.
Email has traditionally been the primary attack route for ransomware. Attackers often send Microsoft Office documents with malicious macros that download and install malware. This includes Word, Excel, PowerPoint and also PDFs. Clever social engineering will trick employees into enabling the macros and delivering the ransomware payload.
Data backups and business continuity
Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and as this attack highlights, there are many ways for an infection to enter an organisation.
It’s vital you regularly backup critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your backup window is long enough to go back before any infection begins.
Backup and recovery measures only work after an attack, and cost organisations in downtime and IT resources dealing with the attack and aftermath. You must be able to continue to operate during the infection period and recover quickly once the infection has been removed.
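Since the Mimecast commentary singles out macro-laden Office documents and PDFs as the usual delivery route, here is an added example, not Mimecast's product logic or code from this article, of the kind of content-based check a mail gateway can apply before an attachment reaches a user. It relies on three facts: OOXML documents (.docx/.docm/.xlsm/.pptm) are ZIP containers that keep macros in a part named vbaProject.bin; legacy binary .doc/.xls files begin with the OLE2 signature and need a full OLE parser (not shown) to confirm macros, so they are held for review; and PDF scripting shows up as /JavaScript or /JS name keys, which is a substring heuristic that encoded object streams can evade. The attachments, file names and the quarantine policy are constructed for the example.

```python
"""Classify e-mail attachments by content, not extension, before delivery.

Added example (not Mimecast's or the article's code). Office OOXML files are
ZIP archives whose macros live in a vbaProject.bin part; legacy .doc/.xls
files start with the OLE2 magic; PDF scripting appears as /JavaScript or /JS.
All sample attachments below are constructed in memory.
"""
import io
import zipfile
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped ZIP (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro part
    return buf.getvalue()


# Constructed mailbox: names are invented; note the .docx that actually carries macros.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "quarterly_report.docx": make_ooxml(with_macro=False),
    "invoice.docm": make_ooxml(with_macro=True),
    "invoice_copy.docx": make_ooxml(with_macro=True),   # macro hidden behind a benign extension
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 24,            # legacy binary container
    "brochure.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert('hi')) >> >> endobj",
    "notes.txt": b"plain text",
}


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-binary', 'pdf-javascript', 'clean' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"          # may hold VBA; confirm with an OLE parser
    if data.startswith(b"%PDF"):
        # Heuristic only: scripts inside compressed object streams are not visible here.
        return "pdf-javascript" if (b"/JavaScript" in data or b"/JS" in data) else "clean"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
        return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "clean"
    return "unknown"


def should_quarantine(data: bytes) -> bool:
    """Constructed gateway policy: hold anything that can carry active content."""
    return classify_attachment(data) in {"macro", "legacy-binary", "pdf-javascript"}


def held_attachments(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments the policy holds for review, sorted for stable output."""
    return sorted(name for name, data in attachments.items() if should_quarantine(data))


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:24s} {classify_attachment(data):16s} hold={should_quarantine(data)}")
```

The point of inspecting the container rather than trusting the extension is the invoice_copy.docx case: the file name suggests a macro-free document, yet the ZIP holds a vbaProject.bin part, so it is held alongside the .docm, the legacy .doc and the scripted PDF while the plain report and the text file pass.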