Petya ransomware derived its name from the 1995 James Bond film GoldenEye. It was first discovered in 2016 as a member of the encrypting ransomware family. Its primary targets are Microsoft Windows-based systems. It prevents Windows from booting by corrupting the master boot record and encrypts the file system of the victim's hard drive through the execution of a payload. After infecting a PC, it usually demands that the user pay the attacker in a cryptocurrency such as Bitcoin.
ABOUT RANSOMWARE
Ransomware goes beyond merely being malicious software that holds a victim to ransom by blocking use of a computer until a payment is made; it is also a means of psychological torture, and the experience can be genuinely traumatizing. Unlike a kidnapping, where the ransom might be negotiated downwards, the perpetrators of ransomware revise the ransom demanded at set intervals until they eventually destroy the encrypted files if they do not get what they asked for.
The bitter story of ransomware started about two years ago, with the WannaCry and Petya outbreaks being the major culprits. Others are the Locky variant, the Dridex banking Trojan and the Jaff variant (which hit about 5 million emails per hour). So far the WannaCry strain has been the biggest hit, but Petya follows very closely, striking its victims with more lethal tactics and deadly force. Some of the terrifying trends about ransomware in recent times are:
While there are different kinds of ransomware, highlighted below are the facts about Petya ransomware that you need to know, and how you can keep yourself and your business safe from attack.
PETYA RANSOMWARE
Even though the first wave of the Petya cyberattack was noticed in 2016, the level of infection since then has reached unprecedented amounts. One of the first cases reported was from Ukraine, where many private and public utility companies were attacked. Later the same day it spread to the United States and to European countries such as Italy, France, Germany, Poland and the United Kingdom. The 2017 attack was dubbed NotPetya, as it displayed a sophistication superior to the earlier versions discovered in 2016.
The major difference between the Petya malware and other ransomware is that it doesn't only encrypt your files, but also encrypts and overwrites the Master Boot Record of your computer system.
Facts about the Petya ransomware cyber-attack
Operation Mode
The malware arrives as a DLL (Dynamic-Link Library), with its malicious actions found in the exported function. When it is run, it first enables three token privileges: SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege.
After that, it checks the running processes by computing a hash of each process name. Hashing is used in security systems to verify that transmitted messages have not been tampered with; it is a one-way transformation rather than a reversible encryption and decryption method, which is why the malware can compare hashes without carrying the process names it is looking for in clear text. It then checks whether the resulting value is one of the following and sets some flags accordingly:
After checking the running processes, it gets its own filename. This is important because it will use it later as a kill switch. It then checks its command line, and checks whether its flag for the adjusted token privileges is 2: if so, it enables SeDebugPrivilege and shuts down the system. If it is not 2, it performs two other function calls. The first is Msub_CreateWindowsFile, which checks whether the file at the path pszPath exists (through PathFileExistsW). If it exists, the code branches into a call to ExitProcess, thereby terminating the malware. This function is called a kill switch. A kill switch is a security measure used to shut off a device in an emergency.
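The three privileges named above give a defender something concrete to watch for. As an added example (not from the original article or from Xieles Support), the following Python script reads constructed log lines modelled on Windows Security event 4703 ("A token right was adjusted") and flags any process that has enabled all three of SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege; the line format and the process names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Windows Security event 4703
# ("A token right was adjusted"). The key=value layout is an assumption
# made for this example; real log exports are formatted differently.
SAMPLE_EVENTS = """\
EventID=4703 ProcessName=C:\\Windows\\System32\\svchost.exe EnabledPrivilegeList=SeShutdownPrivilege
EventID=4703 ProcessName=C:\\Windows\\rundll32.exe EnabledPrivilegeList=SeShutdownPrivilege,SeDebugPrivilege
EventID=4703 ProcessName=C:\\Tools\\debugger.exe EnabledPrivilegeList=SeDebugPrivilege
EventID=4703 ProcessName=C:\\Windows\\rundll32.exe EnabledPrivilegeList=SeTcbPrivilege
EventID=4688 ProcessName=C:\\Windows\\notepad.exe
"""

# The three token privileges the article says the Petya DLL enables first.
PETYA_PRIVILEGES = frozenset({"SeShutdownPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"})

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+ProcessName=(?P<proc>\S+)"
    r"(?:\s+EnabledPrivilegeList=(?P<privs>\S+))?"
)

def parse_events(text):
    """Yield (event_id, process_path, set_of_enabled_privileges) per parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        privs = set(m.group("privs").split(",")) if m.group("privs") else set()
        yield int(m.group("id")), m.group("proc"), privs

def find_suspicious_processes(text, required=PETYA_PRIVILEGES):
    """Return processes whose accumulated 4703 events cover every privilege in `required`.

    Privileges are accumulated per process because a sample may enable them in
    separate AdjustTokenPrivileges calls, each of which produces its own event.
    """
    seen = defaultdict(set)
    for event_id, proc, privs in parse_events(text):
        if event_id == 4703:
            seen[proc] |= privs
    return sorted(proc for proc, privs in seen.items() if required <= privs)

if __name__ == "__main__":
    for proc in find_suspicious_processes(SAMPLE_EVENTS):
        print("review:", proc)
```

A single 4703 event is noise on a busy host; the combination of all three privileges in one process is the signal worth alerting on.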
Basic Precautions to take against Petya Malware Attack
It is important to have some basic understanding of what to do when a Petya attack occurs, or to have a professional handle the situation. If you ever experience such a problem, one of the best decisions you can make is to contact Xieles Support. At Xieles Support, we have a track record of patching network vulnerabilities and tackling malware and the problems it causes. If you ever experience a Petya attack, contact Xieles Support today.
It is important to understand that if you experience a Petya attack there are steps you can take; these steps are not ultimate solutions to the problem of vulnerability to ransomware attack, but they are remedial actions you can take.
FIVE WAYS WE CAN PROTECT YOU
As an IT solutions firm with technical capabilities in computer systems security, Xieles Support will help you resolve any malware problem. If you experience any form of malware attack, contact us and we'll help you solve it.
Below are the key areas in which we can help you against Petya malware and other ransomware:
Mitigation Measure
As earlier stated, antivirus software might be a first-aid precaution, but it may fail to detect an encrypting ransomware payload. This is especially so when a new version of the ransomware (like the Petya variant) has just been unleashed and your antivirus program has not yet been updated to recognize the threat it poses. In that case, encryption may already be underway or even completed before the antivirus system can take action.
We advise all our clients on, and help them with, creating and updating the necessary backups offline, so that the malware cannot reach those files and recovery is straightforward. We also help our clients update their security software to the current version, which is capable of holding off the ransomware from propagating itself across the network. As you focus on your primary duties at work, we focus on your computer security needs and ensure we notify you in time about the latest updates available for your security software.
Infection Control
Aside from preventive measures against malware, we help our clients during a malware attack by quickly containing it before it spills over to the other systems in your network. This control covers protection at the initial stages and regular monitoring of your computer systems for early detection of any red flags. Early detection ensures that the necessary actions are taken immediately, before any real damage is done. Under infection control, we ensure prompt investigation of any suspected breach and quickly quarantine the affected system from the others in the network once it has been confirmed to be compromised.
Recovery from Disaster
In a situation where a Petya cyber-attack could not be prevented, the next headache is how to recover critical data and files. Our disaster recovery service at Xieles Support gets the vital technology infrastructure that supports your critical business activities back up and running. This service ensures your business continues to run while the disaster is managed.
Oftentimes, the aim of malware creators is not only that you lose your critical data files, but also that your business is crippled and eventually grinds to a halt. For disaster recovery to be effective, a disaster recovery plan should have been put in place beforehand.
The amount invested in such control measures is nothing compared to what your business stands to lose if all your critical data were to be wiped out irrecoverably. Available records show that about 43% of businesses that lose critical data never operate again, while about 29% eventually fold up within two years of resuming business.
Contingency Measures
A contingency basically refers to the plan put in place to manage a possible disaster with no definite certainty about when it will occur. The WannaCry and Petya ransomware both took everyone by surprise when they occurred. There were hardly any warning signs, and even though experts might have considered the possibility of such attacks, no one could have stated exactly when they would happen.
At Xieles Support, as professionals in systems and network security with a wealth of experience, we ensure our clients are well protected against these attacks, which not only cause damage but also mop up resources and waste time. We are prepared if any such emergency occurs and we know the right thing to do during a malware outbreak. One contingency measure we employ is enabling an incident response platform. This platform is designed to enable your team to respond quickly to malware attacks like Petya. With a set of sequential actions specific to ransomware attacks, your team will be trained on how to detect and analyze such attacks faster. They will also be provided with a set of containment actions, such as blocking communication over the relevant port, isolating the infected system, disconnecting shared drives, and other such actions.
CONCLUSION
Just as with every wave of crime, even outside the IT world, there are security measures that can guarantee some degree of safety if we adhere strictly to them. There is no assurance that ransomware attacks will cease any time soon; in fact, they may become more sophisticated and catastrophic. The safest way to ensure that your computer systems and business are safe is to be always prepared to counter the malware before it attacks, so that even when it does get in, you are adequately armed to defeat it without losing your money or valuable information.
Xieles Support is your reliable partner in IT security and other system solutions. We don't want you to merely take our word for it; we would rather you gave us the chance to prove our worth. Get in touch for help against malware attacks: contact Xieles Support today!