Petya ransomware derived its name from GoldenEye, the 1995 James Bond film. It was first discovered in 2016 as a member of the encrypting ransomware family. Its primary targets are Microsoft Windows-based systems. It prevents Windows from booting by corrupting the master boot record and encrypts the file system of the victim's hard drive through the execution of a payload. After infecting a PC, it usually demands that the user pay the attacker in a cryptocurrency such as Bitcoin.

ABOUT RANSOMWARE

Ransomware goes beyond malicious software that holds a victim to ransom by blocking use of a computer until a payment is made; it is also a means of psychological torture, and the experience can be truly traumatizing. Unlike a kidnapping, where the ransom money can be negotiated downwards, the perpetrators of ransomware revise the ransom demanded at given intervals until they eventually destroy the encrypted files if they do not get what they asked for.

The bitter story of ransomware started about two years ago, with the Wannacry and Petya outbreaks as the major culprits. Others are the Locky variant, the Dridex banking Trojan and the Jaff variant (which hit about 5 million emails per hour). So far the Wannacry strain has been the biggest hit, but Petya follows very closely, striking its victims with more lethal tactics and deadly force. Some of the terrifying trends in ransomware in recent times are:

  • New variants and newer tactics constantly emerge.

  • Ransomware is now one of the biggest cyber-security challenges.

  • The Petya Ransomware strain has the capability to wipe out data irrecoverably, if not contained, as an upgrade from the Wannacry strain.

  • It is estimated that ransomware hits a company every 40 seconds.

  • An individual is attacked every 20 seconds.

  • Creating ransomware has never been easier than it is now.

  • No individual or industry is immune to ransomware attacks, which is why you have to get professional support.

While there are different kinds of ransomware, highlighted below are the facts about Petya ransomware: what you need to know about it and how you can keep yourself and your business safe from attacks.

PETYA RANSOMWARE

Even though the first wave of the Petya cyberattack was noticed in 2016, the level of infection since then has reached unprecedented amounts. One of the first cases reported was in Ukraine, where many private and public utility companies were attacked. Later the same day it spread to the United States and to European countries such as Italy, France, Germany, Poland and the United Kingdom. The 2017 attack was dubbed NotPetya, as it displayed sophistication far beyond the earlier versions discovered in 2016.

The major difference between the Petya malware and other ransomware is that it doesn't only encrypt your files, but also encrypts and overwrites the Master Boot Record (MBR) of your computer.

Facts about the Petya ransomware cyber-attack

  • Over 300,000 computers were affected, more than the 230,000 affected by Wannacry.

  • The whole network can be destroyed from a single point of entry.

  • The attack mostly affected systems that were not running the latest security patches and fixes released by Microsoft earlier in 2017, which were intended to stop the ransomware from spreading.

  • Decryption was impossible because the email provider had blocked the email address the malware creators provided. This meant that even paying the ransom was merely a waste of money.

  • The most effective ways to stay protected from the malware are upgrading your security setup, ensuring proper backups of your files and having ransomware detection in place. We will explain that next, but first let's consider how the Petya variant operates.

Operation Mode

The malware arrives as a DLL (Dynamic-Link Library), with its malicious actions in an exported function. When it is run, it first enables three token privileges: SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege.

  • SeTcbPrivilege allows a process to authenticate a user and then gain access to the same resources as that user. When a service requires this privilege, the service is configured to use the Local System account, which already holds the privilege, rather than creating a separate account and assigning the privilege to it.

  • SeDebugPrivilege allows the user to attach a debugger (a program that assists in detecting and correcting errors in other programs) to any process. It provides access to sensitive and critical operating system components. By default, it is assigned to administrators.

  • SeShutdownPrivilege allows the user to shut down the PC. By default it is assigned to administrators, backup operators and Power Users (users who use the advanced features of computer hardware, operating systems, programs or web sites).

It then checks the running processes by hashing each process name. A hash is a fixed-size fingerprint of a piece of data; in security systems it is commonly used to verify that transmitted messages have not been tampered with. The malware then checks whether the resulting value is one of the following and sets some flags accordingly:

  • 0x2e214b44 = avp.exe

  • 0x6403527e = ccSvcHst.exe

  • 0x651b3005 = NS.exe

After checking the running processes, it gets its own filename. This matters because it will use it later as a kill switch. It then checks its command line, and checks whether its flag for the adjusted token privileges is 2 in order to enable SeDebugPrivilege; if so, it shuts down the system. If the flag is not 2, it performs two other function calls. The first is Msub_CreateWindowsFile, which checks whether a file called pszPath exists (through PathFileExistsW). If it exists, the code branches to a call to ExitProcess, terminating the malware. This function is the kill switch; a kill switch is a security measure used to shut off a device in an emergency.
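The three privileges above are enabled together by the Petya DLL at start-up, which gives a defender something to hunt for. The following is an added example, not code from the original article: it reads Security event 4703 ("A user right was adjusted") and reports any process that enabled all three. It assumes the "Audit Token Right Adjusted" policy is enabled on the host and that the session is elevated enough to read the Security log; the 24-hour look-back window is an arbitrary choice.

```powershell
# Added hunting example, not from the original article. Looks for processes that enabled
# all three privileges the Petya DLL adjusts at start-up, using Security event 4703.
# Assumes "Audit Token Right Adjusted" is enabled and the session can read the Security log.
$PetyaPrivileges = @('SeShutdownPrivilege', 'SeDebugPrivilege', 'SeTcbPrivilege')
$Since = (Get-Date).AddHours(-24)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $Since } -ErrorAction SilentlyContinue

# Collect, per process (PID + image path), every privilege it enabled within the window.
$byProcess = @{}
foreach ($entry in $events) {
    $fields = @{}
    foreach ($d in ([xml]$entry.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $key = '{0}|{1}' -f $fields['ProcessId'], $fields['ProcessName']
    if (-not $byProcess.ContainsKey($key)) { $byProcess[$key] = @{} }
    # EnabledPrivilegeList is whitespace-separated; "-" means nothing was enabled.
    foreach ($priv in ($fields['EnabledPrivilegeList'] -split '\s+')) {
        if ($priv -and $priv -ne '-') { $byProcess[$key][$priv] = $true }
    }
}

# Report only processes holding the full set: SeShutdown and SeDebug alone are common
# for legitimate administrative tools, but SeTcb together with both of them is not.
foreach ($key in $byProcess.Keys) {
    $held = @($PetyaPrivileges | Where-Object { $byProcess[$key].ContainsKey($_) })
    if ($held.Count -eq $PetyaPrivileges.Count) {
        $processId, $image = $key -split '\|', 2
        Write-Warning ('Petya-like privilege set enabled by PID {0} ({1})' -f $processId, $image)
    }
}
```

Event 4703 is only written on Windows 10 / Server 2016 and later, and only when that audit subcategory is on; a hit from an image path outside the usual system and security-tool directories is the one worth investigating first.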

Basic Precautions to take against Petya Malware Attack

It is important to have some basic understanding of what to do when a Petya attack occurs, or to have a professional handle the situation. If you ever experience such problems, one of the best decisions you can make is to contact Xieles Support. At Xieles Support, we have a track record of patching network vulnerabilities and tackling malware and the problems it causes. If you ever experience a Petya attack, contact Xieles Support today.

It is important to understand that if you experience a Petya attack there are steps you can take. Although these steps are not ultimate solutions to the problem of vulnerability to ransomware attacks, they are remedial actions you can take:

  • Take care when opening email attachments or clicking on hyperlinks you are unsure of; make sure you know the source of the link and that it is safe before clicking on it.

  • Ensure your systems are patched and that your antivirus software is updated. Unregistered antivirus programs are not safe to use.

  • To limit lateral movement within a network, block UDP ports 135, 137 and 138. Also block SMB ports 139 and 445 from external hosts; this reduces the attack surface. Note that this might require technical support.

  • Disabling PsExec and WMIC administrative tools can limit the spread of the Petya malware throughout the network.

  • Ensure you back up your critical data, and do so frequently.

  • Isolate and segment your critical data from the rest of the network. Ensure no single account can execute commands on all systems within the network.
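The port and tool restrictions in the list above can be applied with the built-in Windows firewall. The following is an added example, not part of the original article: it blocks the listed UDP and SMB ports from external hosts, narrows the built-in file-sharing allow rules to the local subnet, closes inbound WMI, and prints what now applies to those ports. It assumes Windows 8 / Server 2012 or later with the NetSecurity module and an elevated session; the rule names and group name are arbitrary.

```powershell
# Added hardening example, not from the original article. Assumes an elevated PowerShell
# session on Windows 8 / Server 2012 or later (NetSecurity module). Review before rollout by GPO.
$Group = 'Ransomware lateral-movement block'   # arbitrary group name, assumed

# 1. Explicit inbound block rules for the ports the article lists. 'Internet' is the
#    firewall's built-in address keyword for hosts outside the local subnet / intranet;
#    replace it with explicit ranges if your network classification is unreliable.
$blocks = @(
    @{ Name = 'Block NetBIOS/RPC UDP 135,137,138 from external hosts'; Protocol = 'UDP'; Ports = 135, 137, 138 },
    @{ Name = 'Block SMB TCP 139,445 from external hosts';             Protocol = 'TCP'; Ports = 139, 445 }
)
foreach ($b in $blocks) {
    if (Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue) { continue }   # idempotent
    New-NetFirewallRule -DisplayName $b.Name -Group $Group -Direction Inbound -Action Block `
        -Protocol $b.Protocol -LocalPort $b.Ports -RemoteAddress Internet -Profile Any | Out-Null
}

# 2. Narrow the built-in SMB/NetBIOS allow rules to the local subnet, so file sharing keeps
#    working for neighbouring hosts but is never reachable from anywhere else.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress LocalSubnet

# 3. Close inbound WMI (DCOM on TCP 135), one of the remote-execution paths the article
#    recommends disabling. Skip this on hosts that are legitimately managed over WMI.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Disable-NetFirewallRule

# 4. Show every enabled inbound rule touching the listed ports, for the change record.
Get-NetFirewallPortFilter |
    Where-Object { @($_.LocalPort) -match '^(135|137|138|139|445)$' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, Profile | Format-Table -AutoSize
```

Block rules win over allow rules in the Windows firewall, so step 1 holds even if a later allow rule is added for the same port; step 2 is what keeps local file sharing usable.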

FIVE WAYS WE CAN PROTECT YOU

As an IT solutions firm with technical capabilities in computer systems security, Xieles Support will help you resolve any malware problem. If you experience any form of malware attack, contact us and we'll help you solve it.

Below are the key areas in which we can help you against Petya malware and other ransomware:

Mitigation Measure

As stated earlier, antivirus software is only a first-aid precaution; it may fail to detect an encrypting ransomware payload. This is especially true when a new version of the ransomware (like the Petya variant) has been unleashed and your antivirus program has not yet been updated to recognize the threat it poses. In that case the encryption may already be underway, or even complete, before the antivirus system can act.

We advise all our clients on, and help them create and update, the necessary offline backups, so that the malware cannot reach those files and recovery is straightforward. We also help our clients update their security software to the current version, which is capable of stopping the ransomware from propagating across the network. While you focus on your primary duties at work, we focus on your computer security needs and make sure we notify you in time of the latest updates available for your security software.

Infection Control

Aside from prevention measures against malware, we help our clients during a malware attack by quickly containing it before it spills over to the other systems in your network. This control covers protection at the initial stages and regular monitoring of your computer systems for early detection of any red flags. Early detection ensures the necessary actions are taken immediately, before any real damage is done. Under infection control, we promptly investigate any suspected breach and quarantine the affected system from the rest of the network once it has been confirmed to be compromised.

Recovery from Disaster

In a situation where a Petya cyber-attack could not be prevented, the next headache is how to recover critical data and files. Our disaster recovery service at Xieles Support entails restoring the vital technology infrastructure that supports your critical business activities. This service ensures your business continues to run while the disaster is managed.

Often, the aim of malware creators is not only that you lose your critical data files, but that your business is crippled and eventually grinds to a halt. For disaster recovery to be effective, a disaster recovery plan must have been put in place beforehand.

The amount invested in such control measures is nothing compared to what your business stands to lose if all your critical data were to be wiped out irrecoverably. Available records show that about 43% of businesses that lose critical data never operate again, while about 29% eventually fold up within two years of resuming business.

Contingency Measures

A contingency plan is the plan put in place to manage a possible disaster when there is no certainty about when it will occur. The Wannacry and Petya ransomware both took everyone by surprise when they occurred. There were hardly any warning signs, and even though experts might have considered the possibility of them happening, no one could have said exactly when.

At Xieles Support, as professionals in systems and network security with a wealth of experience, we ensure our clients are well protected against attacks that not only cause damage but also soak up resources and waste time. We are prepared for any such emergency and we know the right thing to do during a malware outbreak. One contingency measure we employ is the enabling of an incident response platform. This platform is designed to enable your team to respond quickly to malware attacks like Petya. With a set of sequential actions specific to ransomware attacks, your team will be trained to detect and analyze such attacks faster. They will also be provided with a set of containment actions, such as blocking communication over the affected ports, isolating the infected system, disconnecting shared drives, and other such measures.

CONCLUSION

Just as with every wave of crime, even outside the IT world, there are security measures that can give us some degree of safety if we adhere to them strictly. There is no assurance that ransomware attacks will cease any time soon; in fact, they may only get more sophisticated and catastrophic. The safest way to keep your computer systems and business safe is to always be prepared to counter the malware before it attacks and, even when it does get in, to be adequately armed to defeat it without losing your money or valuable information.

Xieles Support is your reliable partner in IT security and other system solutions. We don't want you to merely take our word for it; we would rather you gave us the chance to prove our worth. Get in touch to get help against malware attacks: contact Xieles Support today!