RSM India

Petya/Petwrap Ransomware Attack - Newsflash

Newsflash: ‘Petya/Petwrap’ Ransomware Attack

We are pleased to release our newsflash on the ongoing ransomware attack and how it can be stopped. In the newsflash we would like to mention certain steps to prevent such attacks in your organization. The malicious software behind the major cyber attack is known as ‘Petya/Petwrap’ ransomware.

Following are the synopsis of what you need to know about ‘Petya/Petwrap’, the malicious software behind the ongoing hacking attack

Which Systems are Affected?

The malicious software targets Microsoft’s Windows Operating Systems

How it works?

The Petya ransomware takes over computers and demands $300, paid in Bitcoin. The malicious software spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and if it doesn’t work, it tries the next one. “It has a better mechanism for spreading itself than WannaCry”

What should you do if you are affected by the ransomware?

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try and rescue the files from the machine.

If the system reboots with the ransom note, don’t pay the ransom – the “customer service” email address has been shut down so there’s no way to get the decryption key to unlock your files anyway. Disconnect your PC from the internet, reformat the hard drive and reinstall your files from a backup. Back up your files regularly and keep your anti-virus software up to date.

Additional technical recommendation for prevention:

Remediation in all cases is to prevent reboot after bluescreen, thereby preventing stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft software are exposed to SMB vulnerability attacks, as well as other variants and tools that employ the same vulnerability:

  • Microsoft Windows Vista SP2

  • Microsoft Windows Server 2008 SP2 and R2 SP1

  • Microsoft Windows 7

  • Microsoft Windows 8.1

  • Microsoft Windows RT 8.1

  • Microsoft Windows Server 2012 și R2

  • Microsoft Windows 10

  • Microsoft Windows Server 2016

  • Microsoft Windows XP

  • Microsoft Windows Server 2003

MS17-010 is the Microsoft security bulletin number the SMB Server patches that need to be applied. They include:

  • KB4012598

  • KB4012215

  • KB4012212

Petya leverages CVE-2017-0199 and the following needs to be applied.

  • KB4015546

  • KB4015549

If patching is not possible at this time, tighten SMB security and close port 445. Implement Endpoint Controls to Protect the Windows AppData Folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLL and executable access from being copied to or accessed from this folder contains many common ransomware variants.

User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.

For any queries or assistance, you may also get in touch with us through anup.nair@rsmindia.in

How can we help you?

Contact us by phone +91 22 6108 5555 or submit your questions, comments, or proposal requests.

Email us