What you need to know about Petya Ransomware


Big businesses have been attacked by the Petya ransomware lately, which is worth knowing about so you can protect yourself when such attacks come. The malicious software has spread through a number of firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.

The ransom demanded by Petya is typically USD300, and the demand appears on your screen. Once you see this figure, assume your system has been infected.

What is ransomware?

Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it.

How it works

When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don’t have a recent back-up of the files they must either pay the ransom or face losing all of their files.

How does the “Petya” ransomware work?

The ransomware takes over computers and demands a ransom of USD300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across an organization, using either the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or two Windows administrative tools. The malware tries one option and, if it doesn’t work, tries the next one. “It has a better mechanism for spreading itself than WannaCry,” said Ryan Kalember, of cybersecurity company Proofpoint.

However, Microsoft has published guidance for both home users and office or professional users:

Details for home users against petya ransomware

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

• Visiting unsafe, suspicious, or fake websites.

• Opening emails and email attachments from people you don’t know, or that you weren’t expecting.

• Clicking on malicious or bad links in emails, in Facebook, Twitter and other social media posts, or in instant messenger chats such as Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:

• Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.

• If you’re ever unsure – don’t click it!

• Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
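The spelling and spacing tells in the last bullet can be checked mechanically. The following is an added example, not code from the original post or from Microsoft: it flags tokens in a sender name or subject line that are a near-misspelling of a known brand (“PayePal”) or a brand fused with extra text (“iTunesCustomer”). The brand list and the sample strings are constructed for illustration.

```python
"""Flag look-alike brand names in e-mail sender fields or subjects.

Added example; the brand list below is a constructed placeholder that a
mail gateway would replace with the brands it actually wants to protect.
"""
import re

KNOWN_BRANDS = ["paypal", "itunes", "microsoft", "maersk"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious_tokens(text: str, brands=KNOWN_BRANDS, max_dist=2):
    """Return (token, brand, reason) for tokens that resemble a brand
    without matching it exactly.

    Two tells from the post are covered: a brand name with letters
    changed, dropped or added ("PayePal"), and a brand name run together
    with other words ("iTunesCustomer"). An exact brand match is fine.
    """
    findings = []
    for token in re.findall(r"[A-Za-z0-9]+", text):
        low = token.lower()
        if len(low) < 4:            # very short words give false positives
            continue
        for brand in brands:
            if low == brand:
                continue
            if brand in low:
                findings.append((token, brand, "brand fused with extra text"))
            elif 0 < levenshtein(low, brand) <= max_dist:
                findings.append((token, brand, "near-misspelling of brand"))
    return findings


if __name__ == "__main__":
    # Constructed sample subject / display-name strings, not real mail.
    for sample in ["Your PayePal account", "iTunesCustomer Service",
                   "PayPal Customer Service"]:
        print(sample, "->", suspicious_tokens(sample) or "no look-alike found")
```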

Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can back up your files to help protect yourself from ransomware.


Details for enterprises and IT professionals against petya ransomware

The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).

The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.

Due to the encryption of the files, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers will have access to.

The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, un-connected backup or storage facility. OneDrive for Business can assist in backing up everyday files.

In some cases, third-party tools released by security firms are able to decrypt files for some specific ransomware families. See our blog post “FireEye and Fox-IT tool can help recover Crilock-encrypted files” for an example. Tim Rains, Microsoft Director of Security, published the blog post “Ransomware: Understanding the risk” in April 2016, which summarizes the state of ransomware and provides statistics, details, and preventative suggestions for enterprises and IT professionals. Our Threat Intelligence Report on ransomware also includes suggestions on prevention and recovery, statistics, and details.

Who’s behind Petya?

It’s not certain who created and released Petya, but a lot of circumstantial evidence points to “patriotic” Russian hackers. Petya tries to render computers completely unusable, doesn’t make it easy to pay the ransom or contact the ransom collectors, and takes sophisticated steps to evade detection by antivirus software. Because of this, some security researchers think the Petya worm’s real aim is not to make money but to disrupt the Ukrainian economy. Ukraine is fighting Russian-sponsored rebels in its eastern provinces, a few Ukrainian defense officials have been killed by car bombs in the past weeks, and the Petya worm shut down countless Ukrainian businesses on the day before a Ukrainian national holiday.
