This ransomware, like other malware of its type, uses encryption to hijack devices, promising to reverse the process on payment of a ransom.
As of the time of writing, global security research efforts are still ongoing into the Petya ransomware, but some facts and security defences can be recommended.
Organisations and individuals can minimise exposure to Petya, and limit its spread, with a few measures:
Applying the Microsoft patch MS17-010 must be a priority. Cybercriminals on closed-door crime forums are claiming to have produced new financially motivated ransomware that leverages the same SMBv1 vulnerability, the one fixed by MS17-010 and exploited by EternalBlue, as Petya and WannaCry.
Victims infected by the first Petya ransomware variant should not pay the requested $300 ransom.
The attacker's email account has been disabled, meaning decryption keys can no longer be issued to victims who have paid, so any ransom sent now will simply be lost.
New variants may appear with a functional ransom payment channel, but even then there is no guarantee that the criminals will supply a working decryption key after payment.
The Federal Government's Australian Cyber Security Centre is monitoring the Petya outbreak and working with international counterparts. Large organisations affected by Petya should contact the Centre, while small organisations are advised to contact the Australian Cybercrime Online Reporting Network.
Petya was initially so named because it was first thought to be a variant of the original Petya, which surfaced last year, but technical analysis shows this is not the case. Some security researchers now refer to this ransomware as NotPetya.
The ransomware spreads using some of the same techniques as last month's WannaCry outbreak, but it differs enough that it should not be considered WannaCry 2.0.
It spreads through unpatched SMB servers using the EternalBlue exploit, and the related EternalRomance exploit against Windows XP machines. Both exploits target the SMBv1 flaw fixed by MS17-010, so hosts that do not need SMBv1 should have the protocol disabled as well as being patched.
Once it lands on a machine inside a network, it can spread even to machines already patched against MS17-010 by stealing the credentials of logged-in users and reusing them with PsExec and WMI to execute itself remotely.
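Because this second path works on fully patched hosts, the control is detection rather than patching: remote execution through PsExec (which installs a service named PSEXESVC on the target, logged by the Service Control Manager as event 7045) and through `wmic /node:... process call create` leaves process-creation and service-install records. The script below is an added example for this article, not code from the article or from any vendor it mentions. It runs three rules over a constructed set of simplified Windows event records (the hostnames, account names, `stage.exe` path and field names are invented for the example): flag PSEXESVC installs, flag PsExec and WMIC remote process creation with the target extracted, and flag any one account whose stolen credentials are being fanned out to several hosts.

```python
import re
from collections import defaultdict

# Constructed sample events (Security 4688 process creation and System 7045
# service install, reduced to a few fields). Not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 4688, "user": "CORP\\alice",
     "cmdline": 'wmic.exe /node:"WS-07" /user:"CORP\\alice" /password:"x" process call create "C:\\Windows\\stage.exe"'},
    {"host": "WS-01", "event_id": 4688, "user": "CORP\\alice",
     "cmdline": 'wmic.exe /node:"WS-08" /user:"CORP\\alice" /password:"x" process call create "C:\\Windows\\stage.exe"'},
    {"host": "WS-01", "event_id": 4688, "user": "CORP\\alice",
     "cmdline": 'C:\\Temp\\psexec.exe \\\\WS-09 -accepteula -s -d C:\\Windows\\stage.exe'},
    {"host": "WS-09", "event_id": 7045, "user": "CORP\\alice",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS-02", "event_id": 4688, "user": "CORP\\bob",
     "cmdline": "wmic.exe os get caption"},                  # local WMIC query: benign
    {"host": "WS-02", "event_id": 4688, "user": "CORP\\bob",
     "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    {"host": "WS-03", "event_id": 4688, "user": "CORP\\carol",
     "cmdline": 'psexec.exe \\\\FS-01 cmd.exe'},             # single admin hop: flagged, no fan-out
]

# wmic ... /node:<target> ... process call create   (remote process creation via WMI)
WMIC_REMOTE = re.compile(r'wmic(?:\.exe)?\s.*?/node:"?([^"\s]+)"?.*?process\s+call\s+create', re.I)
# psexec[64][.exe] \\<target> ...                     (remote execution via PsExec)
PSEXEC_CMD = re.compile(r'psexec(?:64)?(?:\.exe)?\s+\\\\([^\s\\]+)', re.I)


def detect_lateral_movement(events, fanout_threshold=3):
    """Return a list of alerts; each is a dict with rule, host (where logged), user and target."""
    alerts = []
    targets_by_user = defaultdict(set)   # accounts -> distinct hosts they pushed execution to
    for ev in events:
        user = ev.get("user", "?")
        if ev.get("event_id") == 7045:
            svc = (ev.get("service_name", "") + ev.get("image_path", "")).upper()
            if "PSEXESVC" in svc:
                alerts.append({"rule": "psexec-service-installed", "host": ev["host"],
                               "user": user, "target": ev["host"]})
            continue
        cmd = ev.get("cmdline", "")
        m = WMIC_REMOTE.search(cmd)
        if m:
            alerts.append({"rule": "wmic-remote-process-create", "host": ev["host"],
                           "user": user, "target": m.group(1)})
            targets_by_user[user].add(m.group(1))
            continue
        m = PSEXEC_CMD.search(cmd)
        if m:
            alerts.append({"rule": "psexec-remote-exec", "host": ev["host"],
                           "user": user, "target": m.group(1)})
            targets_by_user[user].add(m.group(1))
    # One account pushing execution to many hosts in the window is the credential-theft signature.
    for user, targets in targets_by_user.items():
        if len(targets) >= fanout_threshold:
            alerts.append({"rule": "credential-fan-out", "host": "*", "user": user,
                           "target": ",".join(sorted(targets))})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print("{rule:28} user={user:12} logged-on={host:6} target={target}".format(**alert))
```

The fan-out rule is the one worth tuning: legitimate administrators also use PsExec and WMIC, so set the threshold and the time window from your own baseline, and treat a single hop from a known admin workstation as context rather than an incident.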
Infection is fast: early analysis by US-based security consultancy TrustedSec found 5000 machines infected in 10 minutes.
Petya encrypts the first megabyte of each file of dozens of file types, including Microsoft PowerPoint and Word documents and various image formats. Fake system-repair notices may be displayed while the ransomware is encrypting data.
Deleting the scheduled task that Petya creates to reboot the machine only prevents the Master File Table from being encrypted; files already encrypted in user mode stay encrypted. The malicious boot code Petya writes over the Master Boot Record still runs at the next reboot, encrypts the Master File Table and then displays the ransom note demanding payment, so an infected machine should not be rebooted and any file recovery should be done by booting from other media.
This article was first published on Telstra Exchange
Darren Pauli, Telstra, Security Special Projects. Darren Pauli is part of Telstra's security special projects team, working in influence and threat research. He joined Telstra in March after more than a decade as a technology journalist specialising in information security. Darren is an avid believer in combating fear and hype in educating the public on information security matters. In his spare time he stands around confused because he never has spare time.