Petya is ransomware that behaves as a worm. It hit computers worldwide, locking down systems and demanding $300 in bitcoins. The Ukrainian government’s computers were brought down during the initial spread, which came through the software update mechanism built into m.e.doc, an accounting program that companies working with the Ukrainian government are required to use. Read the full technical details on Microsoft’s TechNet website here on how the malware was distributed and on the infection mechanism that encrypts the files.
What do we know now after 48 hours of this attack?
“Petya is a worm, meaning it has the ability to self-propagate. It does this by building a list of target computers and using two methods to spread to those computers,” says Symantec.
The two methods referred to here are IP address gathering and credential gathering. The malware builds a list of IP addresses, using techniques that vary with the environment it finds itself in, and then gathers the credentials required for administrative access to those machines.
What can you do to protect yourself?
- Make sure your Windows PCs are updated to the latest security patch.
- Follow these important tips, which we used for preventing the WannaCry ransomware attack. Most importantly, do not download attachments from unknown sources and do not click on links in emails. Make sure you read 5 Signs That You May Have Received A Phishing Email.
- Some temporary prevention techniques have been identified. They include tricking the malware by creating a file with a specific name, or stopping the encryption just in time.
- Create a read-only file at C:\Windows\perfc.dat (or C:\Windows\perfc). If you are interested, follow the steps here on the BleepingComputer website.
- If your computer happens to reboot and the following screen shows up, unplug the power. This reboot is the actual step that encrypts the files. Methods are then available to retrieve the data by disconnecting the hard drive and accessing it like a USB drive to restore the files. These options are not a kill switch but a temporary vaccine.
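The read-only “vaccine” file step above, written out as an added PowerShell example (not a script from the original post or from BleepingComputer). It assumes an elevated session; the post names perfc and perfc.dat, and perfc.dll is the third name used by the widely circulated vaccine script.

```powershell
# Added example: create the read-only vaccine files described above.
# Run from an elevated (Administrator) PowerShell session.
# File names: the post names perfc and perfc.dat; perfc.dll is the third
# name used by the widely circulated BleepingComputer vaccine script.
$names  = @('perfc', 'perfc.dat', 'perfc.dll')
$winDir = $env:windir   # normally C:\Windows

foreach ($name in $names) {
    $path = Join-Path $winDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: the check is only for the name's presence.
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Host "Created $path"
    } else {
        Write-Host "$path already exists, leaving it in place"
    }
    # Mark the file read-only so it is not casually overwritten or deleted.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verify that every vaccine file exists and is read-only.
$allGood = $true
foreach ($name in $names) {
    $item = Get-Item -LiteralPath (Join-Path $winDir $name) -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.IsReadOnly) {
        Write-Warning "Vaccine file missing or not read-only: $name"
        $allGood = $false
    }
}
if ($allGood) { Write-Host 'All vaccine files present and read-only.' }
```

This only blocks the file-name check the post describes; it does not remove an existing infection or replace patching.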
What should you do if you get affected?
Do not pay the ransom. The email account associated with the attacker, which was used to confirm successful bitcoin payments, has been shut down. This means there is no way for the attacker to know whether you paid. Moreover, the intent of this attack is still under speculation, with most security experts calling it deadly and possibly not ransomware at all but a data wiper.
LOOK, READ, STOP & THINK BEFORE YOU CLICK