Petya Ransomware: What is The Petya Ransomware & How Can It Be Stopped?
What is ransomware?
Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it.
How does it work?
When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don’t have a recent back-up of the files they must either pay the ransom or face losing all of their files.
WHAT IS THE PETYA RANSOMWARE?
Malware called Petya has existed since 2016. Symantec says the version used in this cyberattack has been modified so that it spreads on its own, like a worm, rather than relying on each victim to open a malicious file.
Researchers say that although this version shares some code with earlier Petya samples, it is a different piece of malware, which is why it has also been dubbed NotPetya. Kaspersky says the malware differs from Petya and was altered for the current attack; its researchers add that it appears designed to operate under the “plausibly deniable cover of ransomware”.
So far, reports of the Petya ransomware are still emerging and a full picture is not yet available. Early analysis may therefore turn out to be wrong, and closer inspection of the code will fill in the details as they develop. WIRED will update this story as more information is confirmed.
Despite the many uncertainties about the ransomware, reports of its spread continue. UK marketing firm WPP tweeted to say it had been hit “by a suspected cyberattack”. The UK’s National Crime Agency said it is monitoring the situation and working with other companies around the world. The National Cyber Security Centre similarly said it is “monitoring the situation closely”, while the NHS, which was hit hard by WannaCry, said it was not suffering any “significant” incidents following the spread.
How does the “Petya” ransomware work?
The ransomware takes over computers and demands $300, paid in Bitcoin. Once a single machine in an organisation is infected, the malware spreads rapidly to others in two ways: through the EternalBlue exploit for the SMBv1 flaw in Microsoft Windows (Microsoft patched it in March 2017 as MS17-010, but not everyone has installed the update), or through two legitimate Windows administrative tools, PsExec and WMIC, run with credentials harvested from the infected machine. The second route works even on fully patched machines, which is why patching alone does not stop it inside a network. The malware tries one option and, if it fails, moves on to the next. “It has a better mechanism for spreading itself than WannaCry,” said Ryan Kalember, of cybersecurity company Proofpoint.
Where did it start?
The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian cyber police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kiev’s airport and metro system. The radiation monitoring system at Chernobyl was also taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone. A second wave of infections was spawned by a phishing campaign featuring malware-laden attachments.
How to Stop the Petya ransomware?
The advice for protecting yourself against Petya applies to many types of malware: make sure your operating system and applications are up to date. EternalBlue exploits a flaw in the SMBv1 protocol that Microsoft has already patched (MS17-010), so installing that update, and disabling SMBv1 where nothing still needs it, closes the route by which the malware jumps between machines. Because it can also spread with stolen administrator credentials, avoid using the same local administrator password across machines and do not browse or read email from an account with admin rights.
It’s also worth running a reputable anti-virus product and keeping its signatures current. Installing two real-time anti-virus engines side by side usually causes them to interfere with each other, so if you want a second opinion, use an on-demand scanner rather than a second resident product. Set the software to run regular scans of your system and your email attachments.
Don’t open email attachments without confirming that they are expected and that you know the sender; a plausible-looking invoice or document is the usual lure. This should be common practice.
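The patching and SMBv1 advice above can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from the original article or from any of the vendors it quotes: it reports whether an MS17-010 package is installed and whether the SMBv1 server is enabled, and with `-Harden` it disables SMBv1 and blocks inbound TCP/445 on the Public firewall profile. The KB IDs in it are, to the best of the author’s knowledge, the MS17-010 packages for Windows 7/8.1 and Server 2008 R2/2012/2012 R2 and should be verified against Microsoft’s bulletin for your builds; on Windows 10 and Server 2016 later cumulative updates supersede them, so a “not found” there means “check the build date”, not “unpatched”.

```powershell
# Added example (not from the original article): audit, and optionally harden,
# a Windows host against the SMBv1/EternalBlue spreading path used by Petya/NotPetya.
# Usage from an elevated prompt:
#   .\Check-Ms17010.ps1            # report only
#   .\Check-Ms17010.ps1 -Harden    # also disable SMBv1 and block inbound 445 (Public profile)
# Assumption: the KB list below is the MS17-010 package set for the OS families
# noted; verify it against Microsoft's bulletin before relying on it.
param([switch]$Harden)

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016 (superseded later)
)
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block inbound SMB (TCP 445) on public networks'

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB ID on every supported build.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchingKbs = $found }
}

function Get-Smb1State {
    # Prefer the SmbShare cmdlets (Windows 8 / Server 2012 and later);
    # fall back to the documented LanmanServer registry value on older builds.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        return [bool]$cfg.EnableSMB1Protocol
    } catch {
        $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # A missing value means the SMBv1 server is enabled (the pre-2017 default).
        return ($null -eq $val) -or ($val -ne 0)
    }
}

function Disable-Smb1 {
    try {
        # Takes effect immediately where the cmdlet exists.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
    } catch {
        # Registry route for Windows 7 / Server 2008 R2; needs a reboot to apply.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Block TCP/445 only on the Public profile: blocking it on the Domain profile
    # breaks file shares, Group Policy and SYSVOL access.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1State
"MS17-010 package found : $($patch.Patched) $($patch.MatchingKbs -join ',')"
"SMBv1 server enabled   : $smb1"

if ($Harden) {
    if ($smb1) { Disable-Smb1; 'SMBv1 server disabled (reboot if the registry route was used).' }
    Block-InboundSmb
    "Inbound TCP/445 blocked on the Public firewall profile ($RuleName)."
}
if (-not $patch.Patched) { 'No MS17-010 package found: install the update for this build before reconnecting the host.' }
```

Note what this does not cover: the PsExec/WMIC route relies on valid credentials rather than a software flaw, so a host that passes every check here can still be infected from a neighbour if the same local administrator password is shared across the network. Unique local admin passwords and restricting which accounts can log on remotely are the controls for that path.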
If you are affected by the ransomware, do this
After infecting a computer the ransomware waits for a period of roughly an hour before rebooting the machine; the disk-level encryption that locks the whole system runs after that reboot, behind a fake CHKDSK screen. If you catch the machine at the reboot or see that screen, switch the computer off immediately to stop that stage from completing, as flagged by @HackerFantastic on Twitter. Then remove the drive or boot from clean media and copy the files off without booting the infected Windows installation again. This does not recover files the malware had already encrypted before the reboot, so treat it as damage limitation rather than a cure.
If the system reboots to the ransom note, don’t pay the ransom: the “customer service” email address has been shut down, so there is no way to receive a decryption key for your files even if you pay. Disconnect the PC from the network so it cannot infect other machines, then reformat the hard drive, reinstall Windows and restore your files from a backup. Back up your files regularly, keep at least one copy offline where ransomware on the network cannot reach it, and keep your operating system and anti-virus software up to date.