How Petya propagates, and what to doWhile information regarding Petya is still being researched, the screenshot below shows Petya in the process of encrypting the MBR. Once complete, a lock screen – along with instructions on purchasing a decryption key – are shown. If you experience this, you should immediately turn off the computer, wipe the drive, reinstall the OS, and restore your files from backup.
Recommendations for mitigating the risks of ransomware like Petya
- Do not allow users to log in with administrator access. Most users only require a handful of applications that require elevated rights to perform their job duties. PowerBroker for Windows can easily create policy that allows these apps to run as expected without giving the user those rights. Petya is seen to require administrative access to install. Without these rights, it cannot infect the system.
- Maintain a regular backup of important or critical data. As advised, if you do become infected, rather than pay the ransom, you should wipe and reinstall the operating system, and restore from a known good backup. Equally important, however, is that this backup location should not be ‘always on’. In other words, it should not be accessible to the ransomware. Maintaining a password management system to access this backup location will also ensure unintended access cannot be granted.
- Use effective Application Control: Controlling which applications are even allowed to execute should be a critical priority in your security model. PowerBroker for Windows includes Application Control as part of its core functionality. Additionally, these policies can be triggered based on the state of the machine, (e.g. If SMB 1 is enabled, do not allow the execution of certain applications).