A new variant of the Petya ransomware has already been seen across the world. Petya, like other variants of ransomware, makes accessing files impossible. However, this particular version is more destructive than its counterparts. Where most ransomware seen over the past several years encrypts data files and demands money for the decryption key, Petya doesn’t bother with that. Instead, it targets the computer’s Master Boot Record (MBR). Without decryption, the machine will no longer boot up, rendering it useless and inaccessible.
According to Security Advisors, Petya utilizes the same Windows Server Message Block 1 (SMB 1) vulnerability recently seen with WannaCry, referenced as EternalBlue. BeyondTrust, along with these advisors, have strongly urged companies to patch this vulnerability via Microsoft’s Critical Security Bulletin, MS17-010, immediately.
How Petya propagates, and what to do
While information regarding Petya is still being researched, the screenshot below shows Petya in the process of encrypting the MBR.
Once complete, a lock screen – along with instructions on purchasing a decryption key – are shown. If you experience this, you should immediately turn off the computer, wipe the drive, reinstall the OS, and restore your files from backup.
Recommendations for mitigating the risks of ransomware like Petya
- Do not allow users to log in with administrator access. Most users only require a handful of applications that require elevated rights to perform their job duties. PowerBroker for Windows can easily create policy that allows these apps to run as expected without giving the user those rights. Petya is seen to require administrative access to install. Without these rights, it cannot infect the system.
- Maintain a regular backup of important or critical data. As advised, if you do become infected, rather than pay the ransom, you should wipe and reinstall the operating system, and restore from a known good backup. Equally important, however, is that this backup location should not be ‘always on’. In other words, it should not be accessible to the ransomware. Maintaining a password management system to access this backup location will also ensure unintended access cannot be granted.
- Use effective Application Control: Controlling which applications are even allowed to execute should be a critical priority in your security model. PowerBroker for Windows includes Application Control as part of its core functionality. Additionally, these policies can be triggered based on the state of the machine, (e.g. If SMB 1 is enabled, do not allow the execution of certain applications).
Jason Silva, Sr. Solutions Engineer, BeyondTrust
Jason Silva brings over 25 years of solutions and management experience to the industry. Currently serving as Senior Solutions Engineer for BeyondTrusts' Universal Privilege Management Platform, he uses this knowledge to help customers realize the value of our solutions throughout the product lifecycle. Earlier in his career, he found success as a software developer in a global consulting company and spent over four years managing IT and Regulatory Compliance in the banking industry.
Specialties: Microsoft Active Directory, Microsoft Group Policy, Pre and Post Sales Training, Sales Engineering, Enterprise Security Tools, Privileged Access Management