Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Petya Ransomware Strikes Hard: Be Master of the Universe (or at Least Be Master of Your Boot Record)

June 28, 2017

  • Blog
  • Archive
Petya Ransomware A new variant of the Petya ransomware has already been seen across the world. Petya, like other variants of ransomware, makes accessing files impossible. However, this particular version is more destructive than its counterparts. Where most ransomware seen over the past several years encrypts data files and demands money for the decryption key, Petya doesn’t bother with that. Instead, it targets the computer’s Master Boot Record (MBR). Without decryption, the machine will no longer boot up, rendering it useless and inaccessible. According to Security Advisors, Petya utilizes the same Windows Server Message Block 1 (SMB 1) vulnerability recently seen with WannaCry, referenced as EternalBlue. BeyondTrust, along with these advisors, have strongly urged companies to patch this vulnerability via Microsoft’s Critical Security Bulletin, MS17-010, immediately.

How Petya propagates, and what to do

While information regarding Petya is still being researched, the screenshot below shows Petya in the process of encrypting the MBR. Petya Once complete, a lock screen – along with instructions on purchasing a decryption key – are shown. If you experience this, you should immediately turn off the computer, wipe the drive, reinstall the OS, and restore your files from backup.

Recommendations for mitigating the risks of ransomware like Petya

  1. Do not allow users to log in with administrator access. Most users only require a handful of applications that require elevated rights to perform their job duties. PowerBroker for Windows can easily create policy that allows these apps to run as expected without giving the user those rights. Petya is seen to require administrative access to install. Without these rights, it cannot infect the system.
  2. Maintain a regular backup of important or critical data. As advised, if you do become infected, rather than pay the ransom, you should wipe and reinstall the operating system, and restore from a known good backup. Equally important, however, is that this backup location should not be ‘always on’. In other words, it should not be accessible to the ransomware. Maintaining a password management system to access this backup location will also ensure unintended access cannot be granted.
  3. Use effective Application Control: Controlling which applications are even allowed to execute should be a critical priority in your security model. PowerBroker for Windows includes Application Control as part of its core functionality. Additionally, these policies can be triggered based on the state of the machine, (e.g. If SMB 1 is enabled, do not allow the execution of certain applications).
While the burden of securing our assets may rest on your shoulders, there are mitigation steps you can take right now, and BeyondTrust is here to help. And because I know you were waiting for it, after you get this under control, and probably when no one is looking, feel free to yell out, “I-i-i-i Have the Power!” (YouTube video). For additional tips on preventing ransomware attacks, please refer to the following blogs:
  • Ransomware: 7 Strategies for Mitigating Risk
  • Ransomware: No One Vendor Can Stop It
  • Ransomware: Fine Tuning PowerBroker for Windows Rules

Jason Silva, Sr. Solutions Engineer, BeyondTrust

Jason Silva brings over 25 years of solutions and management experience to the industry. Currently serving as Senior Solutions Engineer for BeyondTrusts' Universal Privilege Management Platform, he uses this knowledge to help customers realize the value of our solutions throughout the product lifecycle. Earlier in his career, he found success as a software developer in a global consulting company and spent over four years managing IT and Regulatory Compliance in the banking industry.

Specialties: Microsoft Active Directory, Microsoft Group Policy, Pre and Post Sales Training, Sales Engineering, Enterprise Security Tools, Privileged Access Management

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

A Zero Trust Approach to Secure Access

Webcasts

Rising CISOs: Ransomware, Cyber Extortion, Cloud Compromise, oh my!

Whitepapers

A Zero Trust Approach to Windows & Mac Endpoint Security

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.