Petya Ransomware Strikes Hard: Be Master of the Universe (or at Least Be Master of Your Boot Record)
June 28th, 2017
A new variant of the Petya ransomware has already been seen across the world. Petya, like other variants of ransomware, makes accessing files impossible. However, this particular version is more destructive than its counterparts. Where most ransomware seen over the past several years encrypts data files and demands money for the decryption key, Petya doesn’t bother with that. Instead, it targets the computer’s Master Boot Record (MBR). Without decryption, the machine will no longer boot up, rendering it useless and inaccessible.
According to Security Advisors, Petya utilizes the same Windows Server Message Block 1 (SMB 1) vulnerability recently seen with WannaCry, referenced as EternalBlue. BeyondTrust, along with these advisors, have strongly urged companies to patch this vulnerability via Microsoft’s Critical Security Bulletin, MS17-010, immediately.
How Petya propagates, and what to do
While information regarding Petya is still being researched, the screenshot below shows Petya in the process of encrypting the MBR.
Once complete, a lock screen – along with instructions on purchasing a decryption key – are shown. If you experience this, you should immediately turn off the computer, wipe the drive, reinstall the OS, and restore your files from backup.
Recommendations for mitigating the risks of ransomware like Petya
- Do not allow users to log in with administrator access. Most users only require a handful of applications that require elevated rights to perform their job duties. PowerBroker for Windows can easily create policy that allows these apps to run as expected without giving the user those rights. Petya is seen to require administrative access to install. Without these rights, it cannot infect the system.
- Maintain a regular backup of important or critical data. As advised, if you do become infected, rather than pay the ransom, you should wipe and reinstall the operating system, and restore from a known good backup. Equally important, however, is that this backup location should not be ‘always on’. In other words, it should not be accessible to the ransomware. Maintaining a password management system to access this backup location will also ensure unintended access cannot be granted.
- Use effective Application Control: Controlling which applications are even allowed to execute should be a critical priority in your security model. PowerBroker for Windows includes Application Control as part of its core functionality. Additionally, these policies can be triggered based on the state of the machine, (e.g. If SMB 1 is enabled, do not allow the execution of certain applications).
While the burden of securing our assets may rest on your shoulders, there are mitigation steps you can take right now, and BeyondTrust is here to help. And because I know you were waiting for it, after you get this under control, and probably when no one is looking, feel free to yell out, “I-i-i-i Have the Power!” (YouTube video).
For additional tips on preventing ransomware attacks, please refer to the following blogs: