In the wake of the recent chaos caused by the WannaCry ransomware, companies and individuals alike were given a firsthand look at what happens when their systems are not kept up to date. Yesterday, another ransomware made an appearance. Called Petya, this ransomware attacked several companies across Europe and the United States, including the advertising group WPP, the food company Mondelez, the law firm DLA Piper and the Danish shipping and transport firm Maersk. Most, if not all, of the systems in these companies have had their data encrypted by the Petya ransomware, and the attackers are asking for a payment of $300 in bitcoins in return.
What is the Petya Ransomware?
Similar to how the WannaCry ransomware operated, once Petya has infected a machine it spreads extremely fast through Microsoft Windows systems using the EternalBlue vulnerability in Windows. Despite Microsoft having released a patch for it, there are still companies and users who have not installed it yet.
The initial attack appears to have come through a software update built into an accounting program that companies working with the Ukrainian government needed to use. At least, that’s what the Ukrainian Cyber Police have to say. Once the ransomware spread, it affected a number of Ukrainian institutions such as the government, banks, state power facilities (including nuclear), and also Kiev’s airport and Metro systems. If you noticed, I said nuclear as well. That’s because the radiation monitoring system at Chernobyl was also taken offline by the Petya ransomware. This meant that employees were forced to use handheld counters to measure radiation levels in the former nuclear plant’s exclusion zone.
Things were about to get nastier
If you were infected by the Petya ransomware and were planning to make the payment of $300 in bitcoins, you were also in store for another nasty experience. Rather than creating a custom email address for each victim, as ransomware typically does, Petya uses only one email address for victims to communicate with the attackers. That address was suspended by Posteo, the German email provider hosting it, after they discovered it was being used for nefarious purposes. So even if you send an email with proof of payment, the attackers will not receive it, and your files cannot be decrypted. The only remaining option is a fresh installation of the operating system. While this is somewhat of a hassle for average consumers on home desktops, it’s disastrous for commercial institutions, which cannot afford downtime on their systems.
Some experts say that this ransomware is an updated variant of the Petya ransomware that appeared a few years ago, while others say that it’s an entirely new threat. Either way, over 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US have been infected by it.
Staying safe from the Petya ransomware
Firstly, back up your files regularly and keep your anti-virus software up to date. There’s no sure-fire way to protect yourself, as no single patch provides complete protection; nonetheless, it’s important to keep all systems patched and up to date. Along with that, administrators can block C:\Windows\perfc.dat from running. Further, they can bolster system security by using Microsoft’s Local Administrator Password Solution (LAPS) to protect the local administrator credentials that the ransomware abuses to gain network privileges.
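One way an administrator can carry out the "block C:\Windows\perfc.dat from running" step on a single machine is shown below. This is an added example, not code from the article or from any vendor: it pre-creates the file at the path the article names if nothing is there yet, marks it read-only, and attaches an ACL entry denying everyone the right to execute it. The read-only attribute goes one step beyond what the article says and is this example's own choice, so that a later attempt to overwrite the placeholder with a payload fails as well. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): block C:\Windows\perfc.dat from executing.
# Technique chosen here: placeholder file + read-only attribute + Deny-Execute ACL.
# The path is the one named in the article; everything else is this example's assumption.

$target = 'C:\Windows\perfc.dat'

# Create an empty placeholder only if the path is free, so an existing file is never clobbered.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -Path $target -ItemType File | Out-Null
}

# Read-only attribute: an ordinary write to the file now fails.
Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $true

# Deny 'ExecuteFile' to Everyone. Windows evaluates Deny ACEs before Allow ACEs,
# so this overrides any inherited Allow from C:\Windows.
$acl  = Get-Acl -LiteralPath $target
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList 'Everyone', 'ExecuteFile', 'Deny'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $target -AclObject $acl

# Verification output for the change record: the Deny entry and the file attributes.
(Get-Acl -LiteralPath $target).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
(Get-Item -LiteralPath $target).Attributes
```

For a fleet, the same steps belong in a Group Policy startup script or a configuration-management job rather than being run by hand, and the verification lines give you something to collect centrally so you can confirm which hosts actually have the block in place.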
In addition, the ransomware infects a computer and then waits for some time before rebooting the machine. While this waiting period is in progress, you can switch off the computer to prevent your files from being encrypted. From there, you can attempt to back up and copy the files, and then reinstall the system. If, however, you reboot the PC and are faced with the Petya ransom screen, then, as stated above, do not make the payment, because the email address has been shut down. All you can do is disconnect your PC from the internet, reformat the hard drive and restore your files from a backup.