June 27th Global Ransomware Attack: the malware that rapidly spread across 65 countries – Petya
A global ransomware attack occurred on 27th June 2017, targeting computers using Microsoft Windows. Initial infections were observed in Ukraine, with infections in countries from the Americas, Asia, Europe, the Middle East and Oceania reported shortly after.
Microsoft’s Malware Protection Center (MMPC) have published a detailed overview of the ransomware’s functions, initial vehicles for its spreading, and information on protecting your devices from infection.
Much of what we recommend to protect against the vulnerability which Petya targets is a repeat of what Xyone recommended last month: install the critical security update MS17-010, keep Microsoft Windows up to date, ensure that Windows Defender is enabled and running (as the current version detects this ransomware), and disable Server Message Block version 1 (SMBv1).
What is it?
Initially reported to be a new version of WannaCry, yesterday’s ransomware, which affected at least 65 countries, has been confirmed to be a new variant of Petya (which targets Microsoft Windows machines at the operating-system level) codenamed “NotPetya”. Petya ransomware was first discovered in 2016; similarly to yesterday’s attacks, the original Petya ransomware encrypted computers’ data in an attempt to make them unusable, demanding payment in order to restore each system to its former usability. However, this ransomware’s previous form was reverse-engineered in the same year to bypass this ransom screen and enable users to continue using their machine(s), removing the ransomware’s effects without payment being made.
This ransomware has worm capabilities: once it has infected one device on a network, it can self-replicate and spread across networks to target more devices.
As stated in our response to the WannaCry ransomware attack last month, the National Crime Agency (NCA) advice on ransomware remains: “We encourage the public not to pay any ransom demand”.
What can I do to be protected?
Based on Microsoft’s guidelines following this attack, you can protect against this by:
- Using the latest version of your Microsoft products – Microsoft have released “cloud-delivered protection updates” and “updates to our signature definition packages” which protect against this new strain of the Petya ransomware.
- Keeping your antivirus enabled and up to date.
- Applying a recently-released ransomware “vaccine” for Petya, a protective measure against the ransomware, found by cyber security researcher Amit Serper. Details on how to apply this fix can be found on technology news site BleepingComputer.
- Installing MS17-010 on all Microsoft Windows systems, if you have not already.
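To check a machine against the recommendations above (SMBv1 disabled, Windows Defender running with current signatures, MS17-010 installed), the following PowerShell audit can be run from an elevated prompt. It is an added example, not from Microsoft or Xyone; the `-Ms17010Kb` parameter is an assumption of this example and must be filled with the KB numbers for your Windows version from Microsoft's MS17-010 bulletin.

```powershell
param(
    # Assumption: KB ids for MS17-010 on this OS, supplied by the operator.
    # They differ per Windows version, so none are hard-coded here.
    [string[]]$Ms17010Kb = @()
)

$report = [ordered]@{}

# 1. SMBv1 on the file-server side: the recommended value is False.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    $report['SMBv1 server protocol enabled'] = $smb.EnableSMB1Protocol
} catch {
    $report['SMBv1 server protocol enabled'] = 'unknown: ' + $_.Exception.Message
}

# 2. SMBv1 Windows feature (covers the client component as well).
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    $report['SMBv1 feature state'] = if ($feature) { [string]$feature.State } else { 'not present' }
} catch {
    $report['SMBv1 feature state'] = 'unknown: ' + $_.Exception.Message
}

# 3. Windows Defender: enabled, real-time protection on, signatures recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['Defender antivirus enabled']    = $mp.AntivirusEnabled
    $report['Defender real-time protection'] = $mp.RealTimeProtectionEnabled
    $report['Defender signature age (days)'] = $mp.AntivirusSignatureAge
} catch {
    $report['Defender status'] = 'unknown: ' + $_.Exception.Message
}

# 4. MS17-010: look for any of the supplied KB ids. A later cumulative update
#    can include the fix without the original KB being listed, so a miss here
#    means "verify the patch level manually", not "definitely vulnerable".
if ($Ms17010Kb.Count -gt 0) {
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $Ms17010Kb -contains $_.HotFixID })
    $report['MS17-010 KB found'] = if ($found) { ($found.HotFixID -join ', ') } else { 'none of the supplied KBs' }
} else {
    $report['MS17-010 KB found'] = 'not checked (no KB ids supplied)'
}

[pscustomobject]$report | Format-List
```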