The WannaCry Ransomware Cyberattack which took place 2 months ago should have been a wake-up call to companies worldwide to update their I.T. infrastructure, but how many companies took proactive steps to ensure it wouldn’t happen again?. Yesterday a new variant of Petya Ransomware was unleashed, starting in the Ukraine and then spreading to Russia and beyond. Over 2000 companies were affected including Russia’s top oil producer, Rosneft, and computers at the Irish offices of WPP and Maersk shipping.
Sophos Group plc the well-known security software and hardware company told Irish Tech News:
“Sophos is responding to a new variant of the Petya ransomware family that has affected organisations across Europe. Petya was first discovered in 2016 – it is ransomware that encrypts MFT (Master File Tree) tables and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. This new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected.
“Sophos customers with Sophos Endpoint Protection products are protected against this new variant. Sophos Intercept X customers were proactively protected with no data encrypted, from the moment this new ransomware variant appeared.”
Sophos also gave the following tips for Irish Tech News readers:
- Ensure systems have the latest patches, including the one in Microsoft MS17-010 bulletin
- Consider blocking the Microsoft PsExec tool from running on users’ computers. You can block it using a product such as Sophos Endpoint Protection. A version of this tool is used as part of another technique used by the Petya variant to spread automatically
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands
- Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job
- Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk
What does the Petya Ransomware do?
The Petya ransomware encrypts files and documents on an infected machine, like most ransomware and it also replaces the original Master Boot Record (MBR) of an infected machine so that this computer can no longer boot into Windows. The new boot code is used to show the ransomware note and explains how to pay the ransom. Sophos has detected and protected customers from several further variants in the last few hours.
How does it infect a computer?
Sophos is still analysing how this threat first enters a company network, but they have noticed that this new outbreak uses the “EternalBlue” exploit as a way to spread within a network after the initial infection. The exploit attacks vulnerable Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in the spread of WannaCry last month.
The new Petya variant can also spread by using a version of the Microsoft PsExec tool in combination with admin credentials from the target computer.
Keep an eye out for Irish Tech News podcasts on Ransomware and other threats that cybercriminals pose to businesses.