The latest attack the world has seen
recently is a variant of the
Petya ransomware virus. As of this writing, it appears a new variant of Petya
has been released with EternalBlue exploit code built in, which WannaCry utilized
to propagate around organizations.
Unlike WannaCry, Petya is a different kind of ransomware. Common
delivery methods are via phishing emails, or scams. The payload requires local
administrator access.
Prevention
Tip #1: The malware requires administrator rights to the local computer.
Standard users should not have this in permission. Consider restricting who has
local admin rights to prevent execution of exploit code within organisations.
Home users should also consider using a Standard User Account for day-to-day
operations.
Once executed, the system’s master boot record
(MBR) is overwritten by the custom boot loader, which loads a malicious
kernel containing code that starts the encryption process.
Once the MBR has been altered, the malware will cause the system
to crash. When the computer reboots, the malicious kernel is loaded, and a
screen will appear showing a fake Check disk process.
This is where the malware is encrypting the Master File Table
(MFT) that is found on NTFS disk partitions, commonly found in most Windows operating
systems.
It is when the machine is rebooted to encrypt the MFT that the
real damage is done.
Prevention
Tip #2: Some Windows systems are configured to automatically reboot if it
crashes. You can disable this feature in Windows. If you can prevent the MFT
from being encrypted, you can still recover your data from your local disk.
Click here to learn how to do this.
Once the fake Check Disk is complete, the end user is presented
with a ransomware page to find out how to go about recovering their data by
paying an amount of money.
In addition to the prevention tips listed above, below are some
recommendations that will help protect you from such an attack, and how to minimize
the impact:
RECOMMENDATIONS FOR
COMPANIES
- Deploy the latest Microsoft patches,
including MS17-010 which patches the SMB vulnerability
- Consider disabling SMBv1 to prevent
spreading of malware
- Educate end-users to remain vigilant
when opening attachments or clicking on links from senders they do not
know
- Ensure you have the latest updates
installed for your anti-virus software, vendors are releasing updates to
cover this exploit as samples are being analyzed
- Ensure you have backup copies of your
files stored on local disks. Generally, user files on local drives are
replicated from a network share
- Prevent users from writing data
outside of designated areas on the local hard disk to prevent data loss if
attack occurs
- Operate a least privileged access
model with employees. Restrict who has local administration access
RECOMMENDATIONS FOR
END-USERS OR HOME USERS
- Ensure automatic updates are turned on
and the latest security patches are applied
- Update your Antivirus software to the
latest version and the signatures are up-to-date
- Ensure you have enabled User Access
Control on the endpoint and consider operating as a standard user and not
a user with administrative privileges
- As a home user, consider using a cloud
backup or online storage provider, such as DropBox, Google Drive and Microsoft
OneDrive. As files are changed, they are updated in the cloud
Petya does not encrypt the files themselves; it encrypts the
Master File Table, which is an index of where all the files are stored on a
hard disk drive. Without the index, it makes it incredibly difficult to
identify where the files are on the disk.
No comments:
Post a Comment