

Worldwide Petya ransomware attack spreading quickly, like WannaCry




Ransomware is a type of malware that infects a computer and restricts the user's access to it until a ransom is paid to unlock it. Ransomware has been around for several years; in recent years, however, attacks have increased and have become highly targeted and sophisticated. In the last couple of years, many thousands of computers have been hit by ransomware designed to extort money from users and organisations.

Recently, a ransomware known as Petya has appeared worldwide, notably in Russia, Ukraine, Spain, France, the UK, India and elsewhere in Europe. It has been shutting down computers at corporations, power suppliers and banks and demanding $300 in bitcoin. The most severe damage has been reported by Ukrainian businesses, with systems compromised at Ukraine's central bank, the state telecom, the municipal metro and Kiev's Boryspil Airport. Systems were also compromised at Ukraine's electricity supplier Ukrenergo.

Petya works differently from most other ransomware. Rather than encrypting individual files, it reboots the victim's computer, encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable. The MFT holds the file names, sizes and locations on the physical disk, so seizing it locks the user out of the whole system even though the file contents themselves are untouched. Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot. Petya uses the NSA EternalBlue exploit against SMBv1 (the flaw fixed by MS17-010), but it also spreads inside internal networks with WMIC and PsExec using credentials harvested from the infected host. This is the practical caveat: a fully patched machine can still be infected by a compromised neighbour whose user has administrative rights on it, so patching must be paired with least privilege.


What can we do to prevent Petya:

* Deploy the latest Microsoft patches, including MS17-010, which patches the SMB vulnerability used by EternalBlue.

* Consider disabling SMBv1 to prevent spreading of malware.

* Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know

* Ensure you have the latest updates installed for your anti-virus software; vendors are releasing updates to cover this malware as samples are analysed.

* Ensure you have backup copies of any files stored on local disks. Generally, user files on local drives should be replicated to or from a network share that is itself backed up separately, so that an encrypted workstation can be rebuilt without data loss.

* Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.

* Operate a least-privilege access model for employees. Restrict who has local administrator access, since Petya's WMIC and PsExec spreading relies on administrative credentials.
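The following PowerShell script is an added example, not part of the original advisory, that checks a Windows host against the prevention list above (MS17-010 installed, SMBv1 disabled, local administrators reviewed) and offers a hardening function. The KB numbers are the March 2017 MS17-010 packages; on a machine that has since received cumulative updates they are superseded, so "not found" is a prompt to verify the update level, not proof the host is unpatched. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the advisory's own code). Run in an elevated PowerShell prompt.
# Assumption: the KB list below is the March 2017 MS17-010 release set; later
# cumulative updates supersede it, so absence alone does not mean "vulnerable".

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Compare installed hotfix IDs with the MS17-010 package list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($hit) { "MS17-010: found $($hit -join ', ')" }
    else      { 'MS17-010: none of the March 2017 KBs found - verify the cumulative update level' }
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return "SMBv1 server enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
    }
    # Windows 7 / Server 2008 R2: SMB1 is a LanmanServer registry value; a missing value means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return 'SMBv1 server enabled: True (registry default)' }
    return "SMBv1 server enabled: $($val -ne 0)"
}

function Disable-Smb1 {
    # Server side: turn SMBv1 off using whichever mechanism the OS supports.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side (Windows 8.1 / 10 optional feature); skipped where the cmdlet or feature is absent.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    # Workstations rarely need to serve SMB at all: block inbound TCP 445 so an
    # infected peer cannot reach this host. Do NOT apply this to file servers.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -ErrorAction SilentlyContinue | Out-Null
    }
}

function Get-LocalAdmins {
    # Least privilege: these accounts can run the WMIC/PsExec spreading step against this host.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    } else {
        net localgroup Administrators   # older hosts without the LocalAccounts module
    }
}

Test-Ms17010Installed
Get-Smb1State
Get-LocalAdmins
# Disable-Smb1   # uncomment once you have confirmed nothing on the network still needs SMBv1
```

Disabling SMBv1 is a change that can break legacy devices (old NAS boxes, printers, Windows XP/2003 hosts), which is why the hardening function is left commented out: run the checks first, fix what they report, and remove the comment only after confirming that no remaining system depends on the protocol.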

What should you do if you are affected by the Petya ransomware?

The ransomware infects the computer and then waits, typically up to about an hour, before forcing a reboot; the MFT encryption itself only happens after that reboot, behind a screen that imitates a CHKDSK disk check. If you see an unexpected reboot starting, or the CHKDSK-style screen after it, switch the computer off immediately (pull the power rather than shutting down cleanly) to stop the encryption, then disconnect it from the network and try to rescue the files by mounting the disk read-only from another, clean machine. Do not power the machine back on and let it boot normally.
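The response steps above assume you catch the machine during the waiting period. The PowerShell script below is an added example, not part of the original advisory, that finds and cancels a pending forced reboot and then isolates the host. It assumes, as was reported for this variant, that the delayed reboot is set up as a scheduled task whose action runs shutdown.exe with /r and /f; if a sample arranges the reboot some other way the task search will not fire, so a reboot prompt or CHKDSK-style screen remains the signal to cut power. Run it from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example (not the advisory's own code). Assumption: the delayed reboot
# is a scheduled task that launches shutdown.exe /r /f, as reported for this
# variant. Requires the ScheduledTasks and NetAdapter modules (Win8/2012+).

function Find-ShutdownTasks {
    # Any scheduled task, in any folder and under any name (including an empty
    # one), whose action launches shutdown.exe.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'shutdown(\.exe)?$' }
    } | ForEach-Object {
        $action = $_.Actions | Select-Object -First 1
        [pscustomobject]@{
            TaskPath  = $_.TaskPath
            TaskName  = $_.TaskName
            Execute   = $action.Execute
            Arguments = $action.Arguments
            NextRun   = ($_ | Get-ScheduledTaskInfo).NextRunTime
        }
    }
}

function Stop-PetyaReboot {
    # 1. Abort a shutdown that is already counting down. shutdown.exe /r /f
    #    without /t gives a 30-second grace period, which is enough to catch.
    shutdown.exe /a 2>$null

    # 2. Remove the scheduled task(s) so the reboot cannot be re-triggered.
    Find-ShutdownTasks | ForEach-Object {
        Write-Host "Removing scheduled task '$($_.TaskPath)$($_.TaskName)' -> $($_.Execute) $($_.Arguments)"
        Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false
    }

    # 3. Isolate the host so it cannot spread via SMB, WMIC or PsExec to its
    #    neighbours. Disabling the adapters is the scripted equivalent of
    #    pulling the network cable; do whichever is faster.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

    Write-Host 'Host isolated. Image the disk before any cleanup and report to RW-CSIRT.'
}

Find-ShutdownTasks | Format-Table -AutoSize
# Stop-PetyaReboot   # run immediately if a suspicious shutdown task is listed
```

Cancelling the reboot buys time but does not remove the infection: the malware is still resident and the MBR may already have been overwritten, so the host must still be treated as compromised, imaged for forensics and rebuilt rather than returned to service.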

NB: Report the incident immediately to RW-CSIRT: hotline 4045, or by email to security@rdb.rw