Petya ransomware, also known as Petrwrap or GoldenEye, affects Microsoft Windows based systems and encrypts the MBR and NTFS data on the system, spreading via SMB exploits against machines that have not been updated with the latest software patches. Although this ransomware outbreak is smaller than the earlier WannaCry attack, it has had a considerable impact in Europe, primarily Ukraine, as well as in Russia, the UK, India and elsewhere.
How can it impact you?
The recent attack by Petya ransomware is another warning to enterprises about the possible catastrophe that vulnerabilities in their networks or IT infrastructure can cause. Petya ransomware is spreading fast, with Ukraine being the worst-hit country in the last couple of days. It uses the same exploit that WannaCry used to propagate itself and that created havoc in the recent past. Microsoft released a patch for the exploited vulnerability back in March 2017, but many organizations missed updating their OS and systems.
EternalBlue was the exploit used by WannaCry; it abuses the SMB protocol vulnerability to propagate throughout the network. Petya ransomware, however, does not just encrypt files: after encrypting them, it also tries to encrypt the MBR, effectively rendering the infected systems unbootable.
According to our findings, Petya was pushed through an update for MeDoc, a financial software package widely used by organizations in Ukraine.
How does eScan protect against Ransomware attacks:
eScan’s Proactive Behavioral Analysis Engine (PBAE) monitors the activity of all processes on the local machine, and when it encounters any activity or behavior that matches ransomware, a red flag is raised and the process is blocked. If an infected system tries to access a network share of a protected system and encrypt or modify files residing on that system, PBAE immediately terminates the network session.
Along with Petya, PBAE technology is also successfully blocking ransomware attacks such as WannaCry, Locky, Zepto, Crysis, Cerber3 and many more. By analyzing the data collected through our Cloud (ESN) network, we are able to successfully detect and mitigate thousands of ransomware attacks on all systems protected by eScan.
eScan’s Active Virus Control (AVC) also proactively protects the system from infection by analyzing malware as it executes, in real time. It is not just PBAE but also AVC that identifies and blocks the execution of malware and Trojans, including all types and variants of ransomware.
Prevention Measures:
- To stay safe from such ransomware attacks, all organizations and users need to ensure that the patches released by Microsoft have been applied immediately, such as those below.
- Administrators should block all executable files from being transmitted via eMails.
- Administrators should isolate the affected system in the Network.
- Administrators can restore the encrypted files from a backup or from a system restore point (if enabled) on affected systems.
- Install and configure eScan with all security modules active:
  - eScan Real Time Monitoring
  - eScan Proactive Protection
  - eScan Firewall IDS/IPS Intrusion Prevention
- Users shouldn’t enable macros in documents.
- Organizations should deploy and maintain a backup solution.
- Most important, organizations should implement MailScan at the gateway level for mail servers, to contain the spread of suspicious attachments.
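The patching and isolation measures above can be audited from the affected host itself. The following PowerShell script is an added example, not eScan's code or tooling: it reports whether the March 2017 SMB fix (Microsoft bulletin MS17-010) is present and whether SMBv1, the protocol version EternalBlue targets, is still enabled, and can optionally disable SMBv1 or add a firewall rule that blocks inbound SMB for incident isolation. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the `*-SmbServerConfiguration` and `NetSecurity` cmdlets); the two KB identifiers in the default parameter are the Windows 7 SP1 / Server 2008 R2 packages and must be replaced with the package for the host's OS.

```powershell
<#
  Added example (not eScan's code): audit a Windows host for the two conditions
  the prevention measures target, and optionally remediate or isolate it.
  Run from an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
  Assumptions: the KB identifiers below are the Windows 7 SP1 / Server 2008 R2
  packages for MS17-010; substitute the package for this host's OS. Later
  cumulative updates supersede these KBs, so a "missing" result means "verify in
  Windows Update history", not "definitely unpatched".
#>
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215'),
    [switch]$Remediate,   # disable SMBv1 on the server side
    [switch]$Isolate      # add a firewall rule blocking inbound SMB (TCP 445)
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by HotFixID (e.g. 'KB4012212').
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($KbIds | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    # SMBv1 is the protocol version EternalBlue targets; SMBv2/3 are not affected.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turns off SMBv1 on the server side without a reboot. Legacy clients
    # (Windows XP, some printers and NAS devices) will lose access to this host's shares.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Add-SmbIsolationRule {
    # Incident containment: stop other hosts from reaching this machine's SMB service,
    # which is the path Petya uses to spread. Remove the rule once the host is clean and patched.
    $name = 'Incident isolation - block inbound SMB 445'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# --- Audit ---
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Ms17010Installed = Test-Ms17010Installed -KbIds $Ms17010Kbs
    Smb1Enabled      = Test-Smb1Enabled
}
$report | Format-List

if ($report.Smb1Enabled -and -not $report.Ms17010Installed) {
    Write-Warning 'SMBv1 is enabled and the MS17-010 package was not found: exposed to the EternalBlue path.'
}

# --- Optional actions ---
if ($Remediate -and $report.Smb1Enabled) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled on the server side.'
}
if ($Isolate) {
    Add-SmbIsolationRule
    Write-Output 'Inbound TCP 445 blocked; remove the rule after cleanup.'
}
```

Save it as, for example, `Check-SmbExposure.ps1` and run `.\Check-SmbExposure.ps1` for the audit only, `-Remediate` to disable SMBv1, or `-Isolate` on a machine suspected of infection. Disabling SMBv1 rather than only patching is the durable fix, because the patch closes one bug while SMBv1 removal closes the whole protocol version; test it against any legacy devices first, since they will lose share access.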