On June 27, 2017, the Petya ransomware began impacting multiple organisations, with local news reporting encrypted files and halted operations at several Australia-based organisations.
Staff at Cadbury Australia (Tasmania) were met with the ransom screen shown in the image above when logging on (source: ABC Online), after an attack at around 9:30pm on Tuesday night. Other companies with Australian operations reported as affected include TNT Express Australia, DLA Piper and AP Moller-Maersk.
The attack has affected government and critical infrastructure operators, appearing to spread in a similar fashion to the May 2017 WanaCrypt0r/WannaCry attacks.
Several news sites are reporting that users are unable to get their files back, even after they pay up.
When it comes to security, there is no room for second best. It’s a matter of proactive offence, not reactive defence.
How the attack works.
While the initial infection vector is unclear, Petya likely attempts to spread to other hosts using the SMB protocol by exploiting the ETERNALBLUE vulnerability (CVE-2017-0144) on Microsoft Windows systems. This vulnerability was publicly disclosed by the Shadow Brokers group in April 2017, and was addressed by Microsoft in March 2017 with MS17-010. Once a successful infection has occurred, the malware encrypts users’ systems and demands a $300 payment to return access. For detailed analysis of the Petya attack playbook, please see our blog from the Unit 42 threat research team.
Source: Palo Alto Networks
Preventions and protections:
MSS security partners Palo Alto Networks and SOPHOS have issued statements on the attack, along with updates on protection.
Palo Alto Networks has also issued these general steps for Windows users to protect themselves:
- Apply security updates in MS17-010
- Block inbound connections on TCP Port 445
- Create and maintain good back-ups so that if an infection occurs, you can restore your data.
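The three steps above, as a checklist a Windows administrator can run locally in an elevated PowerShell session. This is an added example, not code from the original post, Palo Alto Networks or MSS; the firewall rule name is an assumption chosen here, the KB numbers are the March 2017 MS17-010 packages for the legacy Windows versions, and the back-up step is a process control with no script attached:

```powershell
# Added example (not from the original post or its sources).
# Run in an elevated (Administrator) PowerShell session on the host being checked.

# Step 1: is an MS17-010 package installed?
# KB numbers are the March 2017 MS17-010 packages: Windows 7 / Server 2008 R2
# (4012212 security-only, 4012215 monthly rollup), Server 2012 (4012214, 4012217),
# Windows 8.1 / Server 2012 R2 (4012213, 4012216) and the Vista/XP/2003 package (4012598).
# Windows 10 carries the fix inside its cumulative updates, which later updates supersede,
# so an empty result there is not proof the host is unpatched: compare the OS build instead.
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    $build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    "No MS17-010 KB found by name; OS build is $build - verify the cumulative update level"
}

# Step 1b: ETERNALBLUE targets the SMBv1 server, so disabling SMBv1 removes the
# exposed component even where patch status is uncertain (Windows 8 / Server 2012 and later).
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 server disabled'
}

# Step 2: block inbound TCP 445 on every firewall profile.
# The display name is an assumption chosen for this example.
$ruleName = 'Block inbound TCP 445 (MS17-010 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
# Show the rule's port filter so the block can be confirmed after the run.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Step 3 (back-ups) is a process control: confirm that an offline or otherwise isolated
# copy exists and has been test-restored. A script cannot prove that on its own.
```

Blocking inbound 445 outright is appropriate for workstations and at the perimeter; on file servers and domain controllers it stops legitimate SMB traffic, so there scope the same rule with `-RemoteAddress` to the subnets that genuinely need access rather than blocking everything.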
Petya is a ransomware family that works by modifying the Windows system’s Master Boot Record (MBR), causing the system to crash. When the user reboots their PC, the modified MBR prevents Windows from loading and displays a fake “chkdsk” screen indicating that the computer’s hard drive is being repaired, while the malware is actually encrypting the user’s files. When this process completes, the malware displays an ASCII ransom note demanding payment from the victim (Figure 1).
The threat of ransomware is real.
As Perth’s cybersecurity experts, the team at MSS specialises in developing custom security solutions to suit your needs. Call Kelly Webb on 1300 MSS4IT (677 448) to discuss the protection of your data.