Highly evolved ransomware wreaks havoc across Europe

June 30, 2017 - 3:37 PM
Computer codes are seen in a Reuters file image.

MANILA, PHILIPPINES — Global IT security firm Sophos has determined that a new variant of Petya ransomware (also known as GoldenEye) is behind the serious online outbreak that spread across Europe, Russia, Ukraine and elsewhere Tuesday this week. Others in the security industry are calling it PetrWrap.

The massive cyberattack disrupted computer systems at Russia’s Rosneft, one of the world’s biggest crude oil producers, Ukrainian banks and multinational corporations.

Petya was first discovered in 2016 – it is ransomware that encrypts the MFT (Master File Table) and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving the victims unable to boot their computers. Its new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected.

The resurgent Petya strain now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit still proved instrumental in last month’s spread of WannaCry.

GoldenEye breaks admin passwords in an attempt to infect other PCs on the network using remote admin tools. It runs credential-stealing code to break user account passwords and then deploys the ransomware. To infect remote computers, it comes bundled with a legitimate remote admin tool called PsExec from Microsoft’s SysInternals suite.

Sophos customers using Endpoint Protection are protected against all the recent variants of Petya ransomware.

Those using Sophos Intercept X have been proactively protected with no data encrypted from the moment this new ransomware variant appeared.

Other users can apply defensive measures such as:
• Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
• Consider blocking the Microsoft PsExec tool from running on users’ computers. A version of this tool is part of another technique used by Petya to spread automatically. You can block it using a product such as Sophos Endpoint Protection.
• Back up regularly and keep a recent backup copy off-site. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands. Backing up is also a good habit considering that there are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.
• Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and use attachments a lot in your job.
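
Where PsExec cannot be blocked outright, its use can still be watched for. The following is an added example, not from Sophos or the original article: it flags bursts in which the PsExec service (default name PSEXESVC, recorded as Windows System event 7045) is installed on several hosts within a few minutes, the pattern that automatic spreading over PsExec would produce. The flattened log format, host names, thresholds and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: System-log event 7045 ("A service was installed in the
# system") records, flattened to "timestamp,host,event_id,service_name".
SAMPLE_EVENTS = """\
2017-06-27T10:02:11,WS-014,7045,PSEXESVC
2017-06-27T10:02:40,WS-022,7045,PSEXESVC
2017-06-27T10:03:05,WS-031,7045,PSEXESVC
2017-06-27T10:03:09,WS-031,7045,PSEXESVC
2017-06-27T10:03:50,FS-002,7045,PSEXESVC
2017-06-27T10:04:00,WS-040,7045,Spooler
2017-06-27T15:30:00,WS-050,7045,PSEXESVC
"""

def parse_events(text):
    """Yield (time, host) for each PsExec service installation record."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # skip malformed rows
        stamp, host, event_id, service = parts
        if event_id == "7045" and service.upper() == "PSEXESVC":
            yield datetime.fromisoformat(stamp), host.upper()

def find_bursts(text, window=timedelta(minutes=5), min_hosts=3):
    """Return [(start, end, hosts)] for each window in which at least
    min_hosts distinct hosts installed the PsExec service."""
    events = sorted(parse_events(text))
    bursts, i = [], 0
    while i < len(events):
        start = events[i][0]
        j = i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        hosts = sorted({h for _, h in events[i:j]})
        if len(hosts) >= min_hosts:
            bursts.append((start, events[j - 1][0], hosts))
            i = j  # resume after the burst just reported
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, hosts in find_bursts(SAMPLE_EVENTS):
        print(f"{start} .. {end}: PsExec service installed on "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

PsExec's service name can be changed by whoever runs it, so a match on the default name is one signal to correlate with others, not a complete detection.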