A month after the WannaCry ransomware attack paralyzed connected systems worldwide, a new ransomware, ‘Petya’, is spreading rapidly around the globe.
Like WannaCry, ‘Petya’ ransomware takes over computers and demands $300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across an organization, either by exploiting the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and, if it doesn’t work, tries the next one. “It has a better mechanism for spreading itself than WannaCry”.
Petya uses three mechanisms to spread to additional hosts.
Petya scans the local network to discover and enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.
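The three spreading mechanisms above each leave a recognisable trace in Windows event logs: access to an ADMIN$ share (event 5140) followed by installation of the PSEXESVC service (event 7045) for the PsExec route, and a process-creation event (4688) whose command line is a remote WMIC call for the WMIC route. The following is an added detection example written for this page, not code from the original article; it runs three rules over a constructed, simplified log (a "timestamp|host|event_id|detail" layout, not real EVTX output) and reports which hosts show the ADMIN$-then-PsExec chain.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified "timestamp|host|event_id|detail"
# layout (not real EVTX output). Windows event IDs used: 5140 = network share
# object accessed, 7045 = service installed, 4688 = process created.
SAMPLE_LOG = """\
2017-06-27T10:01:02|WS-01|5140|share=\\\\*\\ADMIN$ src=10.0.0.5 user=CORP\\alice
2017-06-27T10:01:03|WS-01|7045|service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:01:09|WS-02|4688|cmd="wmic /node:10.0.0.7 process call create rundll32.exe" user=CORP\\alice
2017-06-27T10:02:00|WS-03|5140|share=\\\\*\\Public src=10.0.0.9 user=CORP\\bob
2017-06-27T10:02:30|WS-04|4688|cmd="notepad.exe" user=CORP\\carol
"""

# Each rule: (name, event id it applies to, compiled pattern over the detail field)
RULES = [
    ("admin_share_access", "5140", re.compile(r"\\ADMIN\$(\s|$)")),
    ("psexec_service_install", "7045", re.compile(r"service=PSEXESVC\b", re.I)),
    ("remote_wmic_exec", "4688",
     re.compile(r"\bwmic\b.*/node:\S+.*process\s+call\s+create", re.I)),
]


def parse_records(text):
    """Split the pipe-delimited log into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, event_id, detail = parts
        records.append({"ts": ts, "host": host, "event_id": event_id, "detail": detail})
    return records


def detect(records):
    """Return one (host, rule_name, record) finding per matching rule."""
    findings = []
    for rec in records:
        for name, event_id, pattern in RULES:
            if rec["event_id"] == event_id and pattern.search(rec["detail"]):
                findings.append((rec["host"], name, rec))
    return findings


def summarize(findings):
    """Group rule names by host, in first-seen order, for a quick triage view."""
    by_host = defaultdict(list)
    for host, name, _ in findings:
        if name not in by_host[host]:
            by_host[host].append(name)
    return dict(by_host)


def lateral_movement_hosts(findings):
    """Hosts showing the ADMIN$-then-PsExec chain, i.e. the combination that
    mirrors the first spreading mechanism described above."""
    summary = summarize(findings)
    return sorted(h for h, names in summary.items()
                  if "admin_share_access" in names and "psexec_service_install" in names)


if __name__ == "__main__":
    found = detect(parse_records(SAMPLE_LOG))
    for host, name, rec in found:
        print(f"{rec['ts']} {host}: {name} <- {rec['detail']}")
    print("ADMIN$ + PsExec chain on:", lateral_movement_hosts(found))
```

On the constructed sample, WS-01 triggers both the share-access and service-install rules, WS-02 triggers the remote WMIC rule, and WS-03's access to a non-administrative share is correctly ignored. In a real deployment the same rules would be fed from forwarded event logs, and a legitimate administrator's PsExec use would need to be whitelisted by source host and account.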
How To Avoid WannaCry Ransomware
The general public is advised not to panic, as was demonstrated during the WannaCry attacks in May 2017. Windows systems should be patched for this vulnerability by competent personnel. Organisations should take the necessary precautions, because the spread of Petya using this vulnerability indicates that many organizations may still be vulnerable despite the attention WannaCry received.
Importantly, please note and observe the following:
- Do not click on any suspicious or unknown links.
- Protect yourself when using public Wi-Fi.
- Do not visit unsafe and unreliable sites.
- Avoid clicking on links that lead to websites such as Facebook, Instagram, WhatsApp etc. Instead, it is much safer to visit the site directly through its URL.
- If you receive a message or email with an attachment, try to verify authenticity of the sender before opening.
- Do not open attachments from suspicious senders.
- Store all your documents in ‘my document folder’.
- Keep your files backed up regularly.