As a security professional, which do you fear more: 1) explaining to your boss or CEO that your enterprise’s files are no longer accessible because they’ve been encrypted or 2) bungee jumping? I bet you and most of your security peers would choose the former.
Imagine it’s a bright sunny day, and one of your employees opens their mailbox to find an email about your enterprise’s revised HR policies. It seems like a legitimate email from a supposedly trusted source. The employee downloads the attached Word document and opens it. After a few minutes, their computer shuts down abruptly. When they restart it, a message comes up saying that their computer has been locked and all their files are encrypted.
That’s ransomware at work. And one of the latest ransomware attacks working its way around enterprise networks is Petya!
Petya – A sneak peek
Petya hit Windows-based enterprises across the UK, US, Ukraine, Singapore, and other parts of Europe last week. First reported on June 27th with an attack on a Ukrainian Bank, Petya seems to be a well-crafted ransomware attack that is not making the same mistakes as its predecessor, WannaCry.
Spreading largely through lateral movement inside enterprise networks, Petya seems to be a more targeted attack than WannaCry. So far, Petya has affected fewer computers and spread more slowly than WannaCry. However, Petya is much stronger than WannaCry, locking down all files and folders instead of only encrypting specific ones.
Petya’s mechanism for encrypting files is unique. While the complete picture of its working mechanism is still unknown, here are some tidbits:
- Petya is Master Boot Record (MBR) ransomware that affects the driver wherein the system’s boot files are stored.
- As soon as it enters a specific computer through a phishing email, Petya tries to get hold of the administrator password. With admin privileges, the “virus“ part of the program searches for the Master File Table (MFT), a database which has the location and information about every file and folder stored on the New Technology File System (NTFS).
- Meanwhile, the worm part of Petya moves laterally in the network by stealing the domain administrator credentials. If it can’t get hold of the admin credentials, it tries to spread through the shared network.
- The virus then creates a perfc.dll or perfc.dat file in the C:/Windows directory, and that file has instructions on what to do next. Specifically, it initiates a scheduled task, clears all traces of the attack by deleting the log entries, and finally shuts down the system.
- As the system reboots, the check disk scan is initiated which then kick–starts the encryption process before the antivirus and anti-malware software is started.
- The result? All the files and folders stored in the computer are encrypted.
The 4 best practices to guard your network from ransomware
Until the working of Petya is unveiled completely, it’s difficult to devise a defensive strategy. But don’t let that set you back. There are certain measures enterprises can adopt to prevent and handle any kind of ransomware attack.
1. Stay updated – Patch all your system vulnerabilities.
2. Don’t fall for phishing emails – Have a strong filtering tool in place.
3. Build a safety net – Store your passwords securely and back up files and folders regularly.
4. Tune your security solutions – Find correlations between security data gathered from across your network to gain better visibility and instantly detect any ransomware-related anomalies.
We’ve also come up with a guide that describes these best practices in greater detail. Check it out.
