Thursday, 29 June 2017

Petya ransomware is affecting users globally

Petya Ransomware that is affecting users globally. This clearly looks like early signs of a new ransomware attack that is spreading fast across the globe. Currently, we have seen multiple reports of this ransomware attack from several countries
Our Analysis Shows
Petya delivery mechanism is by scam emails or phishing emails. Once the email attachment is executed on the computer it shows the prompt of User Access Control. However, after executing the program it encrypts the Master Boot Record (MBR) and replaces it with a custom boot loader with a code to encrypt the full disk starting with MFT (Master File Tree) and leaves a ransom note to users. Upon successfully encrypting the whole disk of the computer it shows below ransom promp.

ransomware infection where an exploit called EternalBlue targets the security vulnerability MS17-010. This is the same vulnerability which WannaCry Ransomware has been exploiting to spread. 
Preventive steps and recommendations
  1. Avoid clicking on links in email received from unknown sender
  2. Apply all Microsoft Windows patches including MS17-010 that patches the Eternal Blue Vulnerability
  3. Ensure you take a backup of your data to some external disk regularly.
  4. Avoid login to computer with Administrative privileges. Work with user account that has standard user privileges and not administrative privileges..
  5. Avoid login to computer with Administrative privileges. Work with user account that has standard user privileges and not administrative privileges.

    6.  If a threat is executed in my computer, can I still prevent my data?
    If by mistake someone executes the threat on an unprotected computer by clicking on the link in the email and downloading the attachment, and if you see a BSOD (blue screen) that restarts your computer, you can still save your data by not restarting the computer. Just keep it switched off.
    When you see the BSOD screen and the system re-starts only the MBR is replaced and your data on the disk is still intact and it can be accessed by mounting the hard disk on some other clean system. Make sure you do not boot the infected computer hard disk at that stage. Once mounted the data can be accessed and copied.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)