The Petya Ransomware Outbreak: What You Need to Know
Early on June 27, 2017, public systems in Eastern Europe began showing signs of the Petya ransomware outbreak. This quickly spread throughout mainland Europe, affecting global law firm DLA Piper and logistics company Maersk. There have been reports of outbreaks in the U.S., but none have been confirmed at this point.
What is the Petya Ransomware Outbreak?
This ransomware uses fake résumés in phishing e-mails to convince targets to open and run a malicious installer. Like WannaCry, it can spread internally using the ETERNALBLUE exploits. It also uses other means to move around networks (such as WMI and PsExec) that are unique to Petya. This is a good example of how attackers are getting better and better at spreading ransomware.
Like all ransomware, the goal of Petya is to extort money from victims.
What’s unique about this outbreak and WannaCry is how quickly and effectively the ransomware spreads once it’s inside a network. By using the ETERNALBLUE exploits and built-in Windows tools, it spreads rapidly, making it impossible to clean up quickly. This serves the attackers’ end goal of extortion: the more widely the ransomware spreads, the more likely a victim is to pay.
At this point, we haven’t seen any impact in the U.S. and we don’t think there will be. There may be some isolated incidents, but it’s not going to affect entire sectors or more than a few consumers.
Why? At this point, we believe they aren’t targeting this market. We may never know for sure, because people tend not to report the ransomware and the phishes that target them.
What Authorities Are Doing About Petya
Authorities, working with the email provider of the attackers, have blocked the account used in the attacks. This means that, for companies or people who are targeted, paying the ransom is a waste of money. The attackers will not even be able to help you get your files back. This is the first time we’ve seen any type of action like this. Normally attackers would require their victims to go to an untraceable site on the Dark Web for support and Bitcoin to pay the bill. In this case, they only used an email account to collect payment and talk to their victims.
Attackers have been developing innovative ways to collect money from people, but it looks like this experiment was a failure. They had very little success from a monetary standpoint, and were stopped fairly quickly. However, you should expect attackers to continue to come up with better ways to steal while avoiding the authorities. So it makes sense to use this as a test case to learn how to protect yourself.
What You Should Do About Petya
Our goal is to make ransomware a non-event for your organization. With some basic security hygiene and some wise technology choices, we think we can get there.
As we recommended with Wannacry, ensuring that your devices’ software is updated is priority number one. Work to find every device that needs patching and patch it as quickly as possible. Petya will find vulnerable systems if you don’t.
We’ve also started recommending the use of cloud-based email and document editing services such as Google Drive and Office 365 in order to defeat ransomware. Be cautious about using any sync tools or mounting these services as network drives, because then ransomware will be able to find your files and encrypt them just as it would if they were stored locally.
Beyond these basic precautions, be very cautious about which emails you open. In this case, attachments that look like fake résumés are the culprit. Until this blows over, don’t open any attachments unless you were expecting them from the sender. Generally speaking, it’s a good idea to approach any email communication with a healthy dose of skepticism.
Our analysis team has also added the domains where the attackers are hosting their ransomware to our blackhole. So, even if your users click on the phish, we’ll stop it, identify the user, and provide them with targeted phishing education. If you’re using Strongarm, there’s no reason to worry about Petya. Phew.
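To make the blackhole idea concrete, here is an added example (not Strongarm’s code, and not the domains from this outbreak) of the two decisions a DNS blackhole has to make for every query: whether the name falls under a blocked domain, and which internal client made the request so that user can be identified and educated. The blocklist entries, the dnsmasq-style log lines and the 0.0.0.0 sink address are all constructed for illustration.

```python
"""DNS blackhole decision logic over resolver query logs (added example).

Assumptions: a dnsmasq-like log shape "query[TYPE] name from client", a
blocklist of placeholder domains (not real indicators), and 0.0.0.0 as the
sink address returned for blocked names.
"""
import re
from collections import defaultdict

# Constructed blocklist: placeholder names standing in for attacker domains.
BLOCKLIST = {
    "malicious-example.invalid",
    "payload-host.example",
}

# Constructed resolver log lines; 10.0.0.x are internal clients.
SAMPLE_LOG = """\
Jun 27 09:12:01 resolver dnsmasq[1234]: query[A] www.example.com from 10.0.0.15
Jun 27 09:12:03 resolver dnsmasq[1234]: query[A] payload-host.example from 10.0.0.15
Jun 27 09:12:04 resolver dnsmasq[1234]: query[A] cdn.payload-host.example from 10.0.0.42
Jun 27 09:12:09 resolver dnsmasq[1234]: query[AAAA] mail.example.org from 10.0.0.42
Jun 27 09:12:11 resolver dnsmasq[1234]: query[A] MALICIOUS-EXAMPLE.INVALID. from 10.0.0.7
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist.

    Matching is done label by label, so "cdn.payload-host.example" is caught
    while "notpayload-host.example" is not (no substring matching).
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_query(line):
    """Extract (qtype, normalized name, client) from one log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("qtype"), normalize(m.group("name")), m.group("client")


def sinkhole(log_text, blocklist=BLOCKLIST, sink_ip="0.0.0.0"):
    """Replay query logs through the blackhole.

    Returns (decisions, offenders): decisions is a list of
    (name, client, answer) where answer is sink_ip for blocked names and
    None for names that would resolve normally; offenders maps each client
    to the set of blocked names it asked for, which is what identifies the
    user who clicked the phish.
    """
    decisions = []
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        _qtype, name, client = parsed
        if is_blocked(name, blocklist):
            decisions.append((name, client, sink_ip))
            offenders[client].add(name)
        else:
            decisions.append((name, client, None))
    return decisions, dict(offenders)


if __name__ == "__main__":
    _, hits = sinkhole(SAMPLE_LOG)
    for client, names in sorted(hits.items()):
        print(f"{client} queried blocked domain(s): {', '.join(sorted(names))}")
```

The parent-domain walk in is_blocked is the part worth copying: a blocklist entry for a domain should also sink every subdomain of it, but a plain substring test would also sink unrelated names that merely contain the string, so the check is done on whole labels.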
If any other major developments take place, we’ll keep you updated.