Less than two months ago, WannaCry made the headlines as the most destructive malware in history. This time the world faces a new virus which uses the functionality of the Petya ransomware: Petrwrap. It has already hit many companies and institutions in different countries, including Merck, Rosneft, Maersk and Mondelez, causing severe operational disruptions.
How Petrwrap infects computers
The new version of Petya initially arrives in an email. Once it infects a computer, it automatically tries to infect other computers in the same network. This is possible if those computers are vulnerable to the EternalBlue exploit, the same vulnerability used by WannaCry to spread automatically.
Apart from exploiting the SMB vulnerability, this malware also attempts to use the security context of the currently logged-in user (it tries to reuse their credentials) to spread to other accessible machines in the network, even if they are fully patched.
Once the virus starts to execute, it encrypts files of several types found on the machine. Unlike other ransomware, Petrwrap overwrites the content of the original file with encrypted data, without changing the file extension. Also, it doesn’t encrypt image files.
It also attempts to change the Master Boot Record of the system disk and creates a scheduled task that reboots the computer.
After reboot, it launches itself before the operating system. When it has full control of the machine, it will check the whole system (again) and encrypt the files.
Finally, it shows the ransom note. Victims are asked to pay $300 to be able to recover their files.
Once the computer is infected, there is apparently no way to decrypt the files, and the system will no longer boot into Windows.
The email address associated with the ransom payment is now disabled, so users must not pay the ransom: they will not recover their files even if they pay.
The only way to make the machine operational again is to reinstall the operating system and restore the files from a backup image.
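Because Petrwrap overwrites files in place and keeps their extensions (as described above), an encrypted document cannot be spotted by its name alone. The following Python script is added here as an illustration (it is not TEMASOFT's or Ranstop's code): it flags files whose contents no longer match what their extension implies, by checking the expected leading bytes and the entropy of the data. The file types, the entropy threshold and the sample files are assumptions made for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes ("magic") for a few common document types (assumed set).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def inspect_file(path: str, entropy_threshold: float = 7.5) -> dict:
    """Flag a file whose header does not match its extension AND whose data looks random.
    Both conditions are required so a compressed .docx (random-looking but with a valid
    PK header) or a renamed text file (wrong header but low entropy) is not reported."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    expected = MAGIC.get(ext)
    header_ok = expected is None or head.startswith(expected)
    ent = shannon_entropy(head)
    suspicious = expected is not None and not header_ok and ent >= entropy_threshold
    return {"path": path, "header_ok": header_ok, "entropy": round(ent, 2), "suspicious": suspicious}

def scan_directory(root: str, entropy_threshold: float = 7.5) -> list:
    """Walk a tree and return the records of files that look encrypted in place."""
    return [r for dirpath, _, files in os.walk(root)
            for name in files
            if (r := inspect_file(os.path.join(dirpath, name), entropy_threshold))["suspicious"]]

def demo() -> list:
    # Constructed sample data: one genuine-looking PDF and one "PDF" whose contents
    # were replaced by random bytes while keeping its original name.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "invoice.pdf"), "wb") as f:
            f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
        with open(os.path.join(tmp, "contract.pdf"), "wb") as f:
            f.write(os.urandom(4096))
        return scan_directory(tmp)

if __name__ == "__main__":
    for hit in demo():
        print("possible in-place encryption:", hit)
```

Checks like this complement, rather than replace, behavioral detection, since a file is only flagged after it has already been overwritten.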
How to protect computers from ransomware like Petya
Petya is an advanced ransomware, and the best option for protecting against it is to use professional anti-ransomware products that offer MBR protection.
Keeping the operating system up to date is also a must. Users and administrators must turn on Windows auto-update or apply the latest patches through specialized applications.
Apart from patching and using dedicated anti-ransomware products, users must pay special attention to emails containing links or suspicious attachments. Examples of such attachments are documents referring to bills, reservations, deliveries and so on. Unless the sender is well known, it is better to avoid opening documents attached to emails. If an email seems legitimate and the user opens the attached documents, it is important not to enable document macros or other similar features.
The last resort that can save users when facing a ransomware attack is a functional and secure backup system.
How we can help
First of all, we highly recommend applying the Microsoft patch which eliminates the SMB vulnerability mentioned earlier; download it only from Microsoft's official location.
Secondly, as a permanent solution, we can help keep ransomware at bay through TEMASOFT Ranstop, our dedicated anti-ransomware software which protects computers from common and zero-day ransomware. Ranstop offers MBR protection, which is particularly effective against ransomware like Petya. It also uses a combination of a behavioral detection engine and real-time backup, which secures files against malware threats.
In particular, we tested TEMASOFT Ranstop against Petya: it caught the malware in a few seconds, and no user document was lost.
A free trial of Ranstop is available at https://temasoft.com/ranstop-anti-ransomware/#download.
We hope this information helps you understand the nature of the attack and what you can do to avoid it. If you have questions or need more details, do not hesitate to contact us.
Last, but not least, stay up to date with the latest developments by following us on social media and subscribing to our newsletter.