It’s no secret that ransomware is continuing to grow, and it is an even bigger problem in 2017. Even though the number of malicious executable files we observed in 2016 dropped, the trends are clear: polymorphism has become the norm, phishing life cycles keep getting shorter, and the number of malicious Android apps is skyrocketing.
It has never been more important to back up all the data you would be afraid to lose. If you use your computer for business or school, it is essential that this information is backed up: not only do hard drives fail all the time, but many of these new malware programs encrypt all the data on your system and make it unretrievable unless a ransom is paid. Even when the ransom is paid there is no guarantee that the data will be unlocked, and it frequently stays locked for good.
We have received several reports of a new and ongoing ransomware attack called Petya. Petya appears similar to the WannaCry ransomware that made headlines last month in that it uses the EternalBlue exploit to propagate itself. In addition to encrypting files, Petya also overwrites the master boot record (MBR) so the computer can no longer start Windows. Petya ransomware attacks reportedly began in various countries across Europe before quickly spreading to Canada.
The Technical Stuff
This attack spreads using the same SMBv1 vulnerability as WannaCry. If you have already installed the MS17-010 update for WannaCry, the EternalBlue path into your machine is closed. That is not the whole story, however: the Petya outbreak also spreads inside a network by stealing administrator credentials from an infected machine and using standard Windows remote-administration tools (PsExec and WMI) to reach other computers. A fully patched PC can therefore still be hit from an infected neighbour if it shares a local administrator password with it, which is why the least-privilege and strong-password points further down matter as much as the patch.
Petya is ransomware that encrypts the Master File Table (MFT) of NTFS partitions, the index NTFS uses to locate every file on the disk, and overwrites the MBR with a custom bootloader that displays the ransom note instead of starting Windows. Even files it never touched directly are unreachable once the MFT is encrypted. Victims are asked to pay $300 in Bitcoin to recover their files.
These attacks were made possible after a hacker group called the Shadow Brokers publicly released a collection of hacking tools and exploits stolen from the NSA (National Security Agency) in April of this year. Among these NSA tools were the EternalBlue exploit and the DoublePulsar backdoor, which take advantage of a vulnerability in SMBv1, the original version of the Windows file-sharing protocol. Security researchers have since reported multiple variants of WannaCry circulating in the wild, including some with different kill-switch domains and some with no kill switch at all. Be clear about what a kill switch does and does not do: when the malware finds its kill-switch domain registered it stops before encrypting anything, so a variant without one cannot be halted that way, but no kill switch ever recovers files that have already been encrypted. A backup is the only way to get that data back.
What We’ve Done
My Tech Guys run the update on every computer we get our hands on and have backup programs available now. Buy a 1TB hard drive and we are throwing in the set-up of your first backup for only $149.99.
What Do You Need To Do?
First, make sure Windows is up to date. This most recent exploit is stopped by installing the MS17-010 security update on every Windows system that does not already have it, as soon as possible. Patching is a constant tug of war between operating-system vendors and attackers, so the only protection you can fully rely on is a backup of your data. If you already have a backup, double-check that it is still running, that it covers the folders you actually need, and that at least one copy is kept disconnected from the computer: a backup drive that stays plugged in will be encrypted right along with everything else.
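As a practical check for the patching advice above, here is an added PowerShell script (it is not from the original post or from My Tech Guys) that reports whether an MS17-010 package is installed and whether the SMBv1 server that EternalBlue targets is still enabled. The KB numbers are the March 2017 MS17-010 packages; everything else, including the assumption that a later cumulative update may supersede those KBs, is noted in the comments. Run it from an elevated PowerShell prompt on the machine you want to check:

```powershell
# Added example (not from the original post): a read-only MS17-010 / SMBv1 check for
# the machine it runs on. Windows 7 / Server 2008 R2 or later, elevated prompt.
#
# The KB numbers are the March 2017 MS17-010 packages. On Windows 10, and on any
# system that takes monthly rollups, a later cumulative update supersedes them, so a
# missing KB there is a prompt to verify Windows Update, not proof of exposure.
# The SMBv1 check is the more reliable signal: with SMBv1 off, EternalBlue has
# nothing to talk to.

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012598',                            # Windows XP / Vista / 8 / Server 2003 / 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

# 1. Patch state, by KB number.
$installed = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID })
if ($installed.Count -gt 0) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package found by KB number. On Windows 10 confirm the latest cumulative update is installed.'
}

# 2. SMBv1 server state.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later expose it directly.
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the LanmanServer 'SMB1' value. Absent means enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $val) -or ($val -ne 0)
}

if ($smb1On) {
    Write-Warning 'SMBv1 server is ENABLED. Unless something on this network still needs it, turn it off:'
    Write-Host   '  Windows 8+ : Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Host   '  Windows 7  : Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0 ; then reboot'
} else {
    Write-Host 'SMBv1 server is disabled.'
}
```

Run it on each machine, or push it through whatever remote-management tool you already use. Disabling SMBv1 is safe on any modern network; the one thing to check first is whether an old printer, NAS or scanner still depends on it, because those devices will lose access to shares when SMBv1 goes away.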
My Tech Guys recommends the following steps to help protect your tech environment:
- Maintain a strong backup strategy
- Always keep systems and application software up-to-date through patching
- Deploy and maintain an up-to-date antivirus program
- Replace outdated computer operating systems with supported versions
- Maintain strong access controls based on the principle of least privilege
- Utilize and enforce strong passwords
- Restrict physical access to network appliances to trusted administrators
- Collect and monitor logs from the systems and applications that have access to data
- Educate users through a robust security awareness program
- Establish and maintain a breach response plan
- Use proactive, defense-in-depth approaches to security
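To make the backup check described above concrete, here is an added PowerShell script (not from the original post or from My Tech Guys) that verifies a mirror-style backup: it confirms each folder you care about exists in the backup, that the backup has been written to recently, and that a random sample of files hash-matches their backup copies. The folder paths, the mirrored layout (each source folder appears by name under the backup root) and the $MaxAgeDays and $SampleSize values are assumptions; adjust them to your own setup and run it with the backup drive connected:

```powershell
# Added example (not from the original post): verify that a mirror-style backup is
# current and intact. Assumed layout: each source folder is copied by name under
# $BackupRoot, e.g. C:\Users\jane\Documents -> E:\Backup\Documents.
param(
    [string[]] $SourceRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures"),
    [string]   $BackupRoot  = 'E:\Backup',   # assumed backup drive
    [int]      $MaxAgeDays  = 2,             # how old the newest backed-up file may be
    [int]      $SampleSize  = 20             # files hashed per folder
)

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$problems = 0

if (-not (Test-Path $BackupRoot)) {
    Write-Warning "Backup root $BackupRoot not found. Is the backup drive connected?"
    exit 1
}

foreach ($src in $SourceRoots) {
    if (-not (Test-Path $src)) { Write-Warning "Source folder not found: $src"; $problems++; continue }
    $srcFull = (Resolve-Path $src).Path.TrimEnd('\')
    $dest    = Join-Path $BackupRoot (Split-Path $srcFull -Leaf)

    # Coverage: is this folder in the backup at all?
    if (-not (Test-Path $dest)) {
        Write-Warning "$srcFull is NOT in the backup (expected $dest)"
        $problems++
        continue
    }

    # Freshness: the newest file under the backup copy shows when the job last wrote anything.
    $newest = Get-ChildItem -Path $dest -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest -or $newest.LastWriteTime -lt $cutoff) {
        Write-Warning "$dest looks stale: newest backed-up file is from $($newest.LastWriteTime)"
        $problems++
    }

    # Integrity: hash a random sample of source files against their backup copies.
    $files = @(Get-ChildItem -Path $srcFull -Recurse -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { continue }
    $sample = $files | Get-Random -Count ([Math]::Min($SampleSize, $files.Count))
    foreach ($f in $sample) {
        $rel  = $f.FullName.Substring($srcFull.Length).TrimStart('\')
        $copy = Join-Path $dest $rel
        if (-not (Test-Path $copy)) {
            Write-Warning "Missing from backup: $rel"
            $problems++
            continue
        }
        if ((Get-FileHash $f.FullName).Hash -ne (Get-FileHash $copy).Hash) {
            Write-Warning "Differs from backup (changed since last run, or backup damaged): $rel"
            $problems++
        }
    }
}

if ($problems -eq 0) {
    Write-Host "Backup check passed for $($SourceRoots.Count) folder(s)."
} else {
    Write-Warning "$problems problem(s) found. Fix them before you need this backup."
}
exit $problems
```

A file reported as differing may simply have been edited since the last backup ran, so re-run the check after the next backup before assuming the copy is damaged. Once the check passes, disconnect the drive: a backup that stays attached is just another volume for ransomware to encrypt.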