Petya: what is it and how can you protect your company?

Unless you are living under a rock, perhaps even if you ARE living under a rock, you have by now heard of the “Petya” cyberattack that has hit 65 countries as of this morning. There is a LOT of varying information coming from many sources and all of it can leave one feeling dizzy. So, let’s get to the important questions: What is Petya and how can you protect your business from this attack and others like it?

What Is Petya?

The current Petya ransomware is a more sophisticated version of a Petya virus that surfaced last spring. Because this is a new version of the original Petya virus, it is also being called NotPETYA, GOLDENEYE and/or PETR. While many are comparing Petya to the WannaCry virus that struck last month, it is important to note that thus far Petya seems to be spreading at a slower rate. However, many have noted that Petya attacks newer systems (unlike WannaCry) and so far shows no sign of a “kill-switch”. Petya can worm through computer networks, gathering passwords and credentials as it spreads. Here is what happens on the infected user’s end: after a self-imposed delay of at least 10 minutes, the malware reboots the machine in order to encrypt files. Users then see a phony black-and-white "CHKDSK" message on their screen claiming that an error has occurred and that the system is checking the integrity of the disk. Experts say this is the last chance for users to power down their computers and protect their files before they are encrypted and held for ransom.

Victims of Petya include airports and ATMs in Ukraine, the massive shipping company Maersk, the Merck drug company, hospitals in the U.S. and even a major law firm with offices in London and the U.S. The ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. The account had been receiving payments (around $10,000) until a German email company blocked the email address the hackers were using to collect ransom payments. This has caused some controversy, as victims whose files are held hostage can no longer reach the attackers’ point of contact to retrieve their data.

Petya’s initial attack vector appears to have been the accounting software M.E.Doc, made by a Ukrainian company. A malicious software update was pushed to clients, which executed it automatically. The attack initially targeted organizations that were using M.E.Doc, but the worm also spread to other (connected) organizations that had no relation to M.E.Doc.

How Can You Protect Your Business?

Feeling a little dizzy yet? Good! Not that we want to cause you complete panic, but incidents like this are a good motivator to get your company’s plan of action in place. We like to compare this to the “check engine” light in your car. There are drivers who never see that light come on, let alone end up broken down on the side of the road, because they take the time to do regular checkups and responsible maintenance. It is important to get together with your internal team and ask the following questions:

  • Does your firm/company participate in security awareness training?
  • Are all your workstations and servers patched and updated?
  • Do you have a business continuity solution like DATTO, where you can restore files and servers in minutes rather than hours or days should another attack happen?
  • Have you contacted Hilltop to review your IT infrastructure, business continuity, and recovery time objectives?

What Hilltop can offer to our clients:

  • Perform a network scan to identify systems on which the TCP ports 139 and 445 are open. Close ports if open and not in use.
  • Perform a vulnerability scan to identify machines which are missing the MS17-010 (and the KB2871997) patch. The patch may not prevent the initial infection, but it will stop the malware from spreading within the network.
  • Perform an audit of administrative credentials to identify if there are passwords shared between multiple machines. If this is the case, the systems which can be accessed using these administrative credentials are vulnerable to one of the spreading and infection methods used by the malware.
    • The most important accounts to focus on during this audit are accounts with elevated privileges such as local Administrator accounts and domain accounts with local administrator privileges.
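The host-level side of the three checks above (SMB ports, the MS17-010 and KB2871997 patches, and the state of the local Administrator account) can be gathered from a single Windows machine with the script below. It is an added example, not Hilltop’s tooling or a replacement for a network or vulnerability scan; it assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (for the Smb*, Net* and Get-LocalUser cmdlets), and the KB list is taken from the MS17-010 bulletin, not from this page.

```powershell
# Added example (not Hilltop's code): per-host checks for the audit items listed above.
# Assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or newer.
$report = [ordered]@{}

# 1. Are the SMB/NetBIOS ports (139, 445) listening on this host?
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
          Where-Object { $_.LocalPort -in 139, 445 }
$report['SmbPortsListening'] = ($listen.LocalPort | Sort-Object -Unique) -join ','

# 2. Is SMBv1 (the protocol the EternalBlue/EternalRomance exploits abuse) still enabled?
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$report['SMB1Enabled'] = if ($smb) { $smb.EnableSMB1Protocol } else { 'unknown' }

# 3. MS17-010: look for the March 2017 security updates by KB number (list from the bulletin).
#    Later cumulative updates supersede these KBs, so "not found" means "verify the build
#    level with your vulnerability scanner", not "definitely exposed".
$ms17010 = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012598', 'KB4013429'
$found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $ms17010 }
$report['MS17010Installed'] = if ($found) { $found.HotFixID -join ',' } else { 'not found (verify build level)' }

# 4. KB2871997 / WDigest: with UseLogonCredential = 0, LSASS stops caching clear-text logon
#    passwords, which removes one of the credentials the malware harvests for lateral spread.
$wdPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wd = Get-ItemProperty -Path $wdPath -Name UseLogonCredential -ErrorAction SilentlyContinue
$report['WDigestClearText'] = if ($null -eq $wd) { 'not set (OS default)' }
                              elseif ($wd.UseLogonCredential -eq 0) { 'disabled' }
                              else { 'ENABLED' }

# 5. Built-in local Administrator (RID 500): whether it is enabled at all. Whether its
#    password is shared with other machines is the cross-host part of the audit above.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$report['BuiltinAdminEnabled'] = if ($admin) { $admin.Enabled } else { 'unknown' }

[pscustomobject]$report | Format-List
```

Run it on each workstation and server (for example through a remoting session) and compare the results; a host that reports SMB1Enabled = True, no MS17-010 KB, WDigest ENABLED and an enabled built-in Administrator is exposed to every spreading method described on this page.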

Contact us to learn more about this matter and how Hilltop can help protect your business against attacks like Petya.

Note: Fully patched machines can also be infected via the network, a disturbing proposition. The Microsoft patch MS17-010 protects Windows systems against direct infection by the EternalBlue and EternalRomance NSA exploits. However, the Petya malware can extract local Administrator and domain credentials from the systems that are initially infected, and it can use these administrative credentials in combination with legitimate Microsoft tools and protocols (PsExec and WMI) to infect fully patched Windows systems.