Spanning back to the early 1990s and making a brief reappearance in early 2016, a variant of Petya (also called Petrwrap) Ransomware has resurfaced once again, this time referred to as Petya A or NonPetya.
The recent attack hit companies, public health care and government organisations as well as airports from the US, Russia, Ukraine, Germany, France, Italy Poland and the UK. This new and more robust version was inspired by the recent WannaCry attack in May. Much like the WannaCry ransomware attack, this new strain of virus also requires the victim to pay a digital ransom through Bitcoin in order to regain control of their data.
However, with this particular ransomware criminals do not encrypt all files on your computer, but rather attack a part of the operating system called the Master File Table (MFT), which then overwrites the MBR (Master Boot Record).
Impact of Petya
The MFT is critical for the system to know where to find files on the computer. It holds the same effect as if each file had been locked separately. Why is this significant? It is a lot faster to attack the MFT than to encrypt each file separately, which can make this a seamless and fast-moving attack.
According to researchers at the computer security company, Symantec, the new attack is using the same hacking tool (Eternal Blue) that was initially created by the National Security Agency (NSA) to combat the WannaCry Ransomware. The tool was leaked last April by a group known as the Shadow Brokers.
According to a researcher at Armor, the Petya attacks are projected to be much more damaging than WannaCry, with thousands of dollars of ransoms already reported to have been paid to the hackers. So far there is no obvious killswitch with this virus, which has proven to be difficult in mitigating the effects. As this version of Petya carries significantly upgraded features, it is expected to infect the latest and even patched Windows PCs, including version 10, whereas WannaCry focused primarily on older systems.
If infected by Ransomware…
Even with the best precautions and policies in place, it is possible to fall victim to an attack. In the event that your data is held hostage by Ransomware, here is some advice to keep in mind:
- Remain calm. Rash decisions could cause further data loss. For example, if you discover a ransomware infection and suddenly cut power to a server, versus powering it down properly, you could lose data in addition to the infected data.
- Check your most-recent set of backups. If they are intact and up-to-date, the process of restoring data to a different system becomes easier.
- Never pay the ransom because attackers may not unlock your data. There are many cases of Ransomware victims paying the ransom demanded and not receiving their data in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to the data by reverse engineering the malware.
- Contact a specialist for advice and to explore recovery options. A reputable data recovery company can examine your scenario to see if we have a solution already in place or if we are able to develop one in time.
To date, data recovery engineers at Kroll Ontrack have identified over 225 variations of ransomware that infect user devices and there are more variations created every day, plus others that may not have been reported already.
Stay up to date
Like we mentioned in a previous post, it pays to ensure that all of your systems have all of the latest security updates installed so you are safeguarded against any exploits. There have been reports that security researchers have found a method of preventing a machine from being infected, but this doesn’t help stop the spread of the virus to other computers on a network, therefore updating all of your systems should be a priority in the interest of data security.
Have you or your business been affected by Petya, WannaCry or another form of ransomware? Get in touch with us by tweeting @KrollOntrackUK