Jaclyn McRae 28 June 2017 12:50:03 AEST 5 MIN READ

Petya ransomware outbreak: What we know

Another major ransomware outbreak is today affecting businesses around the world.

Cadbury’s Hobart plant and Australian staff of global law firm DLA Piper are reportedly among the businesses impacted by Petya.

Qantas customers have also been affected by a widespread IT outage, but the airline says that is an unrelated issue caused by its booking system.

Details are still being pieced together; with an estimated 22 million new malware variants identified in the first quarter of 2017, it can take time to achieve a consensus on emerging outbreaks.

Keep an eye on our blog for updates throughout the day.

Petya outbreak: What we know so far

  • MailGuard has not had any customer reports of infection via Petya or its variants. We’re confident we won’t see this malware variant affect customers via emails protected by MailGuard.
  • Petya ransomware locks computers and holds users’ files to ransom. The amount demanded appears to be $US300
  • Unlike WannaCry and other ransomwares, Petya doesn't encrypt files: it targets the whole disk
  • Some theories suggest the attack vector is a malicious attachment delivered via email. However, there has been no confirmed sighting of the original method of delivery.
  • Some unconfirmed reports claim the Petya ransomware originated in Ukraine via tainted accounting software.
  • There is also speculation that this is an entirely new form of ransomware - it's been dubbed #notpetya in some circles.
  • Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, said at midday the Government was working to confirm that two Australian businesses had been affected by the ransomware outbreak. “I urge all businesses to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300 CYBER1) for more information and to contact the ACSC if you have been infected," Tehan said.

Other observations

If opened, it appears to take advantage of a remote code execution vulnerability (CVE-2017-0199) in Microsoft Office and WordPad by executing a malicious download

  • Petya tries to run a CHKDSK command on disk. This is the first indication of a problem. It means the malware is attempting to encrypt the entire disk of the infected device.
  • If you are a Windows 10 user, the Applocker feature can be used to stop the execution of the file perfc.dat which is the script executor.
  • Last time Petya was seen was early 2016 and was used in partnership with its twin malware Mischa.

Here's what the ransom screen looks like:

Petya ransom image MailGuard.png

Important: if you see the CHKDSK running, immediately power off the machine to interrupt the process. You'll next need a recovery disk or LiveCD to attempt recovery of the machine.

Advice from Stay Smart Online

“Stay Smart Online is urging Australians to apply latest software updates to protect against a new global ransomware campaign which impacted a range of countries overnight.

“There are very simple steps you can take to reduce the risk of your personal and business records being impacted by Petya ransomware. The top two steps are:

  • Immediately install the latest Windows updates for applications, software and operating systems.  Note that updates are also available for Windows XP.
  • Confirm that backups are available and working – guidance on backups is available for businesses and individuals and households.”

What people are saying about Petya:

“It's like the NSA built a kind of digital Ebola, used it secretly for five years, and now it's out in the wild. #Petya” – Nicholas Thompson, Editor in Chief, Wired.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.” – Shipping Giant Maersk, which handles around 25 percent of all containers shipped from Asia to Europe route.

“Our advice is you don’t ever pay a criminal … There is no knowledge that they will actually unlock the system.” – Alastair MacGibbon, special adviser to the Prime Minister on cyber security.

What you should be doing to protect your business from malicious attacks including ransomware

  • Education is vital. Cybersecurity is a leadership responsibility; not an IT issue. Get up to speed in under an hour with our free cybersecurity survival guide
  • Back-up! Have a recovery system in place so a ransomware infection can’t destroy your data forever. Here's some great advice from Cyber Management Alliance's crowdsourced Petya intelligence forum: It’s best to follow the 3-2-1 backup method: three backups of your data, two that are onsite and one that is offsite. Options include one backup set stored in the cloud (remember to use a service that makes an automatic backup of your files), and one stored physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your backup copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure. Test that they work!
  • In the words of Alastair MacGibbon at our recent CxO cybersecurity lunch series, “Never let a good crisis go to waste.” You may have escaped unscathed this time, but is your company protected against the next big attack?
  • Stay up to speed with the latest threats targeting businesses. Sign up to the MailGuard blog for regular alerts.
  • Employ state-of-the-art, real-time email and web security. For just a few dollars per staff member per month you’ll significantly reduce the risk of new variants of malicious email from entering your network.
  • Talk to one of MailGuard’s cyber experts today for a discussion about the cyber-readiness of your business.

Keep Informed with Weekly Updates

 

^ Back to Top