A ransomware attack that has been referred to as Petya (though it is technically a different malicious attack and is being called NotPetya by security researchers) began spreading to computer systems around the world Tuesday, hitting government systems in Ukraine and corporate networks in Russia, Britain, Denmark and the United States, among others.
The attack makes use of the same exploit that led to the spread of the WannaCry ransomware earlier this year — an attack that resulted in the infection of hundreds of thousands of computer systems in more than 150 countries. Luckily, there are ways to protect against these types of attacks and reduce the chance of becoming a victim.
Petya — or NotPetya, as Kaspersky Lab has labeled the attack after discovering it is not the same strain of the Petya ransomware but rather an entirely new one that used Petya as its framework — makes use of the EternalBlue and EternalRomance exploits in Windows operating systems, both first discovered by the U.S. National Security Agency.
Those vulnerabilities were stolen from the NSA by a hacking group known as the Shadow Brokers, but the NSA disclosed the method of attack to Microsoft. Microsoft released a patch for the vulnerability in March for current operating systems and issued an emergency patch for the exploit on outdated machines in May as WannaCry began spreading.
“Keeping systems up to date, good cyberhygiene, would have worked” to prevent the spread of this attack, McAfee chief scientist Raj Samani told International Business Times.
Data provided to IBT by cybersecurity firm Avast showed there are at least 38 million PCs worldwide that have not yet patched their systems with the security update that would stop the spread of attacks like WannaCry and Petya. That figure comes from the company’s Wi-Fi Inspector service, and the number of computers that are at risk is likely higher, potentially significantly so.
It’s also worth noting the Petya attack requires local administrator access to deliver its malicious payload. Restricting administrative rights to only the users and machines that absolutely need them can help prevent the spread of such an attack. For individual or home users, setting up a standard user account for day-to-day use can help avoid an admin account being compromised.
Another method to prevent the spread of the Petya attack is to disable the ability of Windows to reboot automatically after a crash. Microsoft provides a guide for doing just that. While it may seem inconvenient, it can provide an opportunity to stop Petya before it can encrypt files.
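The two mitigations above, restricting local administrator rights and turning off the automatic restart after a crash, can both be audited and applied from PowerShell. The script below is an added example written for this page, not code from the article, Microsoft or any vendor named here; it assumes an elevated PowerShell 5.1 or later session on Windows 10 or Windows Server 2016 or newer (the `Get-LocalGroupMember` cmdlet is not available on older releases). Note that the CrashControl setting only governs the restart that follows a bug check, which is the crash the article describes; a restart requested through ordinary shutdown APIs is not affected by it.

```powershell
# Added example (not from the IBT article): audit local admin exposure and
# disable the automatic restart after a system crash on a Windows host.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.

#Requires -RunAsAdministrator

# 1. Who holds local administrator rights? The payload needs local admin,
#    so this group should be as small as possible.
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Is the current interactive session elevated? Day-to-day use should not be.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current session is elevated: $isAdmin"

# 3. Automatic restart after a crash (bug check). The same setting is exposed
#    through the CrashControl registry key and the Win32_OSRecoveryConfiguration
#    CIM class; read the registry value, change it via CIM, then re-read it.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$before = (Get-ItemProperty -Path $crashKey -Name AutoReboot).AutoReboot
Write-Host "AutoReboot before: $before   (1 = restart automatically, 0 = stay on the crash screen)"

Get-CimInstance -ClassName Win32_OSRecoveryConfiguration |
    Set-CimInstance -Property @{ AutoReboot = $false }

$after = (Get-ItemProperty -Path $crashKey -Name AutoReboot).AutoReboot
Write-Host "AutoReboot after:  $after"

# The change takes effect immediately for the next crash; no reboot is needed.
```

With `AutoReboot` set to 0, a machine that blue-screens stays on the crash screen instead of restarting into a tampered boot sector, which gives an operator the window the article describes for pulling the machine off the network and examining it before any further damage is done.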
Once executed, Petya overwrites a machine’s master boot record with a custom boot loader that begins the process of encrypting a system’s files on reboot. Once the master boot record is altered, the machine will crash and relaunch to begin the encryption.
Once that process is complete, the ransom note displays on screen and the rest of the machine becomes inaccessible — and some reports indicate that paying the ransom will not recover the files. Interrupting that process potentially can stop the damage from being done.
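Because the damage starts with the master boot record being overwritten, a defender can record a known-good hash of the boot sector and compare against it before allowing a machine to restart. The script below is an added example written for this page, not code from the article or from any vendor it names; it assumes an elevated PowerShell 5.1 or later session, that the boot disk is `\\.\PhysicalDrive0`, that the disk uses a classic MBR layout rather than a pure GPT/UEFI one, and that a baseline file under `%ProgramData%` is an acceptable place to store the reference hash (all of these are assumptions, not values from the page).

```powershell
# Added example (not from the IBT article): hash the first 512 bytes of the
# boot disk (the master boot record) and compare to a stored baseline, so an
# overwritten boot sector is noticed before the machine is allowed to reboot.
# Assumes an elevated PowerShell 5.1+ session and a classic MBR on PhysicalDrive0.

#Requires -RunAsAdministrator

# Where the reference hash is kept; the location is an assumption for this example.
$baselineFile = Join-Path $env:ProgramData 'mbr-baseline.sha256'

function Get-MbrBytes {
    # Raw read of the first sector of the boot disk. FileShare.ReadWrite is
    # required because the OS already holds the device open.
    $stream = [System.IO.FileStream]::new(
        '\\.\PhysicalDrive0',
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] 512
        $read = $stream.Read($buffer, 0, 512)
        if ($read -ne 512) { throw "Short read of boot sector: $read bytes" }
        return ,$buffer   # leading comma keeps the byte[] from being unrolled
    } finally {
        $stream.Dispose()
    }
}

function Get-Sha256Hex([byte[]]$bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        return ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha.Dispose()
    }
}

$mbr = Get-MbrBytes

# Sanity check: a valid MBR ends with the 0x55 0xAA boot signature.
$sigOk = ($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA)
Write-Host "Boot signature present: $sigOk"

$current = Get-Sha256Hex $mbr

if (-not (Test-Path $baselineFile)) {
    # First run on a machine believed to be clean: record the baseline.
    Set-Content -Path $baselineFile -Value $current -NoNewline
    Write-Host "Baseline recorded: $current"
} else {
    $baseline = (Get-Content -Path $baselineFile -Raw).Trim()
    if ($baseline -eq $current) {
        Write-Host "MBR unchanged ($current)"
    } else {
        Write-Warning "MBR DIFFERS from baseline"
        Write-Warning "  baseline: $baseline"
        Write-Warning "  current : $current"
        Write-Warning "Do not reboot; isolate the machine and examine the boot sector first."
    }
}
```

Run it once on a machine you trust to record the baseline, then on a schedule or from an endpoint-management tool; a changed hash on a disk whose boot loader has not been legitimately updated is the signal to keep the machine powered on and off the network rather than letting it restart into the encryption stage described above. Legitimate changes (a Windows feature update that rewrites the boot code, a disk replacement) will also trip the check, so the baseline needs refreshing after such maintenance.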
Finally, it is advised to always keep a backup of your files in case of such an attack. Whether it be Petya, WannaCry or another attack that compromises a machine or locks or deletes files, the best way to make sure you always have access to your most valuable information is to keep more than one copy of those files.