Security Advisory: Petya Ransomware

Threat Level: High

Threat Type: Ransomware

Advisory Date: 07/13/2023

Description

The latest attack the world has seen recently is a variant of the Petya ransomware virus. It appears a new variant of Petya has been released with EternalBlue exploit code built in, which WannaCry utilized to propagate around organisations.

Petya uses common delivery methods are via phishing emails, or methods to get you to visit untrusted websites.

Impact

Ransomware is a type of malicious software that blocks access to the victim's data until a ransom is paid. Files are not likely to be recovered, even if the ransom is paid. Thus, prevention methods such as patching and ability to recover via backups are critical.

Preparation Tips:

A successful exploit of the payload requires local administrator access. Thus, it is recommended that standard users should not have this permission. Users should not be running as administrator on their systems. Rather, a standard user account should be used for day-to-day operations. Users should only elevate to administrative users when required.
While no instances have been noted at the University of Regina, damage can be limited if managed appropriately. Once infected, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process. Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems. It is when the machine is rebooted to encrypt the MFT that the real damage is done. Thus, if a machine crashes, reboots and presents a diskcheck process, powering down the system will minimize encryption. If you can prevent the MFT from being encrypted, you can still recover your data from your local disk.
Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability (Eternal Blue).
Ensure you have the latest updates installed for your anti-virus software.
Ensure you have backup copies of your files stored on local disks.
Do not utilize local administrative accounts unless required. Operate with a least privileged access model, where the least permissions possible are utilized.
Ensure you have enabled User Access Control on the endpoint and consider operating as a standard user and not a user with administrative privileges.
Running only supported operating systems so that patches are available and applied automtaically.
When connecting to a non-university network, such as at home, ensure that firewalls are in place to minimize exposure, especially on ports related to SMB.

Resources

Microsoft Patches for MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx