It has only been a relatively short time since WannaCry hit the Internet. That ransomware used code leaked from the NSA which took advantage of particular security flaws in Windows systems.
On June 27th, a new ransomware attack was unleashed, called PetyaWrap. It is a new variant of the earlier malware called Petya, but PetyaWrap's attack techniques resemble those of WannaCry.
What is PetyaWrap?
PetyaWrap derives from a 2016 ransomware program called Petya. Petya does something most malware no longer does: it tampers with the boot sectors of the victim's hard drive.
Nearly all malware uses high-level programming to encrypt files and then displays a message telling the victim to send money to the threat actor or lose all of their data.
Petya instead leaves the files themselves in one piece and erases vital indexes stored in the boot sectors, so the Windows operating system can no longer boot. With no master file table, the computer cannot locate its critical files. To do this, Petya modifies the Master Boot Record of the system. This capability is one of the things that sets Petya apart from WannaCry.
Most ransomware authors stop at the encryption attack. PetyaWrap, however, does more than merely ransom files: it also behaves like a worm, seeking to self-propagate across a local network. This distinguishes PetyaWrap from WannaCry, which attempted to infect computers over the web; PetyaWrap instead targets computers connected to the same local network.
PetyaWrap does not need emails or phishing attempts to spread across a network. The infamous ransomware has already caused massive damage to numerous global enterprises, such as Maersk.
Microsoft states that PetyaWrap originally emerged from the MEDoc updater process.
The PetyaWrap ransomware spreads using a bundled executable named “PsExec.” PsExec is part of a Microsoft Windows administration suite that lets admins remotely execute programs on a computer connected to the local network.
Furthermore, PetyaWrap contains a component that reads memory and tries to locate stored usernames and passwords. It does this with a Windows toolkit program called LSADUMP.
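Because the spreading mechanism described above relies on an administrative tool that leaves ordinary Windows event log entries behind, a defender can look for its footprint. The following is an added example (not code from the original article or from any vendor) that runs simple detection rules over constructed sample event log lines: a network logon (event 4624, logon type 3), an executable written to the ADMIN$ share (event 5145), and the PSEXESVC service being installed (event 7045). The event IDs are standard Windows ones; the sample messages, host addresses and account names are constructed for the example.

```python
"""Spot PsExec-style remote execution in Windows event log text (added example)."""
import re
from collections import defaultdict

# Constructed sample events: (log name, event id, message text).
# These are illustrative, not captured from a real incident.
SAMPLE_EVENTS = [
    ("Security", 4624, "An account was successfully logged on. Logon Type: 3 "
                       "Account Name: svc_admin Source Network Address: 10.0.0.7"),
    ("Security", 5145, r"A network share object was checked. Share Name: \\*\ADMIN$ "
                       r"Relative Target Name: PSEXESVC.exe Source Address: 10.0.0.7 "
                       "Accesses: WriteData"),
    ("System", 7045, r"A service was installed in the system. Service Name: PSEXESVC "
                     r"Service File Name: %SystemRoot%\PSEXESVC.exe Service Account: LocalSystem"),
    ("System", 7045, r"A service was installed in the system. Service Name: Spooler "
                     r"Service File Name: %SystemRoot%\System32\spoolsv.exe Service Account: LocalSystem"),
    ("Security", 4624, "An account was successfully logged on. Logon Type: 2 "
                       "Account Name: alice Source Network Address: -"),
]


def field(msg, name):
    """Return the whitespace-delimited value following 'name:' in a message, or None."""
    m = re.search(rf"{re.escape(name)}:\s*(\S+)", msg)
    return m.group(1) if m else None


def detect(events):
    """Apply per-event rules; return (rule, source address or None, detail) tuples."""
    findings = []
    for _log, eid, msg in events:
        if eid == 7045:
            name = field(msg, "Service Name") or ""
            path = field(msg, "Service File Name") or ""
            # PsExec installs a helper service named PSEXESVC on the target.
            if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
                findings.append(("psexec_service_installed", None, name))
        elif eid == 5145:
            share = field(msg, "Share Name") or ""
            target = field(msg, "Relative Target Name") or ""
            access = field(msg, "Accesses") or ""
            # An executable being written into ADMIN$ is the classic precursor.
            if share.upper().endswith("ADMIN$") and target.lower().endswith(".exe") \
                    and "WriteData" in access:
                findings.append(("executable_written_to_admin_share",
                                 field(msg, "Source Address"), target))
        elif eid == 4624 and field(msg, "Logon Type") == "3":
            # Network logons are normal on their own; they only corroborate.
            findings.append(("network_logon",
                             field(msg, "Source Network Address"), field(msg, "Account Name")))
    return findings


def suspicious_sources(findings):
    """Group findings by source address and rate each source.

    A source that wrote an executable into ADMIN$ is 'medium'; if a PSEXESVC
    service install was also observed on this host, it is raised to 'high'.
    """
    service_seen = any(rule == "psexec_service_installed" for rule, _, _ in findings)
    by_src = defaultdict(set)
    for rule, src, _ in findings:
        if src:
            by_src[src].add(rule)
    verdict = {}
    for src, rules in by_src.items():
        if "executable_written_to_admin_share" in rules:
            verdict[src] = "high" if service_seen else "medium"
    return verdict


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(suspicious_sources(found))
```

On a real estate these rules would be fed from a log collector rather than a list in memory, and legitimate administrators also use PsExec, so the output is a triage signal to correlate with the source host's known role, not a verdict on its own.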
How Do You Protect Against PetyaWrap Ransomware?
Deploying the latest patch on your Windows computers protects against the ransomware portion of the malware. It does not protect against the worm-like propagation method used to spread across the local area network. Refer to Microsoft Security Bulletin MS17-010.
What makes PetyaWrap so damaging is that a single infected machine is enough to severely impact a network.
Restrict public access to TCP ports 139 and 445. The malware needs admin privileges to spread this way, so any potential victim who lacks elevated privileges may still be infected but would be unable to pass the malware on.
Most local networks include Internet-facing components that share files with clients and vendors. If you have any folders that can be accessed over the web, the malware will try to spread to those locations.
The malware also thrives by stealing passwords, so any easily cracked password is a liability. Poor passwords typically have fewer than eight characters, are all lowercase, and lack special characters or capital letters. You can use LSADUMP to pinpoint poor passwords on your systems.
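The weak-password criteria listed above can be turned into a small audit routine. The following is an added example, not code from the original article, that checks each password against those rules (length under eight, no capital letters, no special characters) and goes slightly beyond the text by also flagging a missing digit and membership in a short denylist of common passwords. The sample password list and the denylist are constructed for the example and stand in for a real common-password list.

```python
"""Audit candidate passwords against simple strength rules (added example)."""

# Constructed sample inputs; none of these are real credentials.
SAMPLE_PASSWORDS = ["summer", "password1", "Tr0ub4dor&3", "qwerty123", "Correct-Horse-9"]

# Tiny constructed denylist; a real audit would load a full common-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "qwerty", "qwerty123", "123456", "letmein"}

MIN_LENGTH = 8


def password_weaknesses(pw):
    """Return the list of rules a password fails; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        reasons.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        reasons.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        reasons.append("no digit")
    # Anything that is not a letter or digit counts as a special character here.
    if not any(not c.isalnum() for c in pw):
        reasons.append("no special character")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    return reasons


def audit(passwords):
    """Map each password to its list of weaknesses."""
    return {pw: password_weaknesses(pw) for pw in passwords}


def weak_count(passwords):
    """Number of passwords that fail at least one rule."""
    return sum(1 for reasons in audit(passwords).values() if reasons)


if __name__ == "__main__":
    for pw, reasons in audit(SAMPLE_PASSWORDS).items():
        status = "OK" if not reasons else "WEAK: " + ", ".join(reasons)
        print(f"{pw!r:20} {status}")
    print(f"{weak_count(SAMPLE_PASSWORDS)} of {len(SAMPLE_PASSWORDS)} are weak")
```

In practice the input would be the list of accounts whose passwords failed a controlled offline check, and the output feeds a forced-reset list; the routine never needs to store the plaintext beyond the run.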
The threat actor's email address has been blocked, so even if you choose to pay the ransom, it is unlikely that a decryption key will be emailed back to you.
The ransom is $300 in bitcoins. Since you are unlikely to receive the decryption key, there is no point in sending money to the threat actor.
It may be obvious, but always make sure your antivirus program receives the latest definitions so it can protect against the most recent malware.
Always be vigilant and on the lookout.