Defence against the wrath of Ransomware

By: Govind Rammurthy, CEO of eScan

The recent attack by the Petya ransomware is another warning to organizations about the catastrophe that unpatched vulnerabilities in their networks or IT infrastructure can cause. Petya is spreading fast, with Ukraine being the worst-hit country in the last 24 hours. It uses the same exploit that WannaCry used to propagate itself and create havoc in the recent past. Microsoft released a patch for the exploited vulnerability back in March 2017, but many organizations missed updating their OS and network.

EternalBlue was the exploit used by WannaCry; it abuses a vulnerability in the SMB protocol to propagate throughout the network. Petya, however, does not just encrypt files: after encrypting them, it also tries to encrypt the MBR, effectively rendering infected systems unbootable.

According to our findings, Petya was pushed through an update to the MeDoc financial software, used mostly by organizations in Ukraine, and phishing emails were the major source for starting the infection.

In India, "The (shipping) ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk's Hague office," an official said, adding that the government will share a report / statement shortly.

Due to this attack, operations at JNPT's GTI (Gateway Terminals India) have come to a standstill. However, this seems to be an isolated incident within India, and the impact of Petya on India seems to be very limited. Last month's WannaCry attack forced numerous organizations to apply the patches released by Microsoft and update their OS. However, some organizations may still be lagging behind.

So far, the Bitcoin address used by Petya has received 42 transactions worth 3.75228155 BTC, equivalent to 9490.80 USD, in less than 24 hours. However, the email address used to communicate with the criminals has been suspended by the service provider, rendering any effort to obtain the decryption key futile. Victims should therefore desist from making any payments to the criminals.

To stay safe from such attacks, all organizations and users need to ensure that the patches released by Microsoft, listed below, have been applied:

NSA hacking tool              | Patch information | Download link
------------------------------|-------------------|--------------
CVE-2017-0146 & CVE-2017-0147 |                   |
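As an added example (not from the article or from eScan), the following PowerShell audit lets a Windows administrator confirm on a host the two conditions the article's advice implies: that the SMBv1 protocol EternalBlue abuses is disabled, and that one of Microsoft's March 2017 patches is installed. The KB identifiers in $PatchKbIds are placeholders to be replaced with the ones from the Microsoft bulletin that apply to each OS; the cmdlets used are standard on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example: report-only host audit for the SMBv1 and March 2017 patch
# conditions discussed in the article. It changes nothing on the host.
# Run in an elevated PowerShell session.

# Placeholder (assumption, not from the article): replace with the KB numbers
# of the March 2017 Microsoft security update that apply to this OS.
$PatchKbIds = @('KB<placeholder-1>', 'KB<placeholder-2>')

function Test-Smb1Disabled {
    # SMBv1 can be switched off in the SMB server configuration ...
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # ... and, where the optional feature exists (client editions; servers
    # expose it as the FS-SMB1 Windows feature), at the feature level too.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' `
        -ErrorAction SilentlyContinue
    $featureOn = ($null -ne $feature) -and ($feature.State -eq 'Enabled')
    [pscustomobject]@{
        ServerSmb1Enabled  = $serverSmb1
        FeatureSmb1Enabled = $featureOn
        Smb1Disabled       = (-not $serverSmb1) -and (-not $featureOn)
    }
}

function Test-PatchInstalled {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by KB id; any listed id counts.
    $installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        MatchingKbs    = ($installed | ForEach-Object { $_.HotFixID }) -join ','
        PatchInstalled = ($installed | Measure-Object).Count -gt 0
    }
}

$smb   = Test-Smb1Disabled
$patch = Test-PatchInstalled -KbIds $PatchKbIds
$smb, $patch | Format-List

if (-not $smb.Smb1Disabled) {
    Write-Warning 'SMBv1 is still enabled: disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force (and Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on client editions).'
}
if (-not $patch.PatchInstalled) {
    Write-Warning 'None of the listed March 2017 patches is installed: apply the Microsoft update for this OS.'
}
```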