Petya 2.0 Ransomware Fix and Malware Removal

Virus, Malware and Ransomware Removal Cardiff

What is ransomware? Ransomware is a particularly nasty type of malicious software designed to block access to a computer system until money is paid. Any ransomware is a critical threat to home and business computer users.

The Bad News About Petya and all Ransomware

To date, there is no fix for these types of ransomware unless you have a valid backup. If you don’t have a backup then there is no way to recover your data, because of the strong encryption being used. There are no tools on the market at present that can crack the encryption, so backups are the only way to get your data back.

When we are contacted about this (and similar) infections, unless the customer has a backup, the only solution is to secure the systems and install a backup regime so clients are safe from future infections.

Get in touch with us about any of your IT needs, from malware, ransomware and virus removal; we are here to help – call 01656 808002 or send a message via the Contact Form.

Bridgend Porthcawl and South Wales IT Support Services

New variants of Petya ransomware (AKA GoldenEye) are behind the huge online outbreak that spread across Russia, Ukraine and Europe this week.

What makes the new threat different is that it now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in last month’s spread of WannaCry.

Petya also attempts to spread internally by breaking admin passwords and infecting other PCs on the network using remote admin tools. It can also spread internally by infecting network shares on other computers. Unfortunately, 38% of malware gets past legacy AV, which is why services like IPS, sandboxing, and threat detection and response are so critical.

It does so by running credential-stealing code to break user account passwords and deploy the ransomware. To infect remote computers, it comes bundled with a legitimate remote admin tool called PsExec from Microsoft’s Sysinternals suite.
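The PsExec spread described above leaves a recognisable trace on the target: PsExec installs a service (named PSEXESVC) that Windows records as System event 7045, usually a few seconds after the network logon (Security event 4624, logon type 3) that the stolen credentials produced. The script below is an added example, not code from the original post; it correlates those two events over constructed sample log records to flag possible lateral movement.

```python
"""Flag PsExec-style lateral movement in Windows event log records.

Assumptions (not stated on the page): PsExec installs a service named PSEXESVC,
logged as System event 7045; a preceding network logon appears as Security
event 4624 with LogonType 3. The EVENTS list below is constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample events: one genuine lateral-movement pattern on WS-01,
# a benign service install on WS-02, and a PSEXESVC install on WS-03 with no
# recent network logon (an interactive logon 28 minutes earlier does not count).
EVENTS = [
    {"host": "WS-01", "time": "2017-06-27 10:02:11", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin", "src_ip": "10.0.0.15"},
    {"host": "WS-01", "time": "2017-06-27 10:02:14", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS-02", "time": "2017-06-27 10:05:40", "id": 7045,
     "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS-03", "time": "2017-06-27 10:07:00", "id": 4624,
     "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"},
    {"host": "WS-03", "time": "2017-06-27 10:35:00", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
]

PSEXEC_SERVICE = "psexesvc"


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_psexec_lateral_movement(events, window=timedelta(seconds=60)):
    """Return one hit per PSEXESVC service install. If a network logon (4624,
    type 3) on the same host precedes it within `window`, the hit carries that
    logon's user and source IP; otherwise those fields are None (still worth
    a look, but with less context on where it came from)."""
    by_host = {}
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        for e in evs:
            if e["id"] != 7045 or e.get("service", "").lower() != PSEXEC_SERVICE:
                continue
            t = parse_time(e["time"])
            # Most recent network logon in the window before the install, if any.
            logon = next((l for l in reversed(evs)
                          if l["id"] == 4624 and l.get("logon_type") == 3
                          and timedelta(0) <= t - parse_time(l["time"]) <= window),
                         None)
            hits.append({"host": host, "time": e["time"],
                         "user": logon["user"] if logon else None,
                         "src_ip": logon["src_ip"] if logon else None})
    return hits


if __name__ == "__main__":
    for hit in find_psexec_lateral_movement(EVENTS):
        print(hit)
```

On a real estate the same logic can be fed from the System and Security logs of every host (for example via a SIEM), with the source IP of the logon pointing back at the machine doing the spreading.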

Defensive measures

Here’s what you should do right now:

  • Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
  • Consider blocking the Microsoft PsExec tool from running on users’ computers. Petya bundles a copy of this tool as part of one of its techniques for spreading automatically.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and use attachments a lot in your job.
  • Call 01656 808002 or send a message via the Contact Form.

It initially looked like the outbreak was just another cybercriminal taking advantage of cyberweapons leaked online. However, security experts say that the payment mechanism of the attack seems too amateurish to have been carried out by serious criminals. Firstly, the ransom note includes the same Bitcoin payment address for every victim – most ransomware creates a custom address for every victim. Secondly, the malware asks victims to communicate with the attackers via a single email address which has been suspended by the email provider after they discovered what it was being used for. This means that even if someone pays the ransom, they have no way to communicate with the attacker to request the decryption key to unlock their files.

Who is behind the Petya 2.0 Ransomware attack?

It is not clear, but it seems likely it is someone who wants the malware to masquerade as ransomware, while actually just being destructive, particularly to the Ukrainian government. Security researcher Nicholas Weaver told cybersecurity blog Krebs on Security that ‘Petya’ was a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware”. Pseudonymous security researcher Grugq noted that the real Petya “was a criminal enterprise for making money,” but that the new version “is definitely not designed to make money.

“This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware,’” he added, pointing out that, among other tells, the payment mechanism in the malware was inept to the point of uselessness: a single hardcoded payment address, meaning the money can be traced; the requirement to email proof of payment to a webmail provider, meaning that the email address can be – and was – disabled; and the requirement to send an infected machine’s 60-character, case sensitive “personal identification key” from a computer which can’t even copy-and-paste, all combine to mean that “this payment pipeline was possibly the worst of all options (sort of ‘send a personal cheque to: Petya Payments, PO Box … ’)”.

Ukraine has blamed Russia for previous cyber-attacks, including one on its power grid at the end of 2015 that left part of western Ukraine temporarily without electricity. Russia has denied carrying out cyber-attacks on Ukraine.

What can you do if you are affected by the ransomware?

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine, as flagged by @HackerFantastic on Twitter.