Are You Prepared for Petya and The New Wave of Ransomware?
Article Written by Jeff Grundy.
In late June, Acronis reported on a new variant of Petya
ransomware that was recently released into the wild. The new outbreak started
by infecting networks in Ukraine and quickly spread to dozens of other
countries. Since then, Microsoft, Fox News, and
others, including the United States Computer Emergency
Readiness Team, have reported further developments that suggest we have not seen
the last of this particularly virulent strain of ransomware.
or Completely Different?
When reports of the new ransomware attacks started surfacing,
industry experts were unsure if the culprit was a variant of previously
released malicious code or if it was an entirely new strain. Because of the
text displayed by the ransomware – after successfully encrypting an infected
machine – some believed the new outbreak to simply be a rehashed version of
Petya or WannaCry.
According to reports from Reuters and other
news services, infected machines display the following message: “If you see this
text, then your files are no longer accessible because they have been
encrypted.” The ransomware text goes on to warn users by adding, “Perhaps you
are busy looking for a way to recover your files, but don’t waste your time.
Nobody can recover your files without our decryption service.”
A New Dark Star is Born
Since the first reports of the new
ransomware, there has been evidence that the latest ransomware release is
indeed different enough from previous versions that it deserves its own
designation. Hence, many security groups and industry watchdogs have dubbed the new ransomware “NotPetya.” Even so, some
experts still argue that the new ransomware is a variant of Petya.
The primary difference between
NotPetya and variants of Petya ransomware is worth noting. Petya variants were
never designed to encrypt or lock down entire systems – just specific files on
the PCs. NotPetya, on the other hand, encrypts entire hard drives and forces
users to enter a decryption key before allowing any access at all. Once
NotPetya and similar variants encrypt a system, warning messages demand $300 in
Bitcoin currency in return for a decryption key.
Older, Unpatched Systems Most Vulnerable
The new strains of ransomware, such
as NotPetya, use the same type of exploit that enabled WannaCry to infect and lock down thousands of computers worldwide back
in May of this year. All of these ransomware variants use the backdoor exploit
developed by the National Security Agency (NSA) known as “EternalBlue.”
Hackers stole EternalBlue from
the NSA earlier in the year. Once the code theft was discovered, the NSA
notified Microsoft of the method of attack. Microsoft then released a security
fix for the vulnerability in March 2017.
The Microsoft patch is reported to work
effectively in blocking WannaCry, Petya, NotPetya, and other similar ransomware
variants. Nevertheless, tens of thousands of computers around the world have
not had the patch applied and still remain vulnerable, according to the International Business Times, ThreatPost, and other
Because the NSA exploit targets
systems without the patch, users of older Windows versions, such as XP, Windows
7, and Windows 8, as well as those with unpatched versions of Windows 10, are
the most vulnerable to NotPetya and other ransomware strains that utilize the
Increasing in Frequency
The NotPetya (or Petya variant, depending on who you ask) attacks
came just six weeks after WannaCry started wreaking havoc on more than 250,000
systems around the globe. Many security experts point to the fact that so
little time passed between major outbreaks as a sign that ransomware attacks are
only getting worse – not better.
Back in May, Newsweek reported
that ransomware attacks are up more than 250 percent for the first few months of
2017 (versus the same time period last year). And, according to Kaspersky, the
United States is the country most affected by the ransomware epidemic. Studies
for the last couple of months are not yet fully available. However, all data
collected to date seems to indicate that ransomware attacks are increasing at
an alarming rate.
Arrive Too Late
By now, most anti-virus (AV) applications have applied updates
that allow them to detect and neutralize WannaCry, Petya, NotPetya, and other
similar ransomware variants. However, the virus definition and signature
updates for the AV programs were not made available to users until well after
the ransomware went live and started infecting and encrypting systems all over.
Because dependable virus patterns and signatures were virtually
nonexistent when WannaCry, Petya, and
NotPetya were released, most AV scanners had no chance of detecting the
ransomware – even if the virus definitions or signatures were fully up to date.
As a result, thousands upon thousands of systems were infected with the
ransomware within hours of its release into the wild.
While keeping your anti-virus program up to date is certainly
important (and the best way of preventing attacks by known strains), it is also
important to understand that many ransomware variants are zero-day exploits. Put
simply, zero-day exploits generally cannot be detected by AV scanners because
they are unknown to security developers and others who create and distribute
virus signatures or pattern definitions needed to discover and eradicate
Against Ransomware – Update, Update, Update!
All of the ransomware strains/variants mentioned in this post use
the EternalBlue exploit — created by the NSA — to infect computers. As
mentioned above, Microsoft released a security fix for the exploit in March,
and the patch has been shown to prevent these
types of ransomware attacks effectively. This means that the computers infected
with NotPetya and other similar variants were compromised for one simple reason
– Windows updates were not installed at the time of the attacks.
With zero-day exploits, there is little that signature-based
anti-virus/malware applications can do to help. And Microsoft updates are
usually released as reactive (not proactive) fixes to threats. Nevertheless,
ensuring that you download and install Windows and AV updates in a timely
manner can help prevent ransomware attacks in many cases.
Ransomware outbreaks can spread quickly. Still, Microsoft and AV
developers usually respond quickly as well and provide updates or patches
within a few days. While waiting for updates may not be the ideal solution, it
is still relatively effective – as long as patches and signatures are
downloaded and installed quickly.
Protection – More Than Just a Backup
By far, the best way to protect your data against Petya, NotPetya,
or any other type of ransomware is to ensure
that you have current, thorough backups of your files. When you have an
effective backup strategy in place, ransomware and other threats become much less worrisome, as safe, secure copies of your important data are always available.
With effective backup solutions, such as Acronis
True Image or Acronis
Backup 12.5, creating secure backups is both quick and easy. However, with
Acronis products, you get much more than just backup applications; you also get
solutions that actively fight to defend your data against ransomware.
Acronis Active Protection
Our revolutionary Acronis Active Protection technology
continuously monitors your system using artificial intelligence and
sophisticated analysis. If Active Protection detects errant or suspicious
behavior or processes, it halts the activity immediately and blacklists the
application or process behind it to ensure it cannot start again after you
reboot the system.
If ransomware does manage to find its way onto your system
(albeit unlikely), Acronis Active Protection will detect any encryption
activity quickly and stop it. After halting the
encryption processes, Active Protection will restore any affected files
to their most recent backed-up versions. How effective is Acronis Active
Protection? Well, in a test by NioGuard Security Lab, Acronis
Active Protection outperformed 22 well-known anti-virus applications when it
came to detecting and neutralizing ransomware.
Don’t Wait to Protect Your Data
When ransomware worms its way onto your hard drive and finishes
encrypting boot tables or files, it is already too late – as many thousands of
users have already discovered. Therefore, if you’re not already creating
regular backups of all the data on your systems, you need to start doing so
immediately. Ransomware is not going away anytime soon, and all the evidence
points to it only becoming more commonplace and dangerous from here on out.
via @VMblog http://ift.tt/GDDZi6
July 17, 2017 at 03:36PM @ Copyright – @VMblog