New Petya Variant Ransomware Spreading Globally

Feb 9, 2020

New Petya Variant Ransomware Spreading Globally

Feb 9, 2020

We’re getting reports of a new ransomware variant of the Petya ransomware spreading very quickly worldwide in the UK, Ukraine, and Denmark. Samples are showing that the malware is using a recently leaked NSA exploit called EternalBlue which was patched in March. Petya is known to encrypt the boot record of the infected computer rendering it unusable.

US CERT is encouraging to report any ransomware incidents to the Internet Crime Complaint Center (IC3). https://www.ic3.gov

Read more in:

http://www.bbc.com: Global ransomware attack causes chaos
http://www.telegraph.co.uk: Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down
https://www.bloomberg.com: New Cyberattack Spreads Across Europe, Hits Rosneft, Maersk

Steps We Have Taken for all our Managed Clients

We are making sure that all systems are properly patched with the latest from Microsoft. Typically we will update several test computers at each company the first week an update is released and the remainder the following week. But due to the nature of this outbreak, we are ensuring that all systems are up to the May patch levels (even though this was fixed in March).
We have also taken steps to disable the services that are vulnerable. In this case, they are not needed for most computing.
Our Webroot Antivirus system has the proper updates in place to prevent an infection.
Backups are being monitored as normally to ensure that if anything does through other defenses, that we can quickly recover from a ransom situation for data being backed up.

We’re here to help you. We’re taking all the necessary steps to protect our clients. No process is 100% so there are always some good practices you should take, it’s worth repeating.

Be wary of attachments and links sent to you from people you don’t know or even do know.
Any attachment that asks you to click on a link or enable macros to unlock, don’t do it
When in doubt, ask us.

Steps You Can Take

Make sure your personal computers are up to date, search for Windows Update on your computer at home (Mac’s are not affected by this, but you should make sure they are up to date too.
Make sure you back up your personal files to a place that does some sort or versioning so that if you’re infected and the infected files are backed up they don’t overwrite your backup. Most good cloud backup providers will do this.
Don’t open up emails from people you don’t know, especially if they have links or attachments. If you do open an attachment and it asks you to enable Macros or click on a link to “unlock” the file, DON’T DO IT. if you’re not sure, ask us and we can assess.
Did I mention to check your backups, maybe do it twice, once to a local drive and once offsite at least once a day.
If you do think you were infected (i.e. suddenly your filenames start changing and you can’t open them) pull the plug on your computer to minimize the data loss.