Petya Ransomware and Your IT Security Hygiene

As already widely reported, on Tuesday 27 June 2017, government and private sector servers in Ukraine suffered a large-scale cyber-attack.

The attack began at about 11:30 am and the damaging virus spread very quickly, targeting key Ukrainian institutions, including banks. The attack manifested as a failure of the Windows platform, with computers becoming overloaded and data being encrypted.

The following 2 days were extremely hectic for the Intecracy Group team in Ukraine. Hundreds of calls were received from clients, all with the same message: “Please, help us”. Intecracy Group offices were inundated with work and had very little time. For some corporate clients, every additional second of delay potentially cost tens or hundreds of thousands in losses, not to mention a serious loss of reputation.

Continuity of clients’ businesses is very important, and during those days all resources, local and remote, were utilised by Intecracy Group to get the clients back in action.

The current outbreak named “Petya” matched the technique of earlier attacks focused on Ukraine.

Petya’s speed and extent of spread were similar to those of the WannaCry virus, which in May 2017 blocked hundreds of thousands of computers in over 150 countries.

Petya reaches unpatched computers via phishing emails with an attached Office document; it then encrypts information on the hard drive and demands a ransom in Bitcoin for the opportunity to resume work. Once it enters a network it can infect all other computers, even those which are patched.

Cisco Talos reported that the initial point of Petya’s entry to government systems in Ukraine was a malicious software update for a tax accounting package called MeDoc. The virus went on to infect systems worldwide, including the Danish shipping firm Maersk and the American pharmaceutical giant Merck.

Our Advice to all Intecracy Clients

Your IT security is a question of IT hygiene. Prevention is better than cure.

Our tips for all Internet users:

1. Keep your computer clean. Regularly update your operating system with new patches;

2. Create and securely store back-ups of your data;

3. Do not open file attachments to suspicious messages.

For example, if:

  • messages come from addresses which seem unusual or the source is doubtful;
  • the author for unknown reasons changes the language of communication;
  • the subject of the message is not typical for the author;
  • the way the author addresses the recipient is atypical or incorrect;
  • a non-standard text prompts you to click on suspicious links or to open suspicious files, archives or executable files.

4. Your system and security administrators should pay attention to the filtering of incoming and outgoing information flows, including mail and web traffic.

5. Install the official patch MS17-010.

6. Block TCP ports 135, 445, 1024-1035 on systems and servers.

7. If your PC does become infected, do not restart the system.

8. Limit the ability to run executable files (*.exe) from the TEMP and APPDATA directories on user computers.

9. Secure your mail service.

10. To retrieve encrypted files, use ShadowExplorer or PhotoRec.
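Tips 5, 6 and 8 above can be checked and applied from an elevated PowerShell session. The script below is an added example, not Intecracy Group's own tooling; it assumes Windows 8.1 / Server 2012 R2 or newer (for the NetSecurity cmdlets), and the `$Ms17010Kbs` list is a placeholder that must be filled in with the MS17-010 KB numbers for your OS build from the Microsoft bulletin.

```powershell
# Added example (not the advisory's own code). Run elevated; review before fleet use.
param(
    [string[]]$BlockPorts = @('135', '445', '1024-1035'),   # tip 6 ports
    [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER')             # tip 5: fill in per OS
)

# Tip 5: report whether any of the given MS17-010 hotfixes is installed.
function Test-Ms17010 {
    param([string[]]$Kbs)
    $installed = (Get-HotFix).HotFixID
    $matched   = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($matched.Count -gt 0); Matched = $matched }
}

# Tip 6: inbound Windows Firewall block rules for the listed TCP ports.
# Rules are keyed by display name so the function can be re-run safely.
function Add-InboundTcpBlock {
    param([string[]]$Ports)
    foreach ($p in $Ports) {
        $name = "Block inbound TCP $p (Petya advisory)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Block -Profile Any | Out-Null
        }
    }
}

# Tip 8: Software Restriction Policy path rules that disallow *.exe under the
# user TEMP and APPDATA trees. Level key "0" under CodeIdentifiers is
# "Disallowed"; DefaultLevel 0x40000 keeps everything else Unrestricted.
function Add-SrpDenyPath {
    param([string[]]$Patterns = @('%TEMP%\*.exe', '%APPDATA%\*.exe'))
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    New-Item -Path $base -Force | Out-Null
    Set-ItemProperty -Path $base -Name DefaultLevel -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name PolicyScope -Value 0 -Type DWord
    foreach ($pattern in $Patterns) {
        $rule = Join-Path $base ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
        New-Item -Path $rule -Force | Out-Null
        Set-ItemProperty -Path $rule -Name ItemData -Value $pattern -Type ExpandString
        Set-ItemProperty -Path $rule -Name SaferFlags -Value 0 -Type DWord
        Set-ItemProperty -Path $rule -Name Description -Value 'Petya advisory tip 8'
    }
}

Test-Ms17010 -Kbs $Ms17010Kbs      # shows Patched = True/False and the KB matched
Add-InboundTcpBlock -Ports $BlockPorts
Add-SrpDenyPath
```

The SRP rules also block legitimate installers that unpack into TEMP, so test them on a pilot group first; the firewall rules only cover inbound traffic on the host itself, not the network perimeter the advisory's tip 4 refers to.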

Partners provide new generation ICT-services, such as the development of custom software solutions, ICT-outsourcing services, as well as consulting for the information technology sphere.