What does Petya ransomware do?
Unlike most ransomware, Petya does not encrypt files on a targeted system one by one.
Instead, Petya reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable. This locks the user out of the whole system, because the MFT is where NTFS keeps file names, sizes, and locations on the physical disk.
Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves the computer unable to boot.
Why does it spread so fast?
Ans: Petya ransomware is successful in spreading because it combines a client-side attack (CVE-2017-0199) with a network-based threat (MS17-010).
So patch both first!
Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.
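To make the MBR description above concrete, here is an added example (not from the original post) that reads the first sector of a disk in PowerShell and checks it the way a responder would before a suspicious reboot: the 0x55AA boot signature, the four partition entries at offset 446, and a SHA-256 of the sector against a baseline recorded on a clean machine. It assumes disk 0 is the boot disk, that it is run from an elevated prompt, and that $BaselineHash has been filled in beforehand (placeholder here); $DevicePath can also point at a raw disk image file, in which case no elevation is needed.

```powershell
# Added example, not code from the original post. Run elevated for a live disk.
# Assumptions (not from the page): disk 0 is the boot disk and a known-good
# SHA-256 of its first sector was recorded earlier in $BaselineHash.
$DevicePath   = '\\.\PhysicalDrive0'          # or a raw image, e.g. 'C:\cases\disk.raw'
$BaselineHash = 'REPLACE-WITH-BASELINE-SHA256' # placeholder: record it on a clean machine

# The MBR is the first 512 bytes of the disk: 446 bytes of boot code,
# four 16-byte partition entries at offset 446, and 0x55 0xAA at offset 510.
$stream = New-Object -TypeName System.IO.FileStream -ArgumentList $DevicePath,
    ([System.IO.FileMode]::Open), ([System.IO.FileAccess]::Read), ([System.IO.FileShare]::ReadWrite)
try {
    $mbr  = New-Object byte[] 512
    $read = $stream.Read($mbr, 0, 512)
} finally {
    $stream.Dispose()
}
if ($read -ne 512) { throw "Short read from $DevicePath ($read bytes)" }

# 1. Boot signature: a sector that does not end in 0x55AA is not a usable MBR.
$signatureOk = ($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA)

# 2. Partition table: decode the four entries so a wiped or rewritten table is visible.
$partitions = foreach ($i in 0..3) {
    $off = 446 + 16 * $i
    [PSCustomObject]@{
        Index    = $i
        Bootable = ($mbr[$off] -eq 0x80)                      # 0x80 = active partition
        Type     = ('0x{0:X2}' -f $mbr[$off + 4])              # 0x07 = NTFS, 0xEE = GPT protective
        StartLBA = [BitConverter]::ToUInt32($mbr, $off + 8)
        Sectors  = [BitConverter]::ToUInt32($mbr, $off + 12)
    }
}

# 3. Integrity: a bootloader swap like Petya's changes the boot code, so the
#    sector hash no longer matches the baseline taken on a clean machine.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = ($sha.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
$sha.Dispose()

[PSCustomObject]@{
    Device      = $DevicePath
    SignatureOk = $signatureOk
    HashMatches = ($hash -eq $BaselineHash.ToLower())
    Sha256      = $hash
} | Format-List
$partitions | Format-Table -AutoSize
```

A mismatching hash alone is not proof of infection (a legitimate bootloader update also changes it), but a hash mismatch together with a missing 0x55AA signature or an emptied partition table is the pattern the description above predicts, and it is cheap to check across a fleet before machines are rebooted.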
Actions to be taken:
1. Block source E-mail address
2. Block domains:
3. Block IPs:
4. Apply patches:
Refer(in Russian): https://habrahabr.ru/post/331762/
5. Disable SMBv1
6. Update Anti-Virus hashes
A kill-switch can be used for #Petya ransomware:
i.e. just create a file "C:\Windows\perfc"
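The host-side part of the action list (steps 4 to 6 and the kill-switch) as one script, added here as an example and not code from the original post. It assumes an elevated PowerShell prompt on Windows 8.1/10 or Server 2012 R2+, where the Set-SmbServerConfiguration and Disable-WindowsOptionalFeature cmdlets exist; the MS17-010 KB list is a placeholder (the page gives no KB numbers) and must be filled in from the bulletin for the OS build in question.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Assumption (not from the page): $Ms17010Kb holds the MS17-010 KB id(s)
# for this OS build; the value below is a placeholder.
$Ms17010Kb = @('KB-PLACEHOLDER')

# Step 4: verify the MS17-010 patch is installed before anything else.
# Get-HotFix reads the installed-update history (Win32_QuickFixEngineering).
$installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update from the list found; patch before continuing'
}

# Step 5: disable SMBv1. Turning off the server-side protocol closes the path
# MS17-010 is exploited over; removing the optional feature also drops the
# SMB1 client so the setting cannot be re-enabled by accident.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Confirm: EnableSMB1Protocol should now read False.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# Kill-switch from the post: create C:\Windows\perfc. Marking it read-only
# makes it slightly harder to remove by accident; it is not a substitute for
# the patch and SMBv1 steps above.
$KillSwitch = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path -LiteralPath $KillSwitch)) {
    New-Item -Path $KillSwitch -ItemType File | Out-Null
}
Set-ItemProperty -LiteralPath $KillSwitch -Name IsReadOnly -Value $true
Get-Item -LiteralPath $KillSwitch | Select-Object FullName, IsReadOnly
```

Step 6 (anti-virus signature updates) is left to the AV product's own update command, since it differs per vendor, and steps 1 to 3 need the sender address, domains and IPs, which this post does not list.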
Does this affect you?
Though this attack is largely targeting companies, it's important that you stay vigilant and take the following precautionary measures.
- Always make sure your anti-virus is up-to-date to maximize the protection available to you.
- Don't click too quickly. This attack may be spreading through phishing or spam emails, so make sure you check an email's content for legitimacy. Hover over a link and see if it's going to a reliable URL. Or, if you're unsure about an email's content or the source it came from, do a quick search and look for other instances of this campaign, and what those instances could tell you about the email's legitimacy.
- Do a complete back up. Back up all your PCs immediately. If your machine becomes infected with Petya ransomware, your data could become completely inaccessible. Make sure you cover all your bases and have your data stored on an external hard drive or elsewhere.
- Apply system and application updates. Making sure your operating system is up to date will help contain the spread of this malware.