On Tuesday, a ransomware attack that has affected at least 2,000 individuals and organisations worldwide (large businesses, electricity suppliers, food factories such as those of Oreo and Cadbury, and government agencies around the world) appears to be from a strain of malware widely known as Petya. Fortunately, the malware has not reached Nigeria yet, but it doesn’t hurt to be protected against such an occurrence.
The attack began in Ukraine, and spread through a hacked Ukrainian accountancy software developer to companies in Russia, western Europe and the US. According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, some domestic banks and largest power companies all warned today that they were dealing with fallout from Petya infections. However, security researchers have explained that the cyber-attack is deliberately engineered to damage IT systems rather than extort funds.
WHAT IS PETYA?
‘Petya’ is a family of encrypting ransomware that was first discovered in 2016. However, a new variant of Petya is being used for the current global cyber-attack. The malware targets Microsoft Windows-based systems, infecting the computer’s master boot record, overwriting the Windows bootloader, and then triggering a restart. On the next startup, a payload is executed after the encryption of the Master File Table of the NTFS file system, then the computer displays a ransom message demanding a payment of $300 in Bitcoin for a digital key needed to unlock the files.
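Because this variant works by overwriting the first sector of the disk (the MBR and the boot code in it), one defensive check is to baseline that sector and compare it later. The following is an added example written for this article, not code from any researcher or vendor named here; the sector contents are constructed placeholders, and the checker only reports findings.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its fixed-offset regions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "boot_code": sector[:440],        # code the BIOS executes; this is what a bootkit replaces
        "disk_signature": sector[440:444],
        "partitions": sector[446:510],    # four 16-byte partition entries
        "signature": sector[510:512],
    }


def baseline_mbr(sector: bytes) -> dict:
    """Hashes of the regions we want to keep stable; store these off the machine."""
    parts = parse_mbr(sector)
    return {
        "boot_code_sha256": hashlib.sha256(parts["boot_code"]).hexdigest(),
        "partitions_sha256": hashlib.sha256(parts["partitions"]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against the baseline; empty list means no change."""
    findings = []
    parts = parse_mbr(sector)
    if parts["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(parts["boot_code"]).hexdigest() != baseline["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) changed since baseline")
    if hashlib.sha256(parts["partitions"]).hexdigest() != baseline["partitions_sha256"]:
        findings.append("partition table changed since baseline")
    return findings


# Constructed sample: a "clean" sector with placeholder boot code and one partition entry.
_clean = bytearray(SECTOR_SIZE)
_clean[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"          # placeholder boot code, not a real loader
_clean[446:462] = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xdf, 0x13, 0x0c,
                         0x00, 0x08, 0x00, 0x00, 0x00, 0xa0, 0x0f, 0x00])
_clean[510:512] = BOOT_SIGNATURE
CLEAN_MBR = bytes(_clean)

# Constructed sample: same disk after the boot code was replaced; partition table untouched.
TAMPERED_MBR = b"\xfa\x31\xc0" + b"\x90" * 437 + CLEAN_MBR[440:]
```

On a live Windows host the sector is read, as an administrator, with `open(r"\\.\PhysicalDrive0", "rb").read(512)`; keep the baseline somewhere the machine itself cannot overwrite.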
WHAT DOES PETYA DO TO AN INFECTED COMPUTER?
Once the malware infects a computer, it will wait for an hour or so, and then reboot the system. After the rebooting, the files get encrypted and the user gets a ransom note on their PC asking them to pay up.
*Users are also warned against switching off their PC during the rebooting process, because it could make them lose their files.*
IS THERE A WAY TO RETRIEVE FILES WITHOUT PAYING?
No, there’s no way around it. At least, not yet.
When it comes to decrypting files, currently there is no solution. According to the security researchers at Kaspersky (a security research firm), “the ransomware uses a standard, solid encryption scheme.” The firm notes that unless the hackers made a mistake, the data can’t be accessed.
Besides, the payment address and a 60-character, case-sensitive “personal installation key”, which are only presented as text on the ransom screen, must be sent in a confirmation email to an address hosted by the German email provider ‘Posteo’.
However, Posteo quickly closed the email account, meaning that even if victims paid, they would not be able to decrypt their computers. In a blogpost, Posteo wrote, “We became aware that the ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away.” Posteo also confirmed that it was no longer possible for the attackers to access the email, send mails, or access the account.
Users who have lost their data can’t really recover it unless they have a backup, because there’s no way of getting the decryption key from the hackers, since the email account has been shut down.
Also, researchers have discovered that there is a Trojan inside Petya that steals victims’ usernames and passwords.
HOW DO I PROTECT MY FILES?
Your first line of defense is to be sure you have the latest version of Windows: if you have automatic updates turned on, you’re safe, and the update should already be installed on your computer.
Also, it was found that it may be possible to stop the encryption process if an infected computer is immediately shut down when the fictitious ‘chkdsk’ screen appears.
According to a tweet from HackerFantastic, when the system goes in for a reboot, the user should power off the PC. His tweet reads, “If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine.”
Windows has a download page for all versions. You can check it here.
Next, make sure that your antivirus software is up to date. Most antivirus companies already have patches out that block Petya and this new version of it.
Lastly, back up your computer regularly and keep a recent backup copy somewhere accessible and safe. Also, don’t open attachments in emails unless you know who they’re from and you’re expecting them.