Prevent Petya Ransomware From Infecting Your Computer
Ransomware attacks have become common, and the number of infected machines grows every day. Ransomware encrypts the data on your hard drive and offers to decrypt it only after you pay the ransom. After WannaCry (WannaCrypt), a new ransomware called Petya has been spreading around the world.
In this article we look at the details of the Petya ransomware, how it works, and how to prevent it from infecting your computers.
- 1 What is Petya Ransomware?
- 2 How does Petya Ransomware Spread?
- 3 How does Petya Ransomware work?
- 4 Protecting against Petya
- 5 A Few Other Protection Measures
What is Petya Ransomware?
Petya, also reported as NotPetya, is the latest ransomware spreading worldwide. It encrypts systems and then demands a payment of $300 in Bitcoin to give you control of your system back. A ransomware named Petya was first discovered in 2016, but this variant comes with more advanced and powerful spreading techniques. Note that the email address the attackers used for payment confirmation has already been deactivated, so there is no point in paying the ransom: you will not receive a decryption key. If you get infected, the only way to recover is to restore your files from backup.
How does Petya Ransomware Spread?
Petya spreads differently from WannaCry. Although the initial infection can arrive over the Internet (for example by email), Petya does not need the Internet to reach other systems: it spreads inside the Local Area Network and infects the other machines connected to it. Its reach so far has therefore been smaller than WannaCry's, which scanned the Internet for vulnerable hosts.
How does Petya Ransomware work?
Petya is not a directly executable program: it comes as a DLL file, so it has to be loaded by another process (rundll32.exe is the usual loader for a DLL payload). Once running, it attacks the system and starts encrypting your files.
SMB 1 (Server Message Block version 1) is involved because SMB 1 is still used for file sharing on many networks, and the ransomware can spread over it to the other systems connected to the same network. Turn it off on your systems under Windows Features.
It has an infection mechanism built in to start infecting other systems connected to your network. It steals administrative credentials from the infected machine and uses them to reach the other systems on the same network with Microsoft's PsExec tool, a utility normally used to run commands on remote systems for troubleshooting. It also overwrites the Master Boot Record (MBR) of the system. Once the DLL has run, the machine reboots and a progress screen is displayed while the disk is being encrypted. If you shut the system down while that is happening, the encryption process stops and your files may still be recoverable.
If the DLL runs to completion, the system reboots and you get a message on the screen that your files and data are encrypted and can no longer be accessed. You cannot access or decrypt them unless you buy a key from the attackers, who demand a large payment for it, and there is no guarantee that the key will decrypt your data. There is a real chance that you lose your data completely.
The one thing you can do while the DLL is executing is to shut the system down immediately. Shutting down an infected machine also limits the spread: the ransomware does most of its spreading in the first hour after it gains network connectivity, so once the network is saturated, or all systems are already shut down, shutting down has much less effect.
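As an added example (not code from the article), the following PowerShell function looks for the trace PsExec leaves on a machine it was used against: PsExec installs a temporary service, named PSEXESVC by default, and Windows records every service installation as Event ID 7045 in the System log. Run it on a machine you suspect was reached by the ransomware's lateral movement. The function name, the 24-hour default window and the output fields are my choices.

```powershell
# Added example: find PsExec-style service installations in the System log.
# PsExec (and malware that bundles it) installs a service, PSEXESVC by default,
# which Windows logs as Event ID 7045 "A service was installed in the system".
# The lookback window is an assumption; adjust it to the incident timeline.
function Find-PsExecServiceInstall {
    param(
        [int]$LookbackHours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named fields from the event XML instead of parsing the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ServiceName'] -like 'PSEXESVC*' -or $data['ImagePath'] -like '*PSEXESVC*') {
            [pscustomobject]@{
                Computer    = $ComputerName
                TimeCreated = $e.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                RunAs       = $data['AccountName']
            }
        }
    }
}

# Usage: look back three days on the local machine
Find-PsExecServiceInstall -LookbackHours 72 | Format-Table -AutoSize
```

A hit tells you the machine was reached over SMB with working administrative credentials, which is the ransomware's spreading path, so check the account in the RunAs column and the other machines that account can reach. PsExec's -r option lets an operator rename the service, so an empty result does not prove PsExec was never used; treat any unexpected 7045 event in the window as worth a look.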
Protecting against Petya
Installing an antivirus solution which detects Petya ransomware
Use a good, up-to-date antivirus product. In most cases AV tools block this kind of ransomware attack. Some people claim AV tools will not help in this situation; ignore them, because it has been observed repeatedly that an antivirus tool running at the time of the attack blocks the ransomware at a very early stage. Keep its signatures current, since detection of a new variant depends on the vendor having shipped an update for it.
Disable or block PSExec on Windows
PsExec is a small command-line utility that runs commands on remote computers over the network, using their administrative shares. Since Petya uses this utility to spread across the network, you should block PsExec from reaching user machines to reduce the chance of the ransomware being transferred to them.
PsExec works over SMB, so to block it at the network level you can block two ports in your firewall:
TCP port 445 (SMB)
UDP port 137 (NetBIOS name service)
Or you can open a command prompt as administrator and run the following commands:
netsh advfirewall firewall add rule name="Block PSEXEC TCP-445" dir=in action=block protocol=TCP localport=445 remoteip=Any
netsh advfirewall firewall add rule name="Block PSEXEC UDP-137" dir=in action=block protocol=UDP localport=137 remoteip=Any
The same firewall rules can be used to limit the spread of ransomware across the Windows network; use Group Policy Management in Active Directory to push them to the domain computers. Note that inbound TCP 445 is also what file and printer sharing and most remote administration use, so apply the rule to workstations that do not need to serve shares, not to file servers or domain controllers.
Installing Windows Updates
Installing Windows updates also helps protect against Petya. Updates contain security fixes and improvements that help your system resist new attacks and ransomware.
So check regularly for new updates in Windows Settings and install any that are available.
Make sure at least the MS17-010 update is installed on your computer, since it closes the SMB vulnerability the ransomware uses to spread to other machines.
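As an added example covering the SMB 1, firewall and update steps above (not code from the article), here is a PowerShell script to run from an elevated prompt on a workstation. It reports the SMB 1 state and whether an MS17-010 patch is present, and with -Apply it disables SMB 1 and adds the same inbound block rules for TCP 445 and UDP 137 using New-NetFirewallRule. The rule names, the -Apply switch and the Domain/Private profile scoping are my choices for this example; the KB numbers are the ones Microsoft listed in the MS17-010 bulletin for the Windows versions named in the comments, so verify them for your exact build.

```powershell
# Added example: audit and harden one Windows machine against Petya's spreading
# methods (SMB 1, PsExec over SMB, unpatched MS17-010). Run from an elevated
# PowerShell. Rule names, the -Apply switch and the profile choice are
# assumptions of this example; the KB numbers come from the MS17-010 bulletin.
#Requires -RunAsAdministrator
param([switch]$Apply)

function Test-MS17010Installed {
    # Security-only and monthly-rollup KBs that shipped the MS17-010 fix.
    # Windows 10 receives it through cumulative updates that later updates
    # supersede, so a fully patched machine may show a newer KB instead.
    $kbs = @(
        'KB4012212'   # Windows 7 SP1 / Server 2008 R2 security-only
        'KB4012215'   # Windows 7 SP1 / Server 2008 R2 monthly rollup
        'KB4012213'   # Windows 8.1 / Server 2012 R2 security-only
        'KB4012216'   # Windows 8.1 / Server 2012 R2 monthly rollup
        'KB4012214'   # Server 2012 security-only
        'KB4012217'   # Server 2012 monthly rollup
        'KB4012598'   # XP / Vista / Server 2003 / Server 2008 / Windows 8
        'KB4012606'   # Windows 10 1507
        'KB4013198'   # Windows 10 1511
        'KB4013429'   # Windows 10 1607
    )
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = $kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Patched = [bool]$found; MatchedKB = ($found -join ',') }
}

function Get-Smb1Status {
    # Both the optional feature and the server setting should be off.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State
        ServerSmb1Enabled = $server.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Add-PsExecBlockRules {
    # Inbound block of SMB and the NetBIOS name service. Scoped to the Domain and
    # Private profiles on the assumption that this machine is a workstation that
    # serves no file shares. Do not push these rules to file servers or DCs.
    $rules = @(
        @{ DisplayName = 'Block PSEXEC TCP-445'; Protocol = 'TCP'; LocalPort = 445 },
        @{ DisplayName = 'Block PSEXEC UDP-137'; Protocol = 'UDP'; LocalPort = 137 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.LocalPort -Profile Domain,Private | Out-Null
        }
    }
}

# Report first; change the machine only when -Apply is given.
$status = Get-Smb1Status
$patch  = Test-MS17010Installed
Write-Host ("SMB1 feature: {0}; server SMB1 enabled: {1}" -f $status.FeatureState, $status.ServerSmb1Enabled)
Write-Host ("MS17-010 KB present: {0} {1}" -f $patch.Patched, $patch.MatchedKB)

if ($Apply) {
    if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') { Disable-Smb1 }
    Add-PsExecBlockRules
    Write-Host 'SMB 1 disabled and PsExec block rules added; reboot to finish removing the feature.'
}
```

On Windows 7 and Server 2008 R2 the SMB1Protocol optional feature does not exist; there SMB 1 is turned off by setting the SMB1 value to 0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and rebooting, which is what Get-Smb1Status's empty FeatureState indicates on those systems. Disabling SMB 1 and patching MS17-010 close the exploit path, while the firewall rules only narrow the PsExec path, because a machine that still accepts SMB from anything on the LAN can still be reached with stolen administrative credentials.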
A Few Other Protection Measures
- Do not open email attachments unless they come from someone you know; attachments can carry ransomware that runs on your machine when you open them.
- Use an endpoint protection product such as Symantec Endpoint Protection, which combines anti-malware, intrusion prevention and firewall features for servers and desktops, for the best protection against malware attacks.
- Back up your system regularly so you can handle this kind of situation, and restore from the latest backup if you lose access to your files. Keep at least one backup copy offline or otherwise unreachable from the network, since ransomware that spreads over the LAN can encrypt a backup share as well.
Stay safe from Petya by following the steps above, as no complete solution has been released yet. Administrators who apply them and harden their systems will most likely keep this attack off their machines. And if the DLL does start executing, shut the system down quickly.