Petya Ransomware Virus: How to Avoid Infection and Protect Your Own Systems

How Petya works

As a modification of the WannaCry ransomware virus, which affected more than 200,000 users in May, the Petya ransomware virus, according to Forbes, turned out to be much more powerful than the hacker tool of the previous attack. With the ability to extract passwords from memory or the local file system, Petya easily spreads to other systems and, unlike WannaCry, which targeted older versions of Microsoft operating systems, breaks through the protection of Windows 10. However, the Petya scheme is not new: the virus encrypts data and asks for the equivalent of $300 in bitcoin to decrypt it.

Petya Ransomware Virus

But the decryption doesn't actually happen. It is for this reason that Petya has managed to gain notoriety as pseudovirus ransomware, the purpose of which is to spoil users' systems, interfere with infrastructure, and destroy data.

It's MEDoc's fault

The source of the Petya ransomware distribution has been found: it was the compromised accounting program MEDoc, whose update was trojanized with the virus. After such an update was launched, the virus spread to a huge number of computers throughout Ukraine and affected companies in Europe, Asia, and the United States. During the MEDoc update, a chain of atypical requests is triggered and the virus spreads. The diagram below illustrates what is happening:

In addition to the infection route described above, Petya infiltrates corporate networks through phishing emails containing a malicious link. When the user follows the link, the user's computer is infected and locked.

How to deal with the virus

According to security experts, to protect yourself from the virus you need to fully update your OS and antivirus software and make regular backups. To limit the spread of the virus and the infection of systems, Microsoft has released updates that are distributed automatically to its free antivirus products, Windows Defender and Microsoft Security Essentials. Alternatively, you can download the latest updates manually from the Malware Protection Center. Windows Defender ATP detects ransomware behavior automatically and does not require any updates to be installed. In addition to the above, the following actions will minimize the risk of infection:

  • Use AppLocker to prevent execution of the file named perfc.dat and to block the PsExec utility from the Sysinternals package from running.
  • Disable SMBv1 as described in Microsoft Knowledge Base Article 2696547.
  • Block ports 137, 138, 139, and 445, which Petya uses to propagate on local networks, on your network equipment or in your firewall settings.
  • Do not download suspicious files from emails, and in case of a system malfunction, disconnect your computer from the network immediately.
  • Install OS updates and security patches promptly.
  • Configure mail filters to filter out encrypted archives.
  • Conduct regular information security training for company employees.
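The first three hardening steps above (AppLocker rules for perfc.dat and PsExec, disabling SMBv1, blocking the NetBIOS/SMB ports) as one PowerShell script. This is an added example, not code from the original article or from Microsoft; it assumes a Windows 10 or Server 2016 host with the SmbShare, NetSecurity and AppLocker modules, and the rule names and policy file path are constructed here.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the Petya mitigations listed above to one host.
# Rule names and the temporary policy path are constructed, not Microsoft's.

# 1. Disable SMBv1 (server setting and the optional feature) and verify.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { throw "SMBv1 is still enabled" }

# 2. Block the NetBIOS/SMB ports used for lateral movement (inbound only).
#    On a file server this also blocks legitimate SMB, so scope it to workstations.
New-NetFirewallRule -DisplayName "Petya mitigation - block NetBIOS UDP" `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any
New-NetFirewallRule -DisplayName "Petya mitigation - block NetBIOS/SMB TCP" `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any

# 3. AppLocker deny rules: perfc.dat is a DLL (loaded via rundll32), PsExec an EXE.
#    Deny rules take precedence over Allow rules. The "*" Allow rules are a
#    placeholder baseline so the rest of the system keeps running; replace them
#    with your existing allow-list. A path rule on psexec*.exe is easy to evade by
#    renaming; a publisher rule on the Sysinternals signer is the stronger form.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all DLLs (baseline)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny perfc.dat" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*\perfc.dat" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all EXEs (baseline)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny PsExec" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="*\psexec*.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP "petya-applocker.xml"
$policyXml | Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. Verify that both Deny rules are present in the effective policy.
$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($name in "Deny perfc.dat", "Deny PsExec") {
    if (-not $effective.Contains("Name=`"$name`"")) { throw "Missing rule: $name" }
}
```

Run it once in audit form first (set EnforcementMode to AuditOnly) and review the AppLocker event log before enabling enforcement fleet-wide.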

Don't forget about proactive security measures and an installed antivirus. Following these basic rules will protect you not only from the Petya virus but also from other ransomware.
