Sharda Tickoo, Technical Head, Trend Micro India, said, “In India, so far we have no cases of Petya that have been reported to us. The countries most affected are in Europe, typically Ukraine and Russia. We would recommend that companies maintain the important hygiene of updating systems with the latest patches, or consider using virtual patching in their absence. Take regular back-ups of necessary data and proactively monitor the systems for any suspicious activity. And most importantly, because it is a ransomware, we have to secure the email gateway first. There are also certain URL categorizations that should be employed in the work environment which can block access to malicious websites. Ensure that all the workstations have least privilege unless a workstation actually requires administrator privilege, as the ransomware spreads and tries to escalate privileges. As it uses certain administrative tools like PowerShell, ensure that these utilities are restricted to administrators.”
Pointing out the similarities and differences between Petya and other ransomware, she further added, “There are a lot of similarities being drawn between Petya and WannaCry. WannaCry was a very basic form of ransomware attack and it used worm-like techniques. Petya seems to be a thorough ransomware which uses different modalities. It is using the EternalBlue vulnerability. It leverages multiple infection vectors, not just one.

The Petya ransomware modifies the Master Boot Record (MBR) and encrypts the system files. Once the MBR is modified by this ransomware, the system displays the ransom note instead of a black or blue screen. Normal ransomware, by contrast, does not touch the MBR but encrypts files and asks for ransom. The Petya ransomware is a combination of a wiper and a ransomware, because it wipes the MBR.”
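The hygiene points above (least privilege on workstations, PowerShell restricted to administrators, patch currency, and exposure to the SMBv1 flaw that EternalBlue targets) can be checked on a single Windows machine with built-in cmdlets. The following read-only audit script is an added example for this article; it is not Trend Micro's code and not part of the original interview. It assumes an elevated Windows PowerShell 5.1 or later session on a Windows 10/Server host (needed for Get-LocalGroupMember and Get-SmbServerConfiguration); the 30-day patch-age threshold, the exclusion of the built-in Administrator account, and the shape of the report object are this example's own choices.

```powershell
# Added example: read-only workstation hygiene audit (not from the article).
# Requires an elevated PowerShell 5.1+ session; all cmdlets are built into Windows.
function Get-WorkstationHygieneReport {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Least privilege: list local Administrators members. Individual user
    #    accounts other than the built-in Administrator are flagged for review
    #    (assumption of this example: admin rights should come via groups).
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in ($admins | Where-Object { $_.ObjectClass -eq 'User' })) {
        if ($m.Name -notmatch '\\Administrator$') {
            $findings.Add("Local admin rights held by user account: $($m.Name)")
        }
    }

    # 2. SMBv1 exposure: EternalBlue targets the legacy SMBv1 protocol.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Enabled = [bool]($smb -and $smb.EnableSMB1Protocol)
    if ($smb1Enabled) {
        $findings.Add('SMBv1 server protocol is enabled; disable it unless a legacy dependency requires it')
    }

    # 3. PowerShell restrictions: machine-level execution policy (set by Group
    #    Policy) and the language mode of the current session.
    $policies      = Get-ExecutionPolicy -List
    $machinePolicy = ($policies | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    if ($machinePolicy -eq 'Undefined') {
        $findings.Add('No machine-level PowerShell execution policy is enforced by Group Policy')
    }
    $langMode = [string]$ExecutionContext.SessionState.LanguageMode
    if ($langMode -eq 'FullLanguage') {
        $findings.Add('PowerShell runs in FullLanguage mode for this user; consider ConstrainedLanguage for non-administrators')
    }

    # 4. Patch currency: days since the most recently installed hotfix
    #    (30-day threshold is an assumption of this example).
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($lastFix) {
        $age = (Get-Date) - $lastFix.InstalledOn
        if ($age.Days -gt 30) {
            $findings.Add("Last hotfix ($($lastFix.HotFixID)) installed $($age.Days) days ago")
        }
    } else {
        $findings.Add('No hotfix installation dates found; verify update status manually')
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        LocalAdmins   = @($admins | ForEach-Object { $_.Name })
        SMB1Enabled   = $smb1Enabled
        MachinePolicy = $machinePolicy
        LanguageMode  = $langMode
        Findings      = $findings.ToArray()
    }
}

# Usage: print the report for this machine.
Get-WorkstationHygieneReport | Format-List
```

Each finding maps to one of the quoted recommendations, so the Findings array can be collected centrally (for example with Invoke-Command across a fleet) to see which workstations still hold local admin rights for user accounts, still expose SMBv1, or have fallen behind on patches.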