Petya ransomware: Where it comes from and how to protect yourself

The attack highlights the growing danger of compromised third-party software being used to spread malware throughout firms.

The Petya ransomware attack that crippled computers in 64 countries worldwide was spread by accounting software, according to Microsoft, highlighting the dangers posed by compromised third-party apps.

The outbreak started in Ukraine, where more than 12,500 machines were infected, and there is now evidence this new Petya malware variant was initially spread via an updater for the tax accounting software MEDoc.

"We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern," wrote Microsoft's Windows Defender Research team, adding the command was executed at 10.30am GMT yesterday.

The Ukrainian firm that makes MEDoc initially confirmed its server had "made a virus attack", then later, in a Facebook post, denied its software had been compromised.

Microsoft says the attack underlines the growing dangers of hackers exploiting third-party software to infect large numbers of organizations.

"As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers which requires advanced defense."

Another software supply chain attack earlier this year compromised an updater for a third-party editing tool used across multiple firms, Microsoft said, describing this approach as "a silent yet effective attack vector".

A large number of organizations were infected, many in Ukraine, including Danish transport company Maersk, Russian oil firm Rosneft, the Kiev metro system, National Bank of Ukraine, the law firm DLA Piper, US pharmaceutical company Merck and many others.

How to protect yourself

Once the ransomware infects a machine, it then attempts to spread itself to other PCs on the network. To propagate itself, it will try to steal credentials to gain local admin privileges, attempt to use file-shares to transfer the malicious file between PCs, and then remotely execute the file. The ransomware encrypts entire hard drives and demands a Bitcoin payment of $300 to release them.

The malware can also spread itself using the EternalBlue exploit for an SMB vulnerability, which was used by WannaCry to spread between machines. The vulnerability was patched by Microsoft in March this year.

Microsoft recommends applying this security update, but for those who aren't able to, it suggests firms "disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547" and "consider adding a rule on your router or firewall to block incoming SMB traffic on port 445".

Another workaround for blocking infection by Petya is to create an extensionless, read-only file called perfc in the C:\Windows folder, using the steps outlined here.
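The three mitigations above (disable SMBv1, block inbound port 445, create the read-only perfc file) can be applied to a single Windows host from an elevated PowerShell session. The following script is an added example, not code from the article or from Microsoft; it assumes Windows 8.1 / Server 2012 R2 or later (where the SMB and firewall cmdlets used here exist) and uses the Windows host firewall as a stand-in for the router or perimeter firewall rule Microsoft describes.

```powershell
#Requires -RunAsAdministrator
# Added example: host-level hardening against Petya's SMB propagation.
# Every step prints its before/after state so the change can be verified.

function Disable-Smb1 {
    # Mirrors the intent of KB 2696547: turn off the SMBv1 server protocol
    # and remove the optional feature so it cannot be re-enabled by accident.
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client SKUs SMBv1 is also an optional feature; ignore if absent.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    $after = (Get-SmbServerConfiguration).EnableSMB1Protocol
    "SMBv1 server enabled: $before -> $after"
}

function Block-InboundSmb {
    # Block inbound TCP 445 on all firewall profiles. Idempotent: the rule is
    # only created if a rule with this display name does not already exist.
    $name = 'Block inbound SMB (TCP 445) - Petya mitigation'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    $rule = Get-NetFirewallRule -DisplayName $name
    "Firewall rule '$name': Enabled=$($rule.Enabled) Action=$($rule.Action)"
}

function New-PerfcFile {
    # Create the extensionless, read-only file C:\Windows\perfc described in
    # the article. $env:SystemRoot is used instead of a hard-coded C:\Windows.
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $item = Get-Item -LiteralPath $path
    "perfc file: $($item.FullName) ReadOnly=$($item.IsReadOnly)"
}

# Apply all three mitigations and report the resulting state.
Disable-Smb1
Block-InboundSmb
New-PerfcFile
# Note: disabling the SMBv1 feature takes effect fully after a reboot, and the
# firewall rule will also block legitimate inbound file sharing to this host.
```

Applying the security update remains the primary fix; the script is a stop-gap for hosts that cannot yet be patched, and the 445 block should be reviewed before use on file servers that must accept SMB connections.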

Microsoft also provides a detailed breakdown of the commands and network activity that indicate a Petya infection.
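Two of the behaviours the article describes are straightforward to check for in endpoint and network telemetry: a software updater process (EzVit.exe) spawning a command interpreter, and a single host opening SMB connections to many peers on port 445 as it tries to spread. The script below is an added example, not Microsoft's published indicators; the record field names are modelled on Sysmon-style process-creation and network-connection events, the sample records, file paths and IP addresses are constructed for the demonstration, and the fan-out threshold is an assumed tuning value.

```powershell
# Added example: two defender-side heuristics over constructed event records.

function Find-SuspiciousUpdaterChildren {
    # Flag child processes of the MEDoc updater that are shells, script hosts
    # or DLL loaders. A legitimate updater has little reason to launch these.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$UpdaterName = 'EzVit.exe'
    )
    $interpreters = @('cmd.exe', 'powershell.exe', 'rundll32.exe',
                      'wscript.exe', 'cscript.exe', 'mshta.exe')
    $Events | Where-Object {
        (Split-Path $_.ParentImage -Leaf) -ieq $UpdaterName -and
        $interpreters -contains (Split-Path $_.Image -Leaf)
    }
}

function Find-SmbFanOut {
    # Flag any source host that contacted at least $Threshold distinct
    # destinations on TCP 445. A real rule would also bucket by time window.
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [int]$Threshold = 10   # assumed tuning value; adjust to the environment
    )
    $Connections |
        Where-Object { $_.DstPort -eq 445 } |
        Group-Object -Property SrcHost |
        ForEach-Object {
            $targets = @($_.Group.DstIP | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    SrcHost         = $_.Name
                    DistinctTargets = $targets.Count
                    FirstSeen       = ($_.Group.Time | Sort-Object)[0]
                }
            }
        }
}

# --- Constructed sample data (not real telemetry) ---
$processEvents = @(
    [pscustomobject]@{ Time='2017-06-27T10:30:01Z'; Host='FIN-PC01'
        ParentImage='C:\Program Files\MEDoc\EzVit.exe'      # constructed path
        Image='C:\Windows\System32\rundll32.exe'; CommandLine='<redacted in sample>' }
    [pscustomobject]@{ Time='2017-06-27T10:31:15Z'; Host='FIN-PC02'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe' }
    [pscustomobject]@{ Time='2017-06-27T10:32:40Z'; Host='FIN-PC01'
        ParentImage='C:\Program Files\MEDoc\EzVit.exe'
        Image='C:\Program Files\MEDoc\ezvit.exe'; CommandLine='<self-update>' }
)

# One host touching twelve peers on 445 plus a second host with one normal
# file-server connection. Addresses are constructed RFC 1918 values.
$connections = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time="2017-06-27T10:30:$('{0:D2}' -f $_)Z"
            SrcHost='FIN-PC01'; DstIP="10.0.0.$_"; DstPort=445 }
    }
    [pscustomobject]@{ Time='2017-06-27T10:35:00Z'; SrcHost='FIN-PC02'
        DstIP='10.0.0.50'; DstPort=445 }
)

'--- Updater spawning interpreters ---'
Find-SuspiciousUpdaterChildren -Events $processEvents |
    Format-Table Time, Host, Image, CommandLine -AutoSize
'--- SMB fan-out ---'
Find-SmbFanOut -Connections $connections | Format-Table -AutoSize
```

Run against the constructed data, the first check reports only the FIN-PC01 event where EzVit.exe launched rundll32.exe (the self-update event is ignored because its child is not an interpreter), and the second reports FIN-PC01 with twelve distinct 445 targets while FIN-PC02's single file-server connection stays below the threshold. Feed the same functions objects built from Sysmon, Windows Security 4688 or firewall logs to apply them to real data.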

[Figure: Petya ransom note. Image: Microsoft]

About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
