Are You Prepared for Petya and The New Wave of Ransomware?

Image Credit: US Air Force

Article Written by Jeff Grundy.

In late June, Acronis reported on a new variant of Petya ransomware that had recently been released into the wild. The new outbreak started by infecting networks in Ukraine and quickly spread to dozens of other countries. Since then, Microsoft, Fox News, and others, including the United States Computer Emergency Readiness Team, have reported further developments that suggest we have not seen the last of this particularly virulent strain of ransomware.

New Variant or Completely Different?

When reports of the new ransomware attacks started surfacing, industry experts were unsure if the culprit was a variant of previously released malicious code or if it was an entirely new strain. Because of the text displayed by the ransomware - after successfully encrypting an infected machine - some believed the new outbreak to simply be a rehashed version of Petya or WannaCry.

According to reports from Reuters and other news services, infected machines display the following message: "If you see this text, then your files are no longer accessible because they have been encrypted." The ransomware text goes on to warn users by adding "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."


A New Dark Star is Born

Since the first reports of the new ransomware, there has been evidence that the latest ransomware release is indeed different enough from previous versions that it deserves its own designation. Hence, many security groups and industry watchdogs have dubbed the new ransomware "NotPetya." Even so, some experts still argue that the new ransomware is a variant of Petya.

The primary difference between NotPetya and variants of Petya ransomware is worth noting. Petya variants were never designed to encrypt or lock down entire systems - just specific files on the PCs. NotPetya, on the other hand, encrypts entire hard drives and forces users to enter a decryption key before allowing any access at all. Once NotPetya and similar variants encrypt a system, warning messages demand $300 in Bitcoin currency in return for a decryption key.

Older, Unpatched Systems Most Vulnerable

The new strains of ransomware, such as NotPetya, use the same type of exploit that enabled WannaCry to infect and lock down thousands of computers worldwide back in May of this year. All of these ransomware variants use the backdoor exploit developed by the National Security Agency (NSA) known as "EternalBlue."

Hackers stole the EternalBlue exploit code from the NSA earlier in the year. Once the code theft was discovered, the NSA notified Microsoft of the method of attack. Microsoft then released a security fix for the vulnerability in March 2017.


The Microsoft patch is reported to work effectively in blocking WannaCry, Petya, NotPetya, and other similar ransomware variants. Nevertheless, tens of thousands of computers around the world have not had the patch applied and still remain vulnerable, according to the International Business Times, ThreatPost, and other sources.

Because the NSA exploit targets systems without the patch, users of older Windows versions, such as XP, Windows 7, and Windows 8, as well as those with unpatched versions of Windows 10 are the most vulnerable to NotPetya and other ransomware strains that utilize the EternalBlue vulnerability.

Attacks Increasing in Frequency

The NotPetya (or Petya variant depending on who you ask) attacks came just six weeks after WannaCry started wreaking havoc on more than 250,000 systems around the globe. Many security experts point to the fact that so little time passed between major outbreaks as a sign that ransomware attacks are only getting worse - not better.

Back in May, Newsweek reported that ransomware attacks were up more than 250 percent for the first few months of 2017 (versus the same time period last year). And, according to Kaspersky, the United States is the country most affected by the ransomware epidemic. Studies for the last couple of months are not yet fully available. However, all data collected to date seems to indicate that ransomware attacks are increasing at an alarming rate.


Anti-Virus Solutions Arrive Too Late

By now, most anti-virus (AV) applications have applied updates that allow them to detect and neutralize WannaCry, Petya, NotPetya, and other similar ransomware variants. However, the virus definition and signature updates for the AV programs were not made available to users until well after the ransomware went live and started infecting and encrypting systems all over.

Because dependable virus patterns and signatures were virtually nonexistent when WannaCry, Petya, and NotPetya were released, most AV scanners had no chance of detecting the ransomware - even if the virus definitions or signatures were fully up to date. As a result, thousands upon thousands of systems were infected with the ransomware within hours of its release into the wild.

While keeping your anti-virus program up to date is certainly important (and the best way of preventing attacks by known strains), it is also important to understand that many ransomware variants are zero-day exploits. Put simply, zero-day exploits generally cannot be detected by AV scanners because they are unknown to the security developers and others who create and distribute the virus signatures or pattern definitions needed to discover and eradicate ransomware threats.

Protecting Against Ransomware - Update, Update, Update!

All of the ransomware strains/variants mentioned in this post use the EternalBlue exploit -- created by the NSA -- to infect computers. As mentioned above, Microsoft released a security fix for the exploit in March, and the patch has been shown to prevent these types of ransomware attacks effectively. This means that the computers infected with NotPetya and other similar variants were compromised for one simple reason - Windows updates were not installed at the time of the attacks.

With zero-day exploits, there is little that signature-based anti-virus/malware applications can do to help. And Microsoft updates are usually released as reactive (not proactive) fixes to threats. Nevertheless, ensuring that you download and install Windows and AV updates in a timely manner can help prevent ransomware attacks in many cases.


Ransomware outbreaks can spread quickly. Still, Microsoft and AV developers usually respond quickly as well and provide updates or patches within a few days. While waiting for updates may not be the ideal solution, it is still relatively effective - as long as patches and signatures are downloaded and installed quickly.

Acronis Protection - More Than Just a Backup

By far, the best way to protect your data against Petya, NotPetya, or any other type of ransomware is to ensure that you have current, thorough backups of your files. When you have an effective backup strategy in place, ransomware and other threats become much less worrisome, as safe, secure copies of your important data are always available.

With effective backup solutions, such as Acronis True Image or Acronis Backup 12.5, creating secure backups is both quick and easy. However, with Acronis products, you get much more than just backup applications; you also get solutions that actively fight to defend your data against ransomware.


Acronis Active Protection

Our revolutionary Acronis Active Protection technology continuously monitors your system using artificial intelligence and sophisticated analysis. If Active Protection detects errant or suspicious behavior or processes, it halts the activity immediately and blacklists the application or process behind it to ensure it cannot start again after you reboot the system.

If ransomware does manage to find its way onto your system (albeit unlikely), Acronis Active Protection will detect any encryption activity quickly and stop it. After halting the encryption processes, Active Protection will restore any affected files to their most recent backed-up versions. How effective is Acronis Active Protection? Well, in a test by NioGuard Security Lab, Acronis Active Protection outperformed 22 well-known anti-virus applications when it came to detecting and neutralizing ransomware.
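The two ideas in this section and in the backup section above - detect an encryptor by what it does rather than by a signature, then roll the damaged files back to the last good copy - can be shown in a small simulation. The following is an added illustration written for this article; it is not Acronis code and makes no claim about how Active Protection is implemented. It assumes a simple behavioural rule (a process that rewrites several previously low-entropy files with high-entropy content within a short window is an encryptor), a backup directory holding a snapshot of each protected file, and constructed file contents and timestamps. The `RansomwareGuard`, `WriteEvent`, `shannon_entropy` and `demo` names are invented for the example.

```python
"""Behaviour-based ransomware guard: added illustration, not vendor code.

Rule (an assumption for this example): a process that rewrites several
previously low-entropy files with high-entropy content inside a short
window is treated as an encryptor. The guard then (1) blocklists the PID
so its further writes are refused and (2) restores every file that PID
touched from the backup snapshot.
"""
import math
import os
import shutil
import tempfile
from collections import defaultdict, deque
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for prose, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    pid: int
    path: str
    data: bytes
    ts: float  # seconds; the demo uses constructed timestamps


class RansomwareGuard:
    def __init__(self, backup_dir, entropy_jump=3.0, burst=3, window=10.0):
        self.backup_dir = backup_dir
        self.entropy_jump = entropy_jump  # entropy rise that marks one write as suspicious
        self.burst = burst                # suspicious writes per window before the PID is halted
        self.window = window
        self.blocklist = set()            # PIDs refused from now on (persist this in a real product)
        self.suspicious = defaultdict(deque)  # pid -> timestamps of suspicious writes
        self.touched = defaultdict(set)       # pid -> files it modified

    def _backup_path(self, path):
        # Flat layout keyed by basename; enough for the demo, not for real trees.
        return os.path.join(self.backup_dir, os.path.basename(path))

    def snapshot(self, path):
        """Copy a protected file into the backup area (its 'last good version')."""
        shutil.copy2(path, self._backup_path(path))

    def restore(self, path):
        shutil.copy2(self._backup_path(path), path)

    def on_write(self, ev: WriteEvent) -> str:
        if ev.pid in self.blocklist:
            return "refused"
        with open(ev.path, "rb") as f:
            before = shannon_entropy(f.read())
        after = shannon_entropy(ev.data)
        # Let the write land (a kernel filter would hold it); we detect and roll back.
        with open(ev.path, "wb") as f:
            f.write(ev.data)
        self.touched[ev.pid].add(ev.path)
        if after - before < self.entropy_jump:
            return "allowed"
        q = self.suspicious[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.burst:
            return "suspicious"
        self.blocklist.add(ev.pid)
        for p in self.touched[ev.pid]:
            self.restore(p)
        return "halted"


PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 40  # constructed low-entropy content
CIPHER_LIKE = bytes(range(256)) * 8                              # constructed; 8.0 bits/byte


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed run: a benign editor (pid 100) and an encryptor (pid 666)."""
    work, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    guard = RansomwareGuard(backup)
    paths = [os.path.join(work, f"doc{i}.txt") for i in range(4)]
    for p in paths:
        with open(p, "wb") as f:
            f.write(PLAINTEXT)
        guard.snapshot(p)
    verdicts = [guard.on_write(WriteEvent(100, paths[0], PLAINTEXT + b"edited\n", 1.0))]
    for i, p in enumerate(paths):
        verdicts.append(guard.on_write(WriteEvent(666, p, CIPHER_LIKE, 2.0 + i)))
    restored = all(_read(p) == PLAINTEXT for p in paths)
    shutil.rmtree(work)
    shutil.rmtree(backup)
    return verdicts, restored, 666 in guard.blocklist


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible that the prose does not: the first couple of encrypted files are lost to the window before the rule fires, which is why the rollback step matters as much as the block, and the rollback returns the benign edit made by pid 100 to the snapshot as well, so the freshness of the last backup bounds what survives.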

Don't Wait to Protect Your Data

When ransomware worms its way onto your hard drive and finishes encrypting boot tables or files, it is already too late - as many thousands of users have already discovered. Therefore, if you're not already creating regular backups of all the data on your systems, you need to start doing so immediately. Ransomware is not going away anytime soon, and all the evidence points to it only becoming more commonplace and dangerous from here on out.


Published Monday, July 17, 2017 8:14 AM by David Marshall