Last month it was the "WannaCry" virus wreaking havoc over the internet, and this week another ransomware exploit is rapidly expanding across Europe, and Ukraine in particular. The new variant, dubbed "Petya," uses the same SMBv1 exploit that WannaCry uses to replicate rapidly throughout network systems, but it holds infected computers hostage in a significantly different way.
According to a post in Hacker News, the Petya ransomware, also known as "Petwrap," is spreading rapidly, "shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins," and has affected over 300,000 computers in only 72 hours.
Petya does not encrypt files one by one in its attempt to elicit those Bitcoin payments, but uses an even more nefarious method:
Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk. Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.
Microsoft issued a series of patches for this type of exploit back in April, including taking the unusual step of patching the unsupported Windows XP operating system, so if you're current on updates you should be OK. However, the company also recommends removing the unused but vulnerable SMBv1 file sharing protocol from your systems.
It's pretty easy to do, and well worth it for the peace of mind it could bring as yet another ransomware exploit powered by leaked NSA hacking tools runs amok. Our colleague over at ZDNet, Ed Bott, runs through the procedure for Windows 10 machines:
- Open the Control Panel (search for it from the Start Menu)
- Click Programs and Features, and then, in the left-hand column, click Turn Windows Features on or off
- Scroll down to SMB 1.0/CIFS File Sharing support
- Uncheck it, and reboot
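The same change can be audited and applied from an elevated PowerShell prompt, which is handier than the Control Panel when you have more than a couple of machines to check. The script below is an added example written for this article; it is not Ed Bott's procedure or anything from Microsoft's guidance verbatim. It assumes Windows 8.1 or 10, where the DISM `SMB1Protocol` optional feature and the `Get-SmbServerConfiguration` cmdlets exist; the Windows 7 branch falls back to the registry value and service dependencies Microsoft documents for disabling SMBv1 on older systems. The function names (`Get-Smb1Status`, `Disable-Smb1`) are my own.

```powershell
#Requires -RunAsAdministrator
# Added example for this article: audit and disable SMBv1 on a Windows client.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.

function Get-Smb1Status {
    # Reports whether SMBv1 is still present/enabled. On Windows 8.1/10 this
    # reads the optional-feature state and the SMB server's protocol switch.
    # On Windows 7 (no DISM module) it reads the documented registry value.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        $server  = Get-SmbServerConfiguration
        [pscustomobject]@{
            Method            = 'OptionalFeature'
            Smb1FeatureState  = $feature.State            # Enabled / Disabled
            Smb1ServerEnabled = $server.EnableSMB1Protocol # $true / $false
        }
    }
    else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        [pscustomobject]@{
            Method            = 'Registry'
            # Absent value means the default, i.e. SMBv1 is still on.
            Smb1FeatureState  = if ($val -eq 0) { 'Disabled' } else { 'Enabled' }
            Smb1ServerEnabled = ($val -ne 0)
        }
    }
}

function Disable-Smb1 {
    # Turns SMBv1 off using whichever mechanism this Windows version supports.
    # -WhatIf lets you preview the change first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1 / 10: same thing the "Turn Windows features on or off"
        # checkbox does, plus the server-side protocol switch.
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }
    else {
        # Windows 7: disable the SMBv1 server via the registry and stop the
        # workstation service from depending on the SMBv1 client driver.
        if ($PSCmdlet.ShouldProcess('LanmanServer/mrxsmb10', 'Disable SMBv1 via registry and services')) {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }
    }

    Write-Warning 'SMBv1 disabled; reboot to complete the change.'
}

# Usage: show the current state, disable, then re-check before rebooting.
Get-Smb1Status
Disable-Smb1
Get-Smb1Status
```

After the reboot, re-run `Get-Smb1Status`: you want `Smb1FeatureState` to read `Disabled` and `Smb1ServerEnabled` to be `$false`. If you manage a fleet, the audit function is the part worth running everywhere first, since a machine with SMBv1 still enabled is one that can be reached by this exploit regardless of how the rest of the network is configured.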
This works for Windows 10 and Windows 8.1; Ed has further instructions if you're still on Windows 7. As he says, there's simply no reason for you to be running SMBv1, and Microsoft is planning to remove it entirely in the Windows 10 Fall Creators Update.
For now, governments and industries are grappling to fight the ransomware and perhaps looking at their penchant for running older unpatched systems, as the dirty tricks of the NSA continue to come back to haunt us.
Stay safe out there!