Petya; What you Need to know and How to Mitigate the Risks

Simon Ryan, Founder, FirstWave Cloud Technology

Hot off the heels of the recent WannaCry and Adylkuzz incidents, businesses around the world have once again been brought to their knees by a major malware attack, this time called Petya. Within hours of initially infecting Ukrainian computers, Petya rapidly propagated itself to Windows PCs around the world.

These incidents are part of a broader trend that has seen both the prevalence and severity of ransomware attacks escalate substantially over recent years. This alarming trend places vital business information and IT systems at risk. The good news is that there are a number of steps your business can take to mitigate the risk of becoming a victim of Petya.

What, exactly, is Petya?
Before going any further, it’s important to have some familiarity with what the Petya attack was and how it worked. At its simplest, Petya is an example of a ransomware attack, where malicious software deliberately encrypts the user’s files. Once the files are encrypted, the attacker demands payment (usually in bitcoin) to decrypt them. There are two main variations of Petya. The first version, dubbed ‘GoldenEye’, was uncovered by Trend Micro in March 2016 after being spread using emails with a compromised PDF purporting to be from a job applicant. The more recent variation, known as ‘NotPetya’, was initially spread on June 27 through a compromised update for a Ukrainian accounting software package called MeDOC, which is used to manage tax compliance by companies dealing with the Ukrainian government.

In both cases, Petya then deployed a range of techniques to propagate itself across a victim’s network. These included a vulnerability (known as EternalBlue) in the Windows Server Message Block (SMB) protocol used for network drives and printers, as well as a command-line remote administration tool called PsExec.

The EternalBlue vulnerability, which was also used in the WannaCry attack, was released by a hacker group called Shadow Brokers and is believed to have originally been developed by the US National Security Agency. Although Microsoft patched this issue in March as part of the MS17-010 security bulletin, many companies have still not installed the update.

After spreading across a network, Petya scrambles both the master boot record (MBR) and hard disk contents before forcing a reboot that renders the victim’s computer unusable. A custom MBR is then created displaying a ransom notice to the user, demanding that bitcoins are paid to an email address that has since been deactivated.

Once this happens, there is no known workaround to retrieve the decryption keys. Making matters worse, during the MBR replacement, there is a bug in the ransomware code that overwrites some critical information needed for the decryption process to work effectively.

The choice of a Ukrainian software company as the initial attack vector has led some prominent security researchers to suspect that the NotPetya attack might have been a state-sponsored attack designed to cause maximum disruption to businesses, rather than an attack by organised crime groups motivated by financial gain.

According to reports, a person claiming to be the bad actor responsible for Petya has recently resurfaced on the dark web and offered the decryption key for sale. If it were purchased, a recovery tool could theoretically be built that might be able to recover the data on a file-by-file basis. However, at around $250,000 for the decryption key, it would be a very big (and expensive) risk to take.

A Disturbing Trend
Ransomware attacks such as Petya, along with the earlier WannaCry attack, are not a new type of threat. In fact, the first known malware extortion attack was in 1989, nearly 30 years ago. What has changed is both the frequency and severity of the attacks. Increasingly, lone-wolf hackers and cyber-criminal gangs are being joined by highly sophisticated state-sponsored actors looking to cause maximum disruption to the economy of a targeted country.

As the global spread of Petya demonstrates, serious state-sponsored malware attacks are often not contained within the geographic boundaries of a single country. In terms of the growing frequency of such ransomware attacks, FirstWave released figures in May showing an alarming 72 percent year-on-year increase in email-based malware attacks blocked by its cloud-based filtering software, with a total of 247,000 malicious emails blocked from reaching customers. This means that companies, and in particular small- to medium-sized businesses that do not have adequate web, email and NGFW (next-generation firewall) protection, face a growing risk of having their vital business information and IT systems destroyed by ransomware.

Protecting yourself from Petya
There are a number of steps that businesses can take to reduce their risk of being infected by Petya, as well as by other similar malware attacks. The most important step is to make sure all systems have the latest security patches installed, including the one in Microsoft’s MS17-010 bulletin. It is also worth blocking the PsExec tool from running on users’ computers using a product such as Sophos Endpoint Protection.

As a more general precaution against ransomware, it is important to make regular backups of your most important files, and to keep a recent copy of your data off-site. This way, even if your computers are compromised, you won’t lose your valuable business data.

Finally, it is vitally important to make sure you never open email attachments from senders you don’t recognise. Because attacks such as Petya can spread across networks, it is also essential to ensure that all of your staff have been trained to not open unexpected files attached to emails.
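As an added example that is not part of the article or FirstWave's own tooling, the following PowerShell audit checks a single Windows host for the two propagation paths named above, the SMB flaw fixed by MS17-010 and the use of PsExec. It assumes an elevated session on Windows 8 / Server 2012 or later, and the KB list is the set of MS17-010 updates Microsoft published for common Windows editions.

```powershell
# Added audit example, not code from the article. Read-only: it reports, it does not change anything.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or later
# (Get-SmbServerConfiguration is not available on older versions).

# MS17-010 shipped under a different KB number per Windows version; these are the
# bulletin's KBs for common editions. On Windows 10 a later cumulative update
# supersedes them, so an empty result there means "check the build", not "unpatched".
$ms17010 = @('KB4012212','KB4012215','KB4012213','KB4012216',
             'KB4012214','KB4012217','KB4012598','KB4012606',
             'KB4013198','KB4013429')
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Output "MS17-010 installed: $($found.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 update found; verify the patch level before anything else"
}

# EternalBlue targets SMBv1. Report whether the server side still accepts it; the
# command that turns it off is left commented so the audit stays read-only.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server still enabled"
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 server disabled"
}

# PsExec installs a temporary service named PSEXESVC on each machine it runs on, and
# service installation is recorded in the System log as Event ID 7045. These entries
# show whether PsExec has been used against this host, legitimately or otherwise.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' }
if ($events) {
    Write-Warning "PsExec service installs found: $(@($events).Count)"
    $events | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Output "No PsExec service installs in the System log"
}
```

Run it on a sample of workstations and servers before rolling out the endpoint-protection block described above; hosts that report an enabled SMBv1 server and no MS17-010 update are the ones to patch first.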