Are your servers secure against Petya Ransomware attack?
Not long after servers began recovering from the WannaCry ransomware, a new ransomware, Petya, is spreading rapidly to Windows servers across their networks.
Once a server is infected, Petya locks up its entire file system and encrypts the files so that you can no longer use them. The attackers then demand $300 in Bitcoin as ransom to decrypt your data.
The infected server would start showing the message:
“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Today we’ll see how Petya ransomware can affect your servers and how you can protect them from an attack.
How Petya ransomware affects your Windows 2003 and 2008 servers
This ransomware spreads from one server to the others on its network by using the ETERNALBLUE exploit against a vulnerability in the Windows implementation of Server Message Block (SMB).
The Server Message Block (SMB) protocol is a network file sharing protocol. Because of security vulnerabilities in Microsoft's implementation of the SMB protocol, it has become a primary attack vector for intrusion attempts.
Though Microsoft has released a patch for the SMB vulnerability, many servers on the network have still not been secured and remain prone to attack.
In a Petya attack, the malware works through the entire network and the server names it knows of. Servers that are not properly secured are attacked over open TCP ports 445 and 139, and the malware is injected onto the server.
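As an added example (not part of the original post), here is a small Python detector for the spreading behaviour described above: it reads firewall flow records and flags any host that reaches many distinct hosts on TCP 445 or 139 within a short window, the fan-out pattern a worm-like infection produces. The record format, the sample log, and the window and threshold defaults are all assumptions.

```python
from collections import defaultdict

SMB_PORTS = {445, 139}  # the ports the post names as the attack surface
# Constructed sample flow log ("<epoch> <src> <dst> <dst_port> <action>"):
# 10.0.0.5 sweeps the subnet over SMB like an infected host; 10.0.0.7 is normal.
SAMPLE_LOG = """\
1498500000 10.0.0.7 10.0.0.10 445 ALLOW
1498500001 10.0.0.5 10.0.0.11 445 ALLOW
1498500001 10.0.0.5 10.0.0.12 445 ALLOW
1498500002 10.0.0.5 10.0.0.13 139 ALLOW
1498500002 10.0.0.5 10.0.0.14 445 ALLOW
1498500003 10.0.0.5 10.0.0.15 445 ALLOW
1498500004 10.0.0.5 10.0.0.16 445 DENY
1498500500 10.0.0.5 10.0.0.17 445 ALLOW
"""

def parse_line(line):
    """Return (ts, src, dst, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, _action = parts
    try:
        return int(ts), src, dst, int(port)
    except ValueError:
        return None

def smb_fanout_alerts(log_text, window=60, threshold=5):
    """Map each source that reaches >= threshold distinct hosts on SMB ports
    within `window` seconds to the hosts it touched (assumed default limits)."""
    events = defaultdict(list)  # src -> [(ts, dst)], SMB traffic only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] not in SMB_PORTS:
            continue
        ts, src, dst, _port = rec
        events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window from each hit
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts

if __name__ == "__main__":
    for src, dsts in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src} reached {len(dsts)} hosts over SMB: {sorted(dsts)}")
```

Denied connections count as well, since a blocked attempt on port 445 is still evidence of a sweep; the lone connection at epoch 1498500500 falls outside the window and is not attributed to the alert.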
Petya ransomware replaces the computer’s MBR with its own malicious code. It then encrypts the server data, reboots the server and displays the ransom note.
Once the hard drive’s master file table (MFT) is encrypted, it hijacks the master boot record (MBR). The malware restricts user access to the full system by encrypting information about file names, sizes, and location on the physical disk.
While the malware warns users not to switch off the PC during the reboot process, paying the ransom and expecting your files to be returned is the last thing you should do.