Not soon after servers have started recovering from WannaCry ransomware, there is this new Petya ransomware which spreads rapidly to Windows servers via the networks.

Once infected, the Petya ransomware locks up your entire server files and encrypts them in such a way that you can no longer use them. The attackers then demand $300 Bitcoins as ransom to decrypt your data.

The infected server would start showing the message:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Today we’ll see how Petya ransomware can affect your servers and how you can protect them from an attack.

See how we help web hosting companies

How Petya ransomware affects your Windows 2003 and 2008 servers

This ransomware spreads from one server to others in its network, by using a vulnerability in Windows Server Message Block (SMB) implementation of Windows systems, called ETERNALBLUE.

The Server Message Block (SMB) Protocol is a network file sharing protocol. Due to the security vulnerabilities in Microsoft’s implementation of SMB protocol, it has become a primary attack vector for intrusion attempts.

Though Microsoft Windows has released the patch for the SMB vulnerability, there are still many servers out in the network, that have not been secured, and are prone to attacks.

In Petya cyber attack, the malware infects the entire network and known server names. The open TCP ports 445 and 139 in not-properly-secured servers are attacked and malware is injected to the server.

Petya ransomware replaces the computer’s MBR with its own malicious code. It then encrypts the server data, reboots the server and displays the ransom note.

Once the hard drive’s master file table (MFT) is encrypted, it hijacks the master boot record (MBR). The malware restricts user access to the full system by encrypting information about file names, sizes, and location on the physical disk.

While users are threatened against switching off their PC during the reboot process, paying ransom and expecting the files to be returned to you, is the last thing you should be doing.

How to protect your Windows 2003 and Windows 2008 servers from Petya ransomware

If your servers are running Microsoft Windows Server 2003 or Windows Server 2008 OS, and other vulnerable or outdated versions, then you are at risk.

To protect your servers, it is important to perform these security measures:

1. Microsoft has released the security patches against SMB vulerability for all prominent OS versions, and the relevant security patch should be applied to your Windows 2003 and 2008 servers, at the earliest.
2. It is crucial to backup all the critical server data and store them in a safer external storage. If you are already attacked, you need to reinstall the server and restore your server data from this confidential backup.
3. Mail servers should be secured and all outgoing and incoming emails should be scanned for malicious attachments or viruses.
4. Configure the updated anti-virus programs that are smart enough to track these malware.
5. Scan the server for all ransomware hashes in files and remove the ones that are affected.
6. Secure the server files and network to protect it from hackers and regularly audit the servers and network for any vulnerabilities.
7. All software downloads should be monitored and controlled to prevent users from installing malicious scripts in the server.
8. Use strong spam-filtering techniques to prevent inbound spamming and methods to avoid email spoofing.
9. Disable the outdated SMBv1 protocol and block incoming traffic in SMB port 445. Secure the vulnerable and unused ports that are open in the server.
10. If the server is already infected, you need to temporarily disable SMB or block SMB ports and retrieve the infected files, or even do a fresh install and restore the files from backups.

Since some security patches are not available ready-made, and permanently disabling SMB can lead to functionality issues, the best strategy for your server should be chosen only with an expert help.

Though Microsoft had released security patches earlier, many server owners missed out in applying it on their Windows 2003 and Windows 2008 servers, causing them to be vulnerable to the attack.

[ You don’t have to lose your sleep to keep your servers secure. Our Hosting Support Specialists are online 24/7/365 to save your servers. ]

How can we help secure your Windows 2003 and Windows 2008 servers

At Bobcares, our security experts help secure servers for web hosts by updating them with the latest security patches and hardening the network and services.

With our regular top-down security audits and multi-layered security defenses, we enable our customers’ servers to stay impenetrable against any new threats or vulnerabilities.

Some of the security measures that our 24/7 server specialists perform in our customers’ Windows 2003 and Windows 2008 servers to protect them from attacks, include:

1. Maintaining the Windows server software and applications updated with the latest security patches.
2. Disabling email spoofing with the help of RDNS (Reverse DNS), Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) tools for domains.
3. Monitoring the server logs and processes 24/7 for any suspicious activity and taking prompt corrective actions.
4. Restricting user privileges and application permissions to block unwanted binaries from messing up the server.
5. Deploying web and email filters to scan and block suspicious domains and email attachments from reaching the server.
6. Configuring the latest anti-virus and other malware scanning tools that can identify and block malicious scripts.
7. Setting up a fool-proof backup policy for critical server data and regularly validate the data integrity.
8. Enabling data encryption for all critical services and securing web browsers with appropriate content controls.
9. Securing the server using firewalls, disabling unwanted ports and protocols and segregating network into security zones.
10. Conducting periodic security audits and Vulnerability Assessment and Penetration Testing (VAPT) to detect any exploits.

Much like how a fort is secured by a moat, canons, archers and steep walls, effective server security can be ensured only with multiple layers of defenses.

[ You don’t have to lose your sleep over your server security. Our server specialists secure your servers in no time. ]

At Bobcares, our 24/7 server specialists constantly monitor all the services in the server and proactively audit the server for any errors or corruption in them.

With our systematic debugging approach for service or other software errors, we have been able to provide an exciting support experience to the customers.

If you would like to know how to avoid downtime for your customers due to errors or other service failures, we would be happy to talk to you.