Yesterday, organizations around the world were hit by yet another ransomware attack. Like the recent WannaCry attacks, the Petya attack encrypts documents and files and then demands a ransom to unlock them. Unlike WannaCry, Petya is believed to spread internally through an organization (rather than across the Internet) using a vulnerability called “EternalBlue” in Microsoft Windows. It is not yet clear who is behind this attack.
You will know you are a victim of this attack if your machine reboots and you see the message pictured here, which indicates that the ransomware is encrypting your data. Immediately after seeing this, turn off your machine, disconnect it from the internet, and use forensic tools to recover any files not yet encrypted. Once done, reformat your hard drive and re-install the operating system, apps, and then your data from your latest backup.
If encryption completes before you are able to power down, do not pay the ransom. It has been reported that the email address used to notify the attacker of payment has been shut down, so there is no way to get the decryption key for the data after paying the ransom.
PT Security recently published a tweet showing the local “kill switch” for Petya. From an organizational standpoint, ensure that all Microsoft patches are installed, consider installing protection programs to guard against potential attacks, and complete routine backups of data.