Following the WannaCry attack in May, there's new malware spreading across the world: Petya. Ransomware stops you from accessing any files on the ‘infected’ computer until you pay the ransom. Here we explain what you need to do to protect your precious data.
Although it displays a similar message to other ransomware (and indeed to Petya last year) and tells users to send $300 to a Bitcoin account, the code has been found to have no decryption capabilities. This means that any infected computer is virtually guaranteed to be rendered completely unusable.
It also gives a strong reason for victims not to pay the ransom: even if you do, you won't get your data back.
As with WannaCry, it's businesses that are suffering the most from this latest attack, seemingly having failed to install the necessary patch to fix the vulnerability - the same one Petya.2017 is using now.
However, rather than being a money-making scheme, this latest attack appears to have been designed to 'lure the media'. The vast majority of affected computers are in Ukraine, but businesses including FedEx and computers in many other countries have also fallen victim.
Matt Suiche, founder of Comae, said in a blog post, "The fact of pretending to be a ransomware while being in fact a nation state attack - especially since WannaCry proved that widely spread ransomware aren’t financially profitable - is in our opinion a very subtle way from the attacker to control the narrative of the attack."
What is ransomware?
It's a malicious program that's like a computer virus. It's designed to scan your hard drives and encrypt as many files as it can so you can't access them. The files are still there, but you have to pay a sum - the ransom - in order to get them back. This is usually done via Bitcoin, as it's anonymous.
Sometimes the hackers have to intervene manually to decrypt your files once you've paid. But since you're dealing with criminals, there's no reason to think they will do what they promise. So most experts recommend you don't pay.
New wave of malware
As we explain below, WannaCry was stopped but the group responsible for leaking the vulnerabilities - Shadow Brokers - had already said it would leak more in June. A Reuters report outlines the blog post from the group which says it is "setting up a monthly data dump" that it will sell to anyone willing to pay.
It says that the exploits will enable criminals to code malware that will break into web browsers, phones, routers and Windows 10 systems. However, you can use our tips below to help keep your computers and files safe.
How does NotPetya work?
Like a lot of malware, it can arrive as an email attachment. This method relies on computer users opening the attachment, or clicking on a link in an email, which causes the program to run.
People often open these attachments or click links out of curiosity, because the sender is someone in their address book. So the best advice is not to open anything you don't completely trust.
In this case, the attack targets system administrators of corporate networks, as it needs to get access to those high-level credentials in order to take control of as many other computers on the network as possible.
This means that even if all machines have been patched with the Microsoft update from March, there's still a chance it can succeed. It appears that NotPetya started infecting computers in Ukraine via a hijacked software update for Ukrainian tax software, as well as through phishing emails.
The latest reports say that the malware's resemblance to last year's Petya is only skin deep. However, like Petya, it overwrites the MBR section of the computer's hard disk - the Master Boot Record - which prevents Windows from booting, as well as stopping access to the files.
As of yet, no fixes or tools have been released for victims to get their data back.
Which versions of Windows are affected?
In general, home users should not be affected by NotPetya. It exploits the same 'EternalBlue' vulnerability as WannaCry. Microsoft issued a patch for all versions of Windows which were supported at the time back in March 2017.
Since Windows defaults to installing updates automatically, the patch should already be installed. The security update would have protected Windows Vista, Windows 7 and Windows 8.1 systems which had automatic updates turned on.
If your computer runs Windows 10, it should be protected, too.
The EternalBlue vulnerability relates to computers running the business version of Windows, specifically those using the SMB network file system. This is why we're hearing that companies such as FedEx, Merck and Maersk have been hit by this new wave.
At the time of the WannaCry attack only older versions of Windows which are no longer supported were vulnerable, including Windows XP and Windows 8.
Microsoft issued a security patch for Windows XP and Windows 8 – a very unusual step for unsupported operating systems – which you can download from the links on Microsoft’s blog.
You can check if your computer has the necessary patch installed using this free tool which you can download from our German sister site PCWelt (the tool is in English).
How can I protect my files from WannaCry?
If you have Windows Update enabled on other versions then your computer is already protected against WannaCry, NotPetya and any other attacks which use the same vulnerability. However, this doesn't mean it's 100 percent secure from attack - you should still follow our advice below.
If you’re not sure if your computers are up to date, then open the Control Panel (you’ll find a link in the Start menu) and search for Windows Update. Click through to Windows Update and you’ll be able to check if it’s enabled or not.
There should be a button ‘Check for updates’ which you can click to force Windows to search and install critical updates.
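The manual Windows Update check above can also be scripted. The following is an added example, not a tool from the article, from PCWelt or from Microsoft: it reports whether the Windows Update service can run, whether a list of required hotfixes is installed, and whether the SMBv1 server protocol (the one EternalBlue targets) is still enabled. It assumes Windows 7 or later, an elevated PowerShell prompt, and that you replace the placeholder KB number with the ones Microsoft lists for your Windows version's March 2017 security update.

```powershell
# Added example (not from the article): read-only audit of the patch and SMBv1 state.
# Run from an elevated PowerShell prompt on Windows 7 or later.
function Test-SmbPatchStatus {
    # PLACEHOLDER: fill in the KB numbers for your Windows version from Microsoft's bulletin
    param([string[]]$RequiredKBs = @('KB0000000'))

    # 1. Can the Windows Update service run at all? (WMI works on Windows 7 too.)
    $wu = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    $updateServiceOk = ($wu -ne $null) -and ($wu.StartMode -ne 'Disabled')

    # 2. Which of the required hotfixes are actually installed?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    # 3. Is the SMBv1 server protocol still enabled?
    $smb1 = $true
    try {
        # Windows 8 / Server 2012 and later expose it directly
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Older systems: documented registry switch; a missing value means "enabled"
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $reg  = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        $smb1 = -not (($reg -ne $null) -and ($reg.SMB1 -eq 0))
    }

    $verdict = 'ACTION NEEDED'
    if ($updateServiceOk -and ($missing.Count -eq 0) -and (-not $smb1)) { $verdict = 'OK' }

    [pscustomobject]@{
        UpdateServiceEnabled = [bool]$updateServiceOk
        MissingHotfixes      = $missing
        Smb1Enabled          = [bool]$smb1
        Verdict              = $verdict
    }
}

Test-SmbPatchStatus | Format-List
```

A result of 'OK' only means the listed hotfixes are present and SMBv1 is off; it does not replace a current antivirus and an offline backup, which the article covers next.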
But don't stop there, sit back and assume you're safe. Follow our advice to keep your files safe from ransomware.
The best protection is to have at least one (if not two) copies of any files you can’t afford to lose. Photos, home videos, financial documents and other files that can’t be replaced should be backed up regularly.
Ransomware is often clever enough to scan your home network and infect other computers and even network storage drives (NAS drives) so it’s really important to make a backup on a USB stick or external hard drive that you disconnect and keep safely somewhere.
You can find our pick of the best backup software here.
Don’t open attachments
You, as the computer user, are often the weak link in the chain. Windows and antivirus software – see below – can help to protect you from ransomware attacks, but you can help yourself by being extremely cautious about which email attachments you open and which links you click.
Typically, emails from hackers won’t contain a personal message, or it will be so generic that you can’t be sure it’s really from the person in the ‘sender’ field.
In WannaCry’s case, at least some of the emails pretended to be an important email from a bank about a money transfer.
Either just delete the email, or call the sender and ask them if they sent the email and what is in the attachment, or on the other end of the link. Unless you are absolutely sure the attachment is safe, don’t click on it.
Won’t antivirus software protect me from WannaCry?
Most but not all antivirus software now contains ‘anti-ransomware’ that should help protect your PCs and laptops from WannaCry and other ransomware.
That’s why it’s important not to rely just on Windows’ own security but to add an extra layer of protection.
My PC is infected with ransomware. What should I do?
First, don’t pay the ransom. It only encourages the criminals – getting paid is their end game. And there’s no guarantee you will get your files back even if you do pay.
If you have a backup of your files, you may be able to restore your machine to factory settings using a hidden recovery partition. Or it might be a case of reinstalling Windows. Then you'll have to reinstall your apps and copy over your backed-up files.
“One of the best protection mechanisms are patches, but they might not always work with this new version of Petya,” said Marty P. Kamden, CMO of NordVPN.
"Another way to protect yourself is to disrupt a system before it boots, as the ransomware runs on boot. After the device gets infected with a ransomware, it will wait for about an hour until reboot. Reboot is required for a malware to encrypt the system, so in certain cases, if the device gets terminated in the encryption process, it gets disrupted and information can be saved.”
His advice is also to avoid clicking on any warning messages, instead closing them down using a keyboard command (such as Alt + F4) or right-clicking on the icon on the Taskbar and closing them that way.