A new and much more powerful version of the Petya ransomware virus is disrupting businesses and locking up computer files around the world, according to cybersecurity researchers.
The global ransomware attack—reminiscent of the WannaCry ransomware campaign that spread to more than 150 countries in May—was first spotted in Ukraine, where more than 12,500 computers were affected, according to Microsoft. Since then the new Petya variant has spread to at least 64 more countries, including the United States, Russia, Germany, Belgium, Brazil and Spain.
The virus, which encrypts users' computer files and then demands a $300 ransom in exchange for the decryption key, disrupted government operations in Kiev and disabled computers at dozens of companies in Russia and Ukraine, including advertising firm WPP Plc. and Russian government-owned oil company Rosneft PJSC. It also wreaked havoc with monitoring equipment at the Chernobyl nuclear site.
How it works
The ransomware uses known exploits to target Microsoft Windows-based computers. Costin Raiu, director of global research efforts at security software firm Kaspersky, said in a tweet that the new Petya variant disguises itself as a file that Microsoft has already approved as safe.
After the initial infection occurs, Petya takes a page out of WannaCry's book by using a known exploit called EternalBlue to steal administrator credentials and spread itself across networks. The EternalBlue exploit is believed to have been created initially by the U.S. National Security Agency. Microsoft has since issued a patch for the EternalBlue exploit.
How to protect your computers from ransomware
The best protection against ransomware is a data protection solution that backs up your files to the cloud, or to another offsite location, while creating a version history of those files.
When clean copies of your files are stored safely in the cloud, you never need to give in to the demands of cybercriminals. So the first step toward protecting your files from ransomware is to invest in a backup system before the ransomware attack occurs.
But there are several other steps you should also take to avoid becoming infected with ransomware in the first place. They include:
- Keep your systems updated with the latest security patches.
- Use firewall and antivirus software.
- Block executables from running in Microsoft Office.
- Avoid suspicious emails and email attachments.
- Never click on a link in an email from an unknown sender.
- Educate yourself and employees on how to avoid phishing emails.
What to do if you're attacked
Victims who back up their files can recover from a ransomware attack relatively quickly. Here's a step-by-step guide on what to do if all else fails and your Windows-based computer becomes infected with Petya or some other form of ransomware:
- Remove the computer from the network it’s running on so the infection doesn’t spread to other computers. If the computer isn’t running on a network, skip this step.
- Shut down the computer by holding down the power button.
- Turn the computer back on and select Safe Mode with Networking.
- Reconnect to the internet, then download and run a malware detection and removal tool such as Malwarebytes or Norton Power Eraser.
- Once the virus is removed, delete all encrypted files and restore clean versions from the Carbonite backup service.
If your computer is backed up with Carbonite, do not pay the ransom. Carbonite can help you restore clean versions of your files after they’ve been infected with ransomware. Our ransomware recovery team is available from 8:30 am to 7 pm EST Monday through Saturday.