How to protect yourself from the Petya virus. The Petya virus is afraid of vaccination. How Petya infects

Over the last week many people have heard about the worldwide hacker attack. Since this attack did most of its damage in Ukraine and Russia, and most of our readers are from those countries, we decided to collect all the ways of protecting against the Petya virus. In this article you will learn how to protect yourself from Petya, and not in one way but in several, so you can choose the one most convenient for you. For those who have already fallen for the hackers' trick, we will also show how to remove the Petya virus.

Method 1. How to protect yourself from the Petya virus by creating the file that makes the virus exit

Immediately after the first large-scale attacks began, specialists all over the world started looking into why it happened and how to deal with it. The first idea, from security researcher Amit Serper (described in more detail further down this page) and confirmed by others, is that the virus can be fooled on computers that are not yet infected.

How this works is simple: after finishing its work the virus creates a marker file itself, and before starting it checks whether that file already exists. If we create the file in advance, Petya decides the computer has already been infected and exits. The method is simple and reliable for the current version of the virus, which matters because many antivirus products could not detect it. Microsoft claims that even Windows Defender on the latest build of Windows 10 handles it without trouble; whether or not that is so, we did not check, and decided to add this protection immediately.

Method 2. How to protect yourself from the Petya virus by closing the ports the virus needs

For protection we only need to close, on the computer, the specific TCP and UDP ports the virus uses to spread: 445 and 139 (SMB), 135 (RPC endpoint mapper) and the range 1024-1035. This method works just as well on earlier operating systems as on Windows 10; I will show how to do it using the latest version of Windows 10 as the example. Keep in mind that blocking these inbound ports also blocks legitimate inbound file and printer sharing and remote administration of that computer, so on a file server or a domain controller this rule cannot be applied as-is.


Method 3. Protect your computer from the Petya virus automatically

For the lazy there is a way to protect against the Petya virus with a single file. You can create it on the computer yourself.

  1. Open Notepad and paste the following code into it:

    @echo off
    echo Administrative permissions required. Detecting permissions...
    echo.
    rem "net session" succeeds only in an elevated (Administrator) prompt
    net session >nul 2>&1
    if %errorlevel% == 0 (
        if exist C:\Windows\perfc (
            echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
            echo.
        ) else (
            rem Method 1: create the marker files the virus checks for, then make them read-only
            echo This is a NotPetya/Petya/Petna/SortaPetya vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
            echo This is a NotPetya/Petya/Petna/SortaPetya vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
            echo This is a NotPetya/Petya/Petna/SortaPetya vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat
            attrib +R C:\Windows\perfc
            attrib +R C:\Windows\perfc.dll
            attrib +R C:\Windows\perfc.dat
            echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
            echo.
        )
        rem Method 2: block the inbound ports used for spreading (this also needs elevation)
        netsh advfirewall firewall add rule name="Petya TCP" dir=in action=block protocol=TCP localport=1024-1035,135,139,445
        netsh advfirewall firewall add rule name="Petya UDP" dir=in action=block protocol=UDP localport=1024-1035,135,139,445
    ) else (
        echo Failure: You must run this batch file as Administrator.
    )
    pause

  2. Save the file and change its extension to .bat (in Notepad choose "All files" as the type, otherwise you get a .bat.txt file).
  3. Right-click it and choose "Run as administrator".

Running the batch file applies Method 1 and Method 2 at once, which is more convenient and faster. Do not forget to run the BAT file as administrator, otherwise nothing will change. Afterwards you can check whether the files were created and whether the new firewall rules exist.
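The check mentioned above, as an added example for this page (it is not the batch file's author's code): it verifies that the vaccine files exist without a stray extension and are read-only, that the two firewall rules are enabled inbound block rules covering port 445, and creates whatever is missing. It assumes the marker the malware checks is C:\Windows\perfc with no extension (perfc.dat and perfc.dll are the variants the batch file also creates) and needs an elevated PowerShell 5.1 prompt on Windows 8.1/10 or Server 2012 R2 and later, where the NetSecurity cmdlets exist.

```powershell
# Added example for this page (not code from the original article).
# Assumption: the kill-switch file checked by the malware is C:\Windows\perfc with no
# extension; perfc.dat and perfc.dll are the variants the batch file above also creates.

$VaccineFiles = 'C:\Windows\perfc', 'C:\Windows\perfc.dat', 'C:\Windows\perfc.dll'
$RuleNames    = 'Petya TCP', 'Petya UDP'
$Ports        = '135', '139', '445', '1024-1035'   # same ports as the netsh rules above

function Test-PetyaVaccine {
    # True only if every vaccine file exists, is a plain file and is read-only.
    $ok = $true
    foreach ($f in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
            Write-Warning "missing: $f"; $ok = $false; continue
        }
        if (-not (Get-Item -LiteralPath $f -Force).IsReadOnly) {
            Write-Warning "not read-only: $f"; $ok = $false
        }
    }
    # Common mistake: Notepad silently saves "perfc" as "perfc.txt", which the malware ignores.
    if (Test-Path -LiteralPath 'C:\Windows\perfc.txt') {
        Write-Warning "perfc.txt found; the malware looks for 'perfc' without an extension"
        $ok = $false
    }
    return $ok
}

function Set-PetyaVaccine {
    # Idempotent: create the files if absent, then force the read-only attribute.
    foreach ($f in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $f)) {
            Set-Content -LiteralPath $f -Value 'NotPetya vaccination file. Do not remove.' -Encoding ASCII
        }
        (Get-Item -LiteralPath $f -Force).IsReadOnly = $true
    }
}

function Test-PetyaFirewallRules {
    # True only if both rules exist, are enabled inbound block rules and cover port 445.
    $ok = $true
    foreach ($n in $RuleNames) {
        $rule = Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "firewall rule missing: $n"; $ok = $false; continue }
        if ($rule.Enabled -ne 'True' -or $rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Block') {
            Write-Warning "rule '$n' is not an enabled inbound block rule"; $ok = $false
        }
        $local = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        if ($local -notcontains '445') {
            Write-Warning "rule '$n' does not cover port 445 (SMB)"; $ok = $false
        }
    }
    return $ok
}

function Set-PetyaFirewallRules {
    # Same effect as the two netsh lines in the batch file, skipping rules that already exist.
    foreach ($proto in 'TCP', 'UDP') {
        $n = "Petya $proto"
        if (-not (Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $n -Direction Inbound -Action Block `
                -Protocol $proto -LocalPort $Ports | Out-Null
        }
    }
}

if (-not (Test-PetyaVaccine))       { Set-PetyaVaccine }
if (-not (Test-PetyaFirewallRules)) { Set-PetyaFirewallRules }
"vaccine files OK: $(Test-PetyaVaccine); firewall rules OK: $(Test-PetyaFirewallRules)"
```

The script is safe to run repeatedly: it only creates what is missing. The same caveat as for Method 2 applies: the block rules stop inbound SMB and RPC to this computer, so anyone who relies on reaching shares or remote management on it will lose that access.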

How to remove the Petya virus

If you have already fallen for the hackers' trick, seen the ransom screen and switched the computer off in fright, you still have a chance to restore everything yourself.

  1. Make a bootable disk or flash drive with an antivirus that can clean a computer of the Petya virus; Kaspersky Rescue Disk or the ESET NOD32 LiveCD are suitable, for example.
  2. Boot the computer from it and wait until the antivirus finds and removes Petya.
  3. If the virus has already managed to encrypt files, you can try recovery utilities such as Shadow Explorer (which restores files from Volume Shadow Copies, if any survived) or Stellar Phoenix Windows Data Recovery. Note that these are recovery tools, not decryptors: there is no decryptor for this version of the virus.

And of course, when it comes to removing the Petya virus, reinstalling the operating system remains an option.

In this article we covered how to protect against the Petya virus and how to remove it if you have already been hit. In general, I advise you to be careful with self-extracting archives with the .exe extension: in most cases they contain either a virus or a lot of junk you will then want to remove. As they say, prevention is better than cure, so go ahead. Let us know in the comments whether the article was useful to you.

Since June 27 a new Petya encryption virus has been spreading around the world, locking Windows computers. It penetrates PCs through local networks, so the epidemic hits organizations almost exclusively rather than individual users. To unlock each device Petya demands $300 in Bitcoin.

Most of the victims are still in Ukraine (state institutions, energy companies, mobile operators and banks were attacked) and in Russia (the main victim was Rosneft). But reports of Petya are now coming from all over the world. Events developed similarly in May, when corporate networks were attacked by another encrypter, WannaCry (WannaCrypt).

"The Secret" asked cybersecurity experts to explain how to protect against such an attack.

Kirill Ermakov

Technical Director of the QIWI Group

When companies around the world suffered from WannaCry, it became obvious that many treat such a basic information security process as installing updates with unjustified neglect. Attackers exploited unpatched systems before too, but now this has finally received wide publicity.

The virus did not use any "secret weapons" or "zero-day vulnerabilities." It used vulnerabilities for which patches have existed for quite a long time. It is just that information security threats are traditionally underestimated. The direct task of the information security director is to explain to C-level colleagues that the games are over and a modern cyberattack can simply stop their business.

The new virus at first looked like the 2016 Petya virus, but it then turned out that it has a very distant relationship to the old one, if any at all. So now it goes under the names #Petya, #NotPetya and #PetrWrap and has the identifier Win32/Diskcoder.Petya.C.

This virus seems to me very curious and even, you could say, likeable (technically). As with WannaCry, the EternalBlue exploit attributed to the National Security Agency is involved; it exploits one of the Windows vulnerabilities. But the new virus has another propagation vector: having hit one machine, it extracts account credentials from the infected workstation and uses them to try to penetrate all the other computers. That is why many who had installed the patch against WannaCry were still hit by the Petya/NotPetya attack. System administrators in companies often make a mistake in infrastructure design: they build it so that the local administrator account works on all machines.

In addition, Petya/NotPetya is interesting because its creators' goals are not obvious. If they wanted a lot of money, they would have made a virus that does not try to encrypt everything and demand a ransom, but quietly sits in the system as a classic Trojan and is later used for a targeted attack. In this case the attackers earned pennies but paralyzed the work of many large companies around the world. Maybe this is some kind of manipulation of exchange rates or stocks?

To those who want to protect their company from such threats I can give only one piece of advice: pay attention to your system administrators, your security service and their requirements. Basic information security processes may be missing for various reasons. But often the main problem is that the business does not support the actions of the IT and security departments, because it does not want to spend money and resources on them without understanding why they are necessary. Yet it is sometimes easier to put up with the inconvenience of updating software than to lose everything by underestimating the threat.

–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Andrei Bryzgin

Head of Audit and Consulting at Group-IB

This attack is clearly not the last. The bigger the company and the wider its IT infrastructure, the greater the chance that at least one computer is vulnerable, unpatched or simply forgotten. One vulnerable computer was enough for the Petya virus to infect a whole network. Information security must be handled comprehensively, including with specialized solutions, and security audits should be done regularly.

1. Install operating system updates and security patches.

2. Configure mail filters to screen out encrypted archives.

3. If the computers run Windows, subscribe to Microsoft technical security notifications.

4. If there are computers without updates in the corporate network, forbid employees to connect personal laptops to it.

5. Conduct training for information security officers.

6. Do not pay the ransom to the extortionists. It is by no means certain that they will send the encryption keys. Group-IB has no evidence that data was restored after payment.

GROUP-IB 06/28/2017 17:18


On June 27 a large-scale cyberattack using a new modification of the Petya encrypter was recorded in Ukraine, Russia and several other countries.

The virus spreads by phishing emails sent to the addresses of company employees. After a malicious attachment is opened, the target computer is infected and its files are encrypted.

Any attachment (.doc, .docx, .xls, .xlsx, .rtf and other Microsoft Office formats) may contain malicious content. When an attachment carrying the "Petya" virus is opened, the malware is installed through the known vulnerability CVE-2017-0199.

After infection the virus waits 30-40 minutes (using the time to spread), and only then does Petya encrypt the local files.

For decryption the extortionists demand a ransom of $300 in Bitcoin, paid to an online wallet.

Victims

In the first 2 hours energy, telecommunications and financial companies were attacked; as a result more than 100 companies around the world were infected:
- in Russia: Rosneft, Bashneft, Home Credit Bank, Evraz and others;
- in Ukraine: Zaporozhyeoblenergo, Dneproenergo, the Dnieper Electricity System, Mondelez International, Oschadbank, Mars, Nova Poshta, Nivea, Tesa, the Kiev Metro, Ukrainian government computers, Auchan stores, Ukrainian operators (Kyivstar, Lifecell, Ukrtelecom), Privatbank, Boryspil Airport and others;
- elsewhere in the world: the American biopharmaceutical giant Merck, Maersk, and organizations in India, Australia, Estonia and other countries.

What needs to be done for protection?

1. Take measures against Mimikatz and against privilege-escalation techniques in Windows networks.
2. Install the KB2871997 patch.
3. Set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 0 (on Windows 7 and Server 2008 R2 this value only takes effect after KB2871997; on Windows 8.1, Server 2012 R2 and later it defaults to 0, but setting it explicitly does no harm).
4. Make sure the local administrator passwords on all workstations and servers are different.
5. Promptly change all passwords of privileged users (system administrators) in the domains.
6. Install the patches for CVE-2017-0199 and EternalBlue (MS17-010).
7. Remove administrator rights from everyone who does not need them.
8. Do not let users connect laptops to the LAN until patches are installed on all computers on the network.
9. Back up all critical systems regularly. Ideally use both options: backup to the cloud and to removable media.
10. Implement a zero-trust policy and conduct security training for employees.
11. Disable SMBv1 on the network.
12. Subscribe to Microsoft technical security notifications.

Why you should not pay the ransom:
1. You sponsor criminals.
2. We have no evidence that the data of those who paid the ransom was restored.
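Items 2, 3, 6 and 11 of the list above can be audited and, where possible, fixed on a single host from PowerShell. The script below is an added example for this page, not Group-IB's code. It assumes the MS17-010 KB numbers given are the Windows 7 SP1 / Server 2008 R2 ones from that bulletin (KB4012212 security-only, KB4012215 monthly rollup); on other Windows versions, or on hosts patched with a later cumulative rollup, the superseding KB from the bulletin must be used instead, otherwise the patch check reports a false negative. Run it elevated; with -Apply it disables WDigest credential caching and SMBv1 where they are still on.

```powershell
# Added example for this page (not Group-IB's code). Audit items 2, 3, 6 and 11 on one host;
# with -Apply, remediate the WDigest and SMBv1 items. Run from an elevated PowerShell prompt.
# Assumption: the MS17-010 KBs below are the Windows 7 SP1 / Server 2008 R2 ones; adjust per OS.
param([switch]$Apply)

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ms17010Kbs = 'KB4012212', 'KB4012215'

function Test-WDigestDisabled {
    # UseLogonCredential = 0 stops LSASS keeping plaintext passwords that Mimikatz can read.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -ne $v) { return ($v -eq 0) }
    # Value absent: the default is safe only on Windows 8.1 / Server 2012 R2 (NT 6.3) and later.
    # On Windows 7 / 2008 R2 the value exists only after KB2871997 and defaults to 1 (enabled).
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    return ($osVersion -ge [Version]'6.3')
}

function Disable-WDigest {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-Smb1Disabled {
    # Server side: EternalBlue attacks the SMB server, so this is what decides whether the host
    # can be hit; the SMB1 client is removed too by Disable-Smb1 where the OS supports it.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -eq 'Disabled') { return $true }   # component removed entirely
    }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    # Windows 7 / 2008 R2 have no SMB cmdlets: fall back to the LanmanServer registry value.
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($v -eq 0)   # absent means SMB1 is enabled on these versions
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $LanmanKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # On Windows 8.1 / 10 / 2012 R2 and later the whole SMB1 component (client included) can go.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-AnyHotfixInstalled([string[]]$Kbs) {
    # True if at least one of the given KBs is installed (security-only OR rollup is enough).
    $installed = @((Get-HotFix).HotFixID)
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

$report = [ordered]@{
    'WDigest caching off (item 3)' = Test-WDigestDisabled
    'KB2871997 present (item 2)'   = Test-AnyHotfixInstalled 'KB2871997'
    'MS17-010 present (item 6)'    = Test-AnyHotfixInstalled $Ms17010Kbs
    'SMBv1 disabled (item 11)'     = Test-Smb1Disabled
}
$report

if ($Apply) {
    if (-not $report['WDigest caching off (item 3)']) { Disable-WDigest }
    if (-not $report['SMBv1 disabled (item 11)'])     { Disable-Smb1 }
    # Patches cannot be installed from here: use Windows Update or WSUS. Both changes need a reboot.
}
```

Run it first without -Apply to see the report, then with -Apply on a test host before rolling it out through Group Policy or your configuration management, since disabling SMBv1 breaks access from old clients and NAS devices that speak only SMB1.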

Lately everyone's nightmare looks like this: you switch on your computer and see a mysterious message saying that your files are encrypted. You soon realize that your data is most likely lost forever, even if you pay the hackers' ransom.

The new Petya virus (also called NotPetya) hit Europe within hours, but Ukraine suffered most: the country's power grid, banks, government agencies and airports were damaged. The first symptoms of the attack appeared on June 27, when the National Bank of Ukraine and Kiev International Airport fell victim to the virus. Even the radiation monitoring systems at Chernobyl are reported to have been affected. But Petya, which targets the Windows operating system, did not stop there: Microsoft confirmed that computers were infected in 64 countries. Ordinary users were not spared either. It got to the point where institutions took their websites offline and users did not switch their computers on so as not to trigger the virus.

But this time there is a vaccine against the virus that protects a PC from infection, at least for now. The malware, which demands a ransom in exchange for decrypting files, is particularly sophisticated according to Symantec: instead of simply encrypting system files, it modifies the computer's Master Boot Record (MBR) in order to encrypt the hard disk. After infection the system displays a message demanding $300 worth of Bitcoin. However, since the email address specified for confirming payment has been shut down by the email provider, there is little chance of the decryption key being provided even if the victim pays. In essence, those who have fallen into Petya's clutches can say goodbye to their files.

But the situation is not hopeless. For those who do not want to, or simply cannot afford to, switch their computers off and wait until it all blows over, there is a weapon in the battle against this attack. Fortunately, it is a fairly simple home remedy.

A security researcher named Amit Serper seems to have found a way, in a few simple steps, to prevent the malware from launching on vulnerable computers. His observation, confirmed by other researchers, is that Petya looks for a specific file on the computer before encrypting its contents. If that file is present, the virus does not infect the PC.

Amit Serper says that all interested users should create a file named "perfc" in the C:\Windows folder. It is important that the file is read-only and has no extension (no .txt, .jpg, .doc, etc.).

Besides that, nothing stops you from installing the Windows security updates. The EternalBlue exploit used by the Petya virus relies on a vulnerability in the Server Message Block (SMB) service, which was fixed in March (MS17-010).

As Serper explains, keeping Windows up to date with the security patches and creating the file described above should be enough to withstand Petya. Although it will no longer help the National Bank of Ukraine, it may save you.

An epidemic of an encryption virus has begun. There is no consensus yet about the origin and nature of the malware. It is noted that it resembles the Petya virus known since the beginning of last year, for which a decryptor was already available. However, the new modification (it is called NotPetya, ExPetr or Petya.A) spreads through "fresh" vulnerabilities, including the one through which WannaCry broke into computers in May.

The new "Petya" lands on a computer, encrypts the files, tries to break through to neighbouring machines and then restarts the system. During boot it imitates the hard disk check utility, and then shows its hand: the files are encrypted and you have to pay. It asks for 300 dollars, but strictly in Bitcoin. Since Bitcoin lets you see all transactions and the balance knowing only the wallet address, we found that on the first day of the attack the extortionist received about 10 thousand dollars.

[Image: information on the extortionist's Bitcoin wallet at the time of publication]

[Image: a typical sight in many Russian offices yesterday]

How Petya infects

There are two completely different stages: getting inside a network, and spreading within it.

To get Petya onto some computer in an organization's network, it is simply sent by email. It goes like this: an employee receives a letter with an office document. When it is opened in Word (or Excel, or another application from the suite), the user is warned that the document contains a link to an external file. If this warning is ignored, the virus is downloaded and launched. And if MS Office on that computer has not been updated for a long time, the warning does not even appear.

After that the second life of Petya begins. While encrypting files and overwriting the boot area of the hard disk, it tries to reach other computers on the same network. It has two methods for this. The first is a vulnerability in the SMBv1 network service. This service is responsible for "network neighbourhood" file sharing, and version 1 has long been obsolete, yet it is enabled by default even in modern versions of Windows. The vulnerability became public in March, when exploit code for it was among the leaked NSA tools, and the WannaCry virus used it in May to hit thousands of computers. After that epidemic only the lazy or the reckless did not install the Windows patches.

But there is a second way. If Petya is launched by a user with administrator rights, it collects the credentials of all accounts on the computer, including the domain accounts used in the organization. Armed with that information, the virus can log in to other computers on the network and infect them.

What to do if I got infected

First, under no circumstances transfer money to the Bitcoin wallet. The hosting provider has already blocked the mailbox to which, according to the virus's instructions, the victim is supposed to send proof of payment. Even if the malware authors intended to keep their word and hand over the unlock keys on receiving the money, they would no longer be able to.

Secondly, accept that you will most likely not be able to decrypt the data on this computer. Information security specialists advise simply formatting the hard drive and restoring the files from backups.

What to do if not yet infected

Create a file named perfc in the C:\Windows directory (without an extension; there are also reports that the name perfc.dat works) and tick the "Read-only" box in the file's properties. The virus checks for this file, and if it sees it, assumes the computer is already "being processed".

Back up your data regularly to external media. This can simply be an external disk (but it must not be permanently connected), a network service that does not give direct access to the copied files, or cloud storage, again with the ability to go back to previous versions of the files.
