The WannaCry ransomware is not dead yet, and another large-scale ransomware attack is causing chaos worldwide, shutting down computers at corporations, power suppliers, and banks across Russia, Ukraine, Spain, France, the UK, India, and Europe and demanding $300 in bitcoins.
Researchers have found that a variant of the Petya ransomware called GoldenEye is attacking systems around the world and spreading rapidly with the help of the same Windows SMBv1 vulnerability.
Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.
Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.
The following text is displayed on the screen:
It is quite surprising that, even after knowing about the WannaCry issue for a decent amount of time, big corporations and companies have not yet implemented proper security measures to defend against such threats.
Don’t Pay the Ransom, You Won’t Get Your Files Back
Infected users are advised not to pay the ransom, because the hackers behind the Petya ransomware can no longer receive your emails.
Posteo, the German email provider, has suspended the email address (email@example.com) that the criminals used to communicate with victims and to send decryption keys after receiving the ransom.
How to Protect Yourself from Ransomware Attacks
What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010), and disable the insecure, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.
Since the GoldenEye ransomware also takes advantage of the WMIC and PsExec tools to infect fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line).
Researchers have found that the GoldenEye ransomware encrypts the system after rebooting the computer. So if your system is infected with the Petya ransomware and it tries to restart, do not power it back on.
“If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine,” HackerFantastic tweeted. “Use a LiveCD or external machine to recover files.”
PT Security, a UK-based cyber security company, and Amit Serper from Cybereason have discovered a kill switch for the Petya ransomware. According to a tweet, the company has advised users to create the file “C:\Windows\perfc” to prevent ransomware infection.
Create Perfc, Perfc.dat, and Perfc.* in the “C:\Windows” folder.
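As an added example (not code from the article or from any of the researchers it cites), the following PowerShell script applies the host-side mitigations listed above on one Windows machine: it checks whether the MS17-010 fix is installed (the KB numbers differ per Windows build, so they are a parameter you fill in from the bulletin), disables SMBv1, and creates the perfc vaccine files. The perfc.dll name and the read-only attribute are assumptions beyond the article, and disabling WMIC is left to the administrator.

```powershell
# Added example: defensive checks for the GoldenEye/Petya mitigations above.
# Run as Administrator on Windows 8 / Server 2012 or later (needs the SmbShare module).
#Requires -RunAsAdministrator
param(
    # KB numbers implementing MS17-010 vary by Windows build; fill in the ones
    # from the bulletin for your systems (left empty here, so the check is skipped).
    [string[]]$Ms17010KBs = @()
)

$report = [ordered]@{}

# 1. Is the MS17-010 (EternalBlue) hotfix installed?
if ($Ms17010KBs.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010KBs -contains $_.HotFixID }
    $report['MS17-010 installed'] = [bool]$installed
}

# 2. Record SMBv1 server status and turn it off if it is still enabled.
$smb = Get-SmbServerConfiguration
$report['SMBv1 was enabled'] = $smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# On client builds that expose it as an optional feature, remove it as well (reboot later).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}
$report['SMBv1 disabled now'] = -not (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Create the "perfc" vaccine files in C:\Windows. The article lists perfc,
#    perfc.dat and perfc.*; perfc.dll is an assumed third name. Marking the files
#    read-only is an extra precaution not stated in the article.
$winDir = $env:SystemRoot
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $winDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $report["vaccine $name present"] = Test-Path -LiteralPath $path
}

# Print a summary table of what was found and changed.
$report
```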
Regularly Back Up Your Files:
To always have a tight grip on all your important documents and files, keep a good backup routine in place that copies them to an external storage device which is not always connected to your computer.
That way, if any ransomware infects you, it cannot encrypt your backups.
Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up to date. Most importantly, always browse the Internet safely.
One good thing: this ransomware is spreading via the local network and is not as massive as WannaCry.