Petya – ransomware failing to hold us to ransom?

Phil Bridge from Kroll Ontrack Data recovery discusses the global Petya attack and how data can be recovered without paying the ransom. 

The international cyber attack in June that affected myriad businesses worldwide, including advertising firm WPP and the Chernobyl nuclear power plant, has highlighted the severe risks posed by malware attacks. Initially dismissed as a ‘run of the mill’ ransomware attack, the fallout from Petya showed that lessons are still to be learned by businesses and individuals, even after the warnings given by the WannaCry attacks in May.

What is this new strain of ransomware? 

This latest attack is from a strain of ransomware, Petya, which has seen an upgrade to its latest version, Petrwrap.   

Petya is a type of ransomware that appeared approximately 18 months ago. Rather than encrypting all the files on your computer, the criminals attack a part of the operating system called the Master File Table (MFT), an essential ‘index’ that the system uses to locate files on the disk. Attacking one part of the system (the MFT) is much faster than targeting all the individual files, but the result is as if each file had been locked separately.

There have been reports that security researchers have found a method of preventing a machine from being infected, but this doesn’t help stop the spread of the virus to other computers on a network or help users who have already been affected. 

The master file table (MFT) acts as an index of all files stored on your hard drive. The original Petya malware attacked this area, meaning that an infected computer is no longer able to locate any files stored on the disk. A fix has since been found for the old strain, but there are also ways of recovering data when the MFT is damaged. Data recovery engineers can manually search a drive using specialist tools, and the fragments found can sometimes be pieced together to restore whole files.

The latest version of Petya is seemingly going one step further; rather than just affecting the MFT, this malware is actually overwriting the first few sectors of a disk, thus making the damage irreversible. It’s also modifying the master boot record (MBR) section of the disk to reboot the system and display a fake diagnostic message, which subsequently shows the ransom note. The ransomware has also been updated to include worm capabilities, which enables this malware to travel across infected networks. 

There is hope 

Kroll Ontrack engineers have recovered data from systems affected by variants of Petya. Not all Petya ransomware encrypts the MFT and it appears to only do this if the malware has been given administrative privileges.   

However, reports claiming that any affected MFT renders all files permanently deleted are not true. Kroll Ontrack has found that with certain versions of Petya only part of the MFT is encrypted; with specialist data recovery tools our engineers have therefore successfully recovered data in these scenarios. Each system and ransomware variant needs to be assessed on a case-by-case basis, but this breakthrough gives renewed hope to ransomware victims.
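The point above, that only part of the MFT may be damaged, is something a responder can measure before deciding on recovery. The following triage script is an added example, not Kroll Ontrack's tooling: it reads the public NTFS boot-sector fields that locate $MFT, then walks the first records and counts how many still carry the `FILE` record signature. The disk image is constructed inline (a minimal boot sector plus six records, the last two replaced by a stand-in byte pattern) so the script runs offline; on a real case you would read the image from the affected volume instead.

```python
import struct

SECTOR = 512          # bytes per sector in the constructed image
CLUSTER = 4096        # 8 sectors per cluster
RECORD_SIZE = 1024    # bytes per MFT record

def build_boot_sector():
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "                          # OEM ID
    struct.pack_into("<H", bs, 0x0B, SECTOR)        # bytes per sector
    bs[0x0D] = CLUSTER // SECTOR                    # sectors per cluster
    struct.pack_into("<Q", bs, 0x30, 1)             # $MFT starts at cluster 1 (constructed)
    bs[0x40] = 0xF6                                 # -10 => 2**10 bytes per MFT record
    bs[510:512] = b"\x55\xAA"                       # boot sector signature
    return bytes(bs)

def build_mft_record(index, encrypted=False):
    if encrypted:                                   # stand-in for an overwritten record
        return bytes((k * 17 + index) & 0xFF for k in range(RECORD_SIZE))
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"                              # signature every intact record carries
    return bytes(rec)

def parse_boot_sector(img):
    """Return $MFT byte offset and record size, or None if this is not an NTFS boot sector."""
    if img[3:11] != b"NTFS    " or img[510:512] != b"\x55\xAA":
        return None
    bps = struct.unpack_from("<H", img, 0x0B)[0]
    spc = img[0x0D]
    mft_cluster = struct.unpack_from("<Q", img, 0x30)[0]
    cpr = struct.unpack_from("<b", img, 0x40)[0]    # signed: negative means 2**-cpr bytes
    rec_size = (1 << -cpr) if cpr < 0 else cpr * bps * spc
    return {"mft_offset": mft_cluster * bps * spc, "record_size": rec_size}

def triage_mft(img, max_records):
    """Count records that still carry the FILE signature versus those that do not."""
    geo = parse_boot_sector(img)
    if geo is None:
        return None
    intact = checked = 0
    for i in range(max_records):
        off = geo["mft_offset"] + i * geo["record_size"]
        if off + 4 > len(img):                      # ran off the end of the image
            break
        checked += 1
        intact += img[off:off + 4] == b"FILE"
    return intact, checked - intact

# Constructed sample: boot sector, gap to cluster 1, six MFT records, the last two "encrypted"
SAMPLE_IMAGE = build_boot_sector() + bytes(CLUSTER - SECTOR) + b"".join(
    build_mft_record(i, encrypted=i >= 4) for i in range(6))
```

A high intact count is a sign that file carving and MFT reconstruction are worth attempting; a zero count (or a boot sector that no longer parses) points to the overwritten-sector damage described below.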

Are we actually being held to ransom? 

There have also been reports suggesting that the email address associated with the hackers’ Bitcoin account has been shut down. This means that there is no hope for victims in terms of getting decryption keys from the hackers and makes paying the ransom a fruitless endeavour. This may however still prove to be inaccurate as over £7000 worth of bitcoin was reportedly moved from the account. Smoke and mirrors are common practice among cyber criminals, to hide true intentions and to slow down any form of successful response. 

This leaves affected users with a limited number of options: try to rebuild the data from any available backups, or contact a data recovery specialist who may be able to salvage some of the lost information.

There are many different file systems available on the market, each of which stores data in its own way. This means there may still be a chance that data can be restored from certain systems affected by this attack. We’d strongly advise against paying the ransom, as it’s now almost certain that you will not receive your data back in return; data recovery specialists, however, may still be able to help. Our team are constantly working on different approaches to work around the damage caused by ransomware.

Kroll Ontrack has issued the following guidance to reduce risk and mitigate the effects of an attack: 

Seek help from a data recovery professional before paying the ransom: There are many cases of ransomware victims paying the ransom demanded and not receiving their data back in return. Rather than running this risk, companies should work with data recovery experts to assess the chances of a recovery being possible.   

Create and follow a backup and recovery plan: Ensure that the plan includes storing backups offsite.

Be prepared by testing backups regularly: Organisations and individuals must be familiar with what is stored in backup archives and ensure the most critical data is accessible should ransomware target backups. 

Implement security policies: Use the latest anti-virus and anti-malware software and monitor consistently to prevent infection. Always keep your systems up-to-date and apply the latest security patches. 

Develop IT policies that limit infections on other network resources: Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network. 

Conduct user training, so all employees can spot a potential attack: Make sure employees are aware of best practices to avoid accidentally downloading ransomware or opening up the network to outsiders. 

Phil Bridge, Managing Director, EMEA, Data & Storage Technologies, Kroll Ontrack 
