Cyber security firms Symantec and Trend Micro have revealed contrasting reports on ransomware Petya impact in India.
Symantec said on Thursday that India has become the worst-hit country in the Asia Pacific and Japan (APJ) region and the seventh most affected nation globally as a new ransomware ‘Petya’ hit on June 27.
On the other hand, Trend Micro, a rival of Symantec, said that there is no petya ranwomware cases reported in India.
“In India, so far we have no cases of Petya that have been reported to us. The countries most affected are Europe, typically Ukraine and Russia,” said Sharda Tickoo, technical head, Trend Micro India.
“The Petya ransomware attack was inspired by the WannaCry attack,” said Gavin O’Gorman, an investigator in Symantec Security Response.
India faces another cyber attack
India Government has confirmed that Mumbai’s Jawaharlal Nehru Port Trust (JNPT), the largest container port and some local manufacturing units of global companies were hit.
Information Technology Minister Ravi Shankar Prasad said India has largely remained insulated so far from the ransomware attack that started in Ukraine and Russia.
The Petya ransomware was spread, at least in part, through updates to a Ukrainian tax accounting software.
Symantec has confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks.
MEDoc is widely used in Ukraine, indicating that organisations in that country were the primary target.
Once on a computer, the malware attempts to spread to all machines on the network, using a combination of stolen credentials and the “Eternal Blue” exploit.
“It also attempts to connect to any computers that the infected computer has recently interacted with. However, unlike WannaCry, it does not attempt to connect to random IP addresses across the internet,” O’Gorman added.
Cyber security experts believe that the new attack was caused by a variant of the Petya ransomware which was unleashed in 2016.
It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR), demanding that $300 in bitcoins be paid to recover files.
Suggestions for protection
Sharda Tickoo, technical head of Trend Micro India suggests that the industry needs to secure the email gateway.
There are also certain URL categorizations employed in work environment which can block access to malicious codes. Ensure that all the workstations have least privilege unless any workstation actually requires administrator privilege.
As it uses certain administrative tools like power shell, ensure that these utilities are restricted to administrators.
“We would recommend the companies to maintain an important hygiene of regularly taking back-up of necessary data and proactively monitor the systems for any suspicious activity,” Sharda Tickoo said.
WannaCry vs Petya
WannaCry was a basic form of ransomware attack and it used worm like techniques. Petya seems to be a thorough ransomware which uses different modalities. It is using EternalBlue vulnerability. It leverages multiple infection vectors not just one.
The Petya ransomware modifies the Master Boot Record (MBR) and encrypts the system files. Once the MBR is modified by this ransomware, the system displays the ransom note instead of a black or blue screen.
While the normal ransomware does not touch the MBR but encrypts files and asks for ransom. The Petya ransomware is a combination of a wiper and a ransomware, because it wipes the MBR.