Petya/GoldenEye Ransomware outbreak alert! Here’s how to protect your PC!
Ransomware is a serious threat, and by the time you realise its seriousness it might be too late. The earlier WannaCry outbreak hit record heights in the number of computers compromised. While the world has yet to fully recover from that, a new massive ransomware cyberattack called Petya/GoldenEye has been spreading worldwide.
What is Petya/GoldenEye and how bad is it compared to WannaCry?
The two malware families are similar in some ways but differ in important ones. Petya, like WannaCry, uses the EternalBlue exploit to infect Windows machines, especially older and unpatched ones. Once infected, your files are encrypted and the attackers demand a ransom, paid in bitcoin, to release the keys. Whether you actually get the key is another matter, of course. What is even more dangerous here is that while WannaCry encrypted files one by one, Petya damages the whole drive, even stopping you from entering the system altogether.
The signs that your system is about to be hit by Petya look deceptively ordinary. First, a BSOD (Blue Screen of Death) is the signal; your computer is then forcibly rebooted, and during that reboot the encryption process completes. You might end up ignoring this because the process looks very similar to Windows running a scan-and-repair, except that this time the reboot ends in a nightmare.
Once the reboot is completed, your computer is fully encrypted and a note demanding the ransom will pop up, as shown below:
Once you reach this screen, your hard drive is fully encrypted and there is nothing you can do about it. Paying the hackers is the last thing I would ever do, because there is no guarantee that you will get the keys in return. One last attempt that is worth a shot is here.
That is why prevention is better than cure. But the BIG question here is:
How do I prevent Petya/GoldenEye Attacks?
The first thing to do: if you notice any odd BSOD that leads to a shutdown pop-up like the one above, don’t wait for it to complete; reset your PC immediately. Don’t press any key whatsoever. Just hit the hardware reset button on your desktop and reset!
To avoid it from happening in the first place, here are some precautions that you can take:
- Fix Windows system vulnerabilities
This goes without saying. If you have been thinking that it is OK to use a cracked Windows OS, and that updates don’t really matter to you, you are very likely to be among the first victims. These ransomware attackers are always on the lookout for vulnerable systems above anything else, so updating your OS is as important as changing your underwear daily. You can download the patches related to Petya/GoldenEye from Microsoft’s official site if you want to speed things up.
- Stop or disable Windows Management Instrumentation (WMI) Service
WMI is a service that you will see running under the LocalSystem account in your Windows process list. It is one of the possible gateways for Petya/GoldenEye to enter your system. If you would like to stop or disable this service, check out this article on Microsoft’s website: Disable WMI Service on Windows
Take note that once you disable WMI, you will no longer be able to query and manage information about your computer’s resources, especially from a remote location.
- Create a strong password
This one goes without saying. Your login password should never be easy to guess. Take note that these hackers have access to plenty of botnets and zombie computers, which supply massive horsepower for brute-force attacks. Easy and common passwords are compromised quickly. You do not actually need an overly complicated password that you can’t remember. Use an 8-character password with a mix of capital letters, small letters, numbers, symbols and a space and you’re good to go.
- Shut down the SMBv1 service
SMBv1 is a deprecated network protocol and should not be used anymore. It is enabled by default to provide network file and printer sharing. It is recommended to disable it, as this is the main gateway through which both WannaCry and Petya/GoldenEye spread. Follow the steps in the section below to disable SMBv1. If you do not want to disable SMBv1:
- Use a protected network and do not share private or important files over SMBv1 connections
- Block inbound and outbound SMB traffic at your firewall (port 445)
- Restrict SMB to localhost only via the hosts file and firewall
- Install protection for your PC
One of the best and quickest ways to defend yourself from a massive outbreak is to install a good security tool that offers an anti-ransomware engine and real-time protection. I highly recommend IObit Malware Fighter 5, as it is one of the best and quickest real-time protections you can get for your desktop; and it’s FREE too.
- Backup, Backup and BACKUP
In any case, if you are hit by Petya/GoldenEye or any other malware, the quickest and easiest way to recover a production system is to restore from your known-good backups. If you have not been doing this, you need to seriously consider it before it’s too late!
How to Disable SMBv1 Service
Remember, disabling SMBv1 will disable your file and print sharing services on your local network.
Step 1: Go to your Windows Control Panel and select “Programs and Features”
Step 2: Select “Turn Windows features on or off” from the sidebar
Step 3: Look for “SMB 1.0/CIFS File Sharing Support”. It will be checked by default. Uncheck it and click OK
Step 4: Restart your PC and you’re done.
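The same SMBv1 shutdown, together with the port-445 firewall block and the WMI service stop from the precautions list, done from PowerShell so it can be audited and repeated. This is an added example, not part of the original post; it assumes a Windows 8.1/10 client with PowerShell 5 or later run from an elevated prompt, and the firewall rule names are my own choice.

```powershell
# Added example (not from the original post): audit and, with -Apply, enforce
# the SMBv1, port-445 and WMI precautions above from an elevated PowerShell.
# Assumes Windows 8.1/10 client, PowerShell 5+ (DISM, SmbShare, NetSecurity
# modules present). The rule names below are assumed, not Windows defaults.
param([switch]$Apply)

$RuleIn  = 'Block SMB 445 Inbound'
$RuleOut = 'Block SMB 445 Outbound'

function Get-ExposureReport {
    # Read-only snapshot of the settings the precautions talk about.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $smb     = Get-SmbServerConfiguration
    $wmi     = Get-Service -Name Winmgmt
    [pscustomobject]@{
        Smb1FeatureState  = $feature.State           # 'Enabled' means Step 3 not done yet
        Smb1ServerEnabled = $smb.EnableSMB1Protocol  # server still negotiates SMBv1?
        Port445Blocked    = [bool](Get-NetFirewallRule -DisplayName $RuleIn -ErrorAction SilentlyContinue)
        WmiStatus         = $wmi.Status
        WmiStartType      = $wmi.StartType
    }
}

if ($Apply) {
    # Same as Steps 1-3 above: remove the SMB 1.0/CIFS feature (reboot needed, Step 4).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Also stop the SMB server negotiating SMBv1 until that reboot happens.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Block TCP 445 both ways on every profile. This stops file and print
    # sharing to and from this host, the trade-off the precautions note.
    if (-not (Get-NetFirewallRule -DisplayName $RuleIn -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleIn  -Direction Inbound  -Protocol TCP -LocalPort 445  -Action Block -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName $RuleOut -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any | Out-Null
    }

    # WMI: list what depends on it before stopping, since those services stop too.
    (Get-Service -Name Winmgmt).DependentServices | Select-Object Name, Status | Format-Table
    Stop-Service -Name Winmgmt -Force
    Set-Service  -Name Winmgmt -StartupType Disabled
}

# Print the state either way, so a plain run is a harmless audit.
Get-ExposureReport | Format-List
```

Run it once without -Apply to see the current state, and again after the reboot from Step 4 to confirm Smb1FeatureState reads Disabled.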