Sophos advises steps to counter Petya ransomware

The steps Sophos highlights include ensuring systems have the latest patches, including that specified in the Microsoft MS17-010 bulletin. Users are also highly advised to consider blocking the Microsoft PsExec tool from running on users’ computers. 

Sophos also emphasizes the importance of backing up important files regularly on an external storage device that is not connected to the system. This is a generally useful step as anything can happen that damages our files, such as fire, flood, theft, a dropped laptop or even an accidental delete, Sophos warns.

Sophos also offers free - non-business - use of its Sophos Intercept X and free Sophos Home Premium Beta, which the company says prevents ransomware by blocking the unauthorized encryption of files and sectors on the hard disk.

The Petya ransomware encrypts files and documents on an infected machine, like most ransomware, and also replaces the original master boot record (MBR) of an infected machine so that this computer can no longer boot into Windows, Sophos says. The new boot code is used to show the ransomware note and explains how to pay the ransom, the company adds.

“We have seen that this new outbreak uses the ʼEternalBlueʼ exploit as a way to spread within a network after the initial infection. The exploit attacks the vulnerable Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in the spread of WannaCry last month. The new Petya variant can also spread by using a version of the Microsoft PsExec tool in combination with admin credentials from the target computer,” Sophos adds.