Petya, the Ransomware Worm


As zu’s resident IT Specialist, I’ve had my share of queries about how the latest ransomware worm, “Petya”, might affect us and our clients. Here’s a summary of how we reacted, and how we are affected.

In short

zu and all of our hosted websites are safe and secure from this threat.

A little more detail

The “Petya” ransomware worm takes advantage of a vulnerability in unpatched Windows computers that allows the machine to be taken over remotely. It can arrive as a malicious email attachment, or spread on its own by sending a specially crafted packet to any reachable computer that still has the built-in “SMB1” (SMBv1) file-sharing protocol enabled. SMBv1 is the older protocol Windows uses to mount shared drives between computers. Microsoft had published the fix for this flaw (security bulletin MS17-010) in March 2017, so fully patched machines were not exposed; the worm mostly hit computers that had not applied it. Windows versions that were already out of support, such as Windows XP and Server 2003, had no fix at all until Microsoft issued an emergency patch in May 2017, after the earlier WannaCry outbreak.

In our case, when we became aware of the threat, we made sure that our people were informed of what was going on, explained to our clients how they and zu were affected, and double-checked our potentially vulnerable computers.


What makes us safe?

zu is secure for a couple of reasons. First, we run very few Windows computers. We do have an older Windows server and a handful of virtual machines, but the server isn’t running SMB1, and the VMs are updated every week. Second, we have a corporate firewall that does not answer unsolicited connections from the Internet, so the SMB port the worm probes (TCP 445) is unreachable from outside. We’ve almost certainly been probed, but since the firewall silently drops the probes rather than answering them, a scanner sees nothing there at all.

We also strive to make sure that we stay secure against other attacks or vulnerabilities. We make sure that our computers apply security patches regularly. We encourage people to be cautious when opening links and attachments, and to be critical of suspicious looking emails. Most importantly, we encourage open and honest communication – it’s important that people not be afraid of getting in trouble if something DOES slip through. They need to know that reporting an accidentally-clicked link or phishing scam will get them help quickly.

What about our clients?

Our hosted websites are also secure. We run all of our servers on CentOS Linux, not Windows, so the Windows SMBv1 implementation the worm exploits is simply not present on them. They are also protected by firewalls at both the server and web-host level. We don’t share files with potentially vulnerable computers, and we update our servers regularly to stay on top of security issues.

What about you?

If all of this sounds familiar to you, it ought to. The “WannaCry” / “WannaCrypt” worm that disrupted business and government throughout the world in May uses the same attack vector: the same SMBv1 flaw, closed by the same MS17-010 update. If you’ve kept Microsoft Windows and Office up to date, the worm cannot break in over SMB. If you haven’t installed the patches that you need, you should immediately. If you can’t, then you’ll need to make sure that SMB1 is disabled on your computer and that SMB (TCP ports 139 and 445) is not reachable from the Internet. One caveat: inside a network, Petya also spread using stolen administrator credentials and ordinary Windows remote-administration tools, so a patched machine is not automatically safe if an infected machine on the same network holds credentials that work on it. Don’t use domain administrator accounts for day-to-day logins on workstations.
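The check-and-disable procedure above, and the “double-check our potentially vulnerable computers” step mentioned earlier, as an added PowerShell example. This is not zu’s own tooling or code from the original post; it uses the methods Microsoft documents for each Windows generation. The KB list is an illustrative subset of the MS17-010 updates (check the bulletin for your exact build), and the firewall rule name is an arbitrary label.

```powershell
# Added example, not from the original post: audit one Windows host for the
# SMBv1 exposure used by Petya/NotPetya and WannaCry, then close it.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# Step 1: is an MS17-010 update installed?  The KB list is an illustrative
# subset (assumption: adjust for your build). Later cumulative updates
# supersede these, so an empty result is a warning, not proof of exposure.
function Test-Ms17010 {
    $kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
           'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429'
    $hit = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    if ($hit) { Write-Output "MS17-010 update present: $($hit.HotFixID -join ', ')" }
    else      { Write-Warning 'No MS17-010 update found; patch now or disable SMBv1' }
}

# Step 2: is SMBv1 still enabled on the server side?
# Windows 8 / Server 2012 and later expose this via Get-SmbServerConfiguration;
# Windows 7 / Server 2008 R2 only have the registry value (absent means enabled).
function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
         -ErrorAction SilentlyContinue
    return ($null -eq $p.SMB1 -or $p.SMB1 -ne 0)
}

# Step 3: turn SMBv1 off using the method documented for each OS generation.
function Disable-Smb1 {
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1 / Server 2012 R2 and later: remove the feature entirely
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: switch the server protocol off
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Windows 7 / Server 2008 R2 (harmless elsewhere): registry value plus the
    # SMB1 client driver, as in Microsoft KB2696547
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Step 4: block unsolicited inbound SMB at the host firewall on untrusted
# networks. Scoped to the Public profile so domain file sharing keeps working.
function Block-InboundSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (Petya/WannaCry)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public | Out-Null
}

Test-Ms17010
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it (a reboot completes the change)'
    Disable-Smb1
    Block-InboundSmb
} else {
    Write-Output 'SMBv1 is already disabled'
}
```

Run the script on each Windows machine you manage; on a domain you can push the same commands through Group Policy or a remote session. Disabling SMBv1 will break file sharing with very old devices (some printers and NAS boxes), so check what still depends on it before rolling it out broadly, and remember that step 4 protects only untrusted networks, not a compromised internal one.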

Ransomware and phishing scams are very common. They’re designed to be easy to fall for. It’s not a matter of IF something will slip through the defenses, but when. We can minimize the risk by keeping our computers up to date, by implementing common security measures like firewalls, by training people to be cautious, and most importantly, fostering open communication between IT and our coworkers and clients.