Protect Against the Petya Malware Attack

How to prepare and protect your organization against ransomware attacks.

Editor’s Note: This article was updated on June 29 to reflect that Petya was originally misidentified as a ransomware attack, but is now being called a malware attack.  

Nearly two months after the WannaCry ransomware attack on hundreds of thousands of computers around the world, a similar attack called Petya has surfaced. The attack hit government bodies, domestic banks and power companies in Ukraine, as well as other large companies across the globe. As with WannaCry, Petya victims found their files encrypted and a demand for $300 in bitcoin for their release.

It is believed that this attack utilized the “ETERNALBLUE” exploit via a vulnerability in Microsoft Windows. The company released a patch for the vulnerability in March.


With attacks like WannaCry and Petya, enterprises need to be proactive and educated on the threats.

Preventing ransomware attacks on the organization

Jonathan Care, research director at Gartner, offers insight on preventing attacks and protecting your organization:

“Petya is a different kind of malware from WannaCry. Common delivery methods are via phishing emails, or scams, however it seems increasingly likely that Petya uses an infected application update from a breached software vendor as its initial infection vector. The payload requires local administrator access. Once executed, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process. It appears very likely that Petya cannot decrypt data that has been encrypted, so organisations should consider this as destructive malware, rather than ransomware,” said Mr. Care. “Organizations need to be very aware of how threats can affect their organization, through lax infrastructure controls, unsafe application updates, or even web adverts infected with malware. Therefore using models such as Gartner’s Continuous Adaptive Risk Trust Assessment or Gartner’s Adaptive Security Architecture, which emphasize not only protection, but also detection, response and prediction, are key tools for the CISO and team.”

  1. The malware requires administrator rights on the local computer, which standard users should not have. Consider restricting who holds local admin rights so that the exploit code cannot execute within the organisation. Home users should also consider using a Standard User account for day-to-day work.
  2. Many Windows systems are configured to reboot automatically after a crash. This feature can be disabled in Windows. Because the MFT is encrypted only after the reboot, preventing that reboot leaves the MFT intact and your data still recoverable from the local disk.


“Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems,” he said. “It is when the machine is rebooted to encrypt the MFT that the real damage is done.”

Protect your organization

Mr. Care has seven steps for protecting your organization from Petya, WannaCry and similar attacks.

  1. Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.
  2. Consider disabling SMBv1 to prevent spreading of malware.
  3. Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  4. Ensure you have the latest updates installed for your anti-virus software; vendors are releasing updates to cover this exploit as samples are analyzed.
  5. Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share.
  6. Prevent users from writing data outside of designated areas on the local hard disk, to limit data loss if an attack occurs.
  7. Operate a least privileged access model with employees. Restrict who has local administration access.
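The two mitigations listed earlier (disabling automatic reboot after a crash and auditing local administrators) and the patch and SMBv1 steps above can be checked and applied from one elevated PowerShell session. The script below is an added example, not code from Gartner or Mr. Care; it assumes PowerShell 5.1 on Windows 8.1/10 or Server 2012 R2/2016 (for `Get-SmbServerConfiguration` and `Get-LocalGroupMember`), and the KB identifiers in `$Ms17010Kbs` are my own assumption for the Windows 7/8.1 and Server 2008 R2/2012 R2 March 2017 updates, to be verified against the MS17-010 bulletin for each OS build. Without `-Apply` it only reports.

```powershell
# Added example (not from the article): audit and harden a Windows host against
# the infection and spreading paths described above. Run elevated.
# -Apply makes the changes; the default is report-only.
[CmdletBinding()]
param([switch]$Apply)

# Step 1: MS17-010. KB ids below are an assumption for Win7/8.1 and Server
# 2008 R2/2012 R2 (security-only and monthly rollup); adjust per OS build and
# remember that later cumulative updates also contain the fix.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216')
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010: present ($($found.HotFixID -join ', '))"
} else {
    "MS17-010: no matching KB id found - confirm with patch management before assuming unpatched"
}

# Step 2: SMBv1. Report the server-side setting and disable it on -Apply.
# (On Windows 7 / 2008 R2 the equivalent is the SMB1 DWORD under
#  HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.)
$smb = Get-SmbServerConfiguration
"SMBv1 server protocol enabled: $($smb.EnableSMB1Protocol)"
if ($Apply -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMBv1 server protocol disabled"
}

# Automatic reboot after a crash: Petya crashes the machine and encrypts the
# MFT on the next boot, so a host that stays on the crash screen keeps its MFT.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$autoReboot = (Get-ItemProperty -Path $crashKey -Name AutoReboot).AutoReboot
"AutoReboot after crash: $autoReboot (1 = reboots automatically)"
if ($Apply -and $autoReboot -ne 0) {
    Set-ItemProperty -Path $crashKey -Name AutoReboot -Value 0 -Type DWord
    "AutoReboot set to 0"
}

# Step 7: least privilege. List local Administrators so that standard users
# or unexpected domain groups holding local admin rights stand out.
"Local Administrators group members:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it once without `-Apply` across a pilot group and compare the output; the `AutoReboot` change is the one setting a help desk will notice, since a crashed machine will now wait at the stop screen for someone to power-cycle it rather than coming back on its own.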




Gartner Clients can learn how to protect against ransomware in the Gartner Research Use These Five Backup and Recovery Best Practices to Protect Against Ransomware, by Jonathan Care.

Learn more about ransomware infection techniques and how to strengthen security architecture in the Gartner webinar Ransomware Protection: Facts and Myths.

Learn more about malware at the Gartner Digital Risk & Security hub for complimentary research and webinars.
