30 March 2016
For some days now a new type of ransomware has been in the news, primarily in Europe. The post ‘PETYA Ransomware Corrupts Windows’ Boot Record’, published yesterday on LIFARS, made me curious.
If something can overwrite the boot record of a modern Windows operating system, that is a sign that something is wrong. And by modern Windows operating system I mean everything from Microsoft starting with Windows Advanced Server 3.1.
Under normal conditions, administrative privileges are required to overwrite the boot sector. So if PETYA can overwrite the boot sector, this indicates that the current user works with administrative privileges. Unfortunately, malware can auto-elevate if UAC is not set to the highest level, ‘Always notify me’. In that case the user does not need to work with permanent administrative privileges. Indeed, a report on PETYA in the German PC-Magazine confirms that PETYA uses auto-elevation.
With this, defending against PETYA is an easy job from a technology point of view:
- Revoke permanent administrative rights from all users and
- Set UAC to ‘Always Notify Me’ as default.
The latter can be implemented as a global group policy with just a few clicks. Some user and helpdesk training is required in advance to ensure a smooth transition.
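The two measures above can be verified on an individual machine. The following PowerShell script is an added example and not part of the original post: it reads the registry values that the UAC policy settings write (the ‘Always notify’ slider position corresponds to ConsentPromptBehaviorAdmin = 2, PromptOnSecureDesktop = 1 and EnableLUA = 1 under the Policies\System key), lists local accounts holding permanent administrative rights, and can optionally set the local values to ‘Always notify’. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session for the optional remediation; the `-Remediate` switch and the function names are the example's own.

```powershell
# Added example (not from the original post): audit UAC level and local
# Administrators membership on one Windows machine and report whether they
# match the recommendation (UAC at "Always notify", no permanent admin rights).
# Assumption: Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module; reading the policy key works unprivileged, writing it needs elevation.
#Requires -Version 5.1
[CmdletBinding()]
param(
    # Pass -Remediate to write the "Always notify" values locally. Fleet-wide,
    # a group policy is the right tool; this switch is for a single box or a lab.
    [switch]$Remediate
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values behind the UAC slider. "Always notify" = prompt for consent on the
# secure desktop (ConsentPromptBehaviorAdmin 2), secure desktop on (1),
# Admin Approval Mode on (EnableLUA 1).
$Expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

function Get-UacSetting {
    # Returns a hashtable of the three values; a missing value comes back as $null.
    $props  = Get-ItemProperty -Path $PolicyKey
    $result = @{}
    foreach ($name in $Expected.Keys) {
        $result[$name] = $props.$name
    }
    return $result
}

function Test-UacAlwaysNotify {
    param([hashtable]$Current)
    $ok = $true
    foreach ($name in $Expected.Keys) {
        if ($Current[$name] -ne $Expected[$name]) {
            Write-Warning ("UAC: {0} is '{1}', expected {2}" -f $name, $Current[$name], $Expected[$name])
            $ok = $false
        }
    }
    return $ok
}

function Get-PermanentAdmin {
    # Every member of the local Administrators group except the built-in
    # Administrator account (RID 500) counts as "permanent administrative
    # rights" in the sense of the post. Domain groups show up here too.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -notlike '*-500' }
}

# --- run ---------------------------------------------------------------------
$current = Get-UacSetting
if (Test-UacAlwaysNotify -Current $current) {
    Write-Host 'UAC is at the highest level (Always notify).'
}
elseif ($Remediate) {
    foreach ($name in $Expected.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Expected[$name] -Type DWord
    }
    Write-Host 'UAC set to Always notify; the change applies at the next logon.'
}
else {
    Write-Host 'UAC is below Always notify; rerun with -Remediate or set it via group policy.'
}

$admins = @(Get-PermanentAdmin)
if ($admins.Count -gt 0) {
    Write-Warning 'Accounts with permanent administrative rights on this machine:'
    $admins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
}
else {
    Write-Host 'No accounts besides the built-in Administrator hold permanent admin rights.'
}
```

Run it without switches as an audit before the rollout and again afterwards to confirm that the group policy actually landed on the machine; a domain policy that sets these values will show up in the same registry key, so the check does not care whether the setting came from the slider, from the local security policy or from a GPO.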
The hard job is to make sure that the complex application universe in a company still works after the change. But thanks to the great progress made with UAC since Windows Vista, this should be possible now. The money spent on application testing is well invested, because waiving permanent administrative privileges and setting UAC to the highest level solves lots of security problems at a single blow.
Have a good day … and check your UAC settings.