[BruCERT] Alert on global spread of Ransomware Petya

Background

On 27th June 2017, BruCERT was alerted to the global spread of a ransomware inspired by WannaCry, identified as Petya. Petya is more dangerous and intrusive: it encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR) with a custom bootloader that displays a ransom note and prevents victims from booting up. The new Petya version also includes a similar SMB worm based on the EternalBlue exploit.

Petya spreads via email spam with booby-trapped Office documents. Once opened, the documents download and run the Petya installer and execute the SMB worm to spread to other computers.

Affected system

The following Microsoft operating systems are currently suspected to be vulnerable:

  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2

 

Recommendations

BruCERT advises all users and companies with affected systems listed above to:

  • Ensure that their Windows-based systems are fully patched.
  • Ensure that their anti-virus software is updated with the latest malware definitions.
  • Perform file backups and store them offline in case they need to restore their systems following an attack.

On top of the standard guidelines, for legacy systems or where patching is difficult or impossible:

  • Implement network segmentation to mitigate Petya's spread.
  • Physically disconnect vulnerable systems and/or critical network segments from the Internet.
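
An added example, not BruCERT's or Microsoft's own code: a read-only PowerShell audit that reports whether SMBv1, which the "Turn off SMB1" reference below advises disabling, is still enabled on the local host. The function names are hypothetical, and the script assumes an elevated Windows PowerShell prompt.

```powershell
# Added example: read-only audit of SMBv1 state on the local host.
# Function names are hypothetical; nothing here changes system settings.

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Vista / Server 2008 (R2): registry value SMB1 under LanmanServer.
    # A missing value means the default applies, which is "enabled".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Get-Smb1ClientState {
    # The SMBv1 client is the mrxsmb10 driver; Start = 4 means disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $svc = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }   # driver not present on this host
    return ($svc.Start -ne 4)
}

function Get-Smb1Audit {
    $server = Get-Smb1ServerState
    $client = Get-Smb1ClientState
    # New-Object is used instead of [pscustomobject] so the script also
    # runs on the PowerShell 2.0 shipped with Windows 7 / Server 2008 R2.
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.VersionString
        Smb1ServerEnabled = $server
        Smb1ClientEnabled = $client
        NeedsAction       = ($server -or $client)
    }
}

Get-Smb1Audit | Format-List

# Remediation on Windows 8 / Server 2012 and later (run deliberately, not by this audit):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# On Windows 8.1 / 10 / Server 2012 R2 and later the feature can be removed entirely:
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Disabling SMBv1 does not replace the MS17-010 update; hosts reporting `NeedsAction = True` should be both patched and reconfigured.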

 

References

Hackers strike across Europe : http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-att...

Install required Windows updates (MS17-010): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Turn off SMB1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disab...