"Petya" Ransomware Goes Global


There is a new strain of ransomware derived from the original called Petya. Some sites are calling it completely new, NotPetya, while others see it as a variant and call it PetWrap.

Whatever the case, the advice is always the same: look at how this is reportedly spreading, and put measures in place to mitigate as much as you possibly can.

According to many reports, Ukraine has been badly hit, and it has been seen in several high-profile UK business organisations.

It has also been confirmed that this ransomware uses the EternalBlue exploit, which was originally thought to have been developed by the US NSA as a digital weapon, and then subsequently leaked online by the hacker group known as the Shadow Brokers.

Businesses that have not yet put measures in place, such as disabling the (deprecated) SMB version 1 protocol or applying the Microsoft MS17-010 patch, should do so now or as soon as possible. We believe this won't be the last exploit of this nature. Simple measures such as black-holing the domain name used for the original WannaCry outbreak, or blocking known C&C servers, won't be effective against it, and you could find yourself fighting a reactive battle.

Businesses need to be robust in their security measures, have a solid response plan and be as responsive as they can to these modern threats; otherwise these strains will continue to develop and proliferate. Don't delay security patching.

What can you do?

Steps that we generally advise businesses to review, in no particular order:

  • Firewall - locate and block any Command and Control servers: create a rule that blocks all outbound traffic to those IP addresses.
  • This particular ransomware is reported to arrive through email, as a CV-type document or a general Word document. Are your email filters or perimeter email solution good enough to detect malicious code or links within documents?
  • Also widely reported is that it makes use of a Microsoft Office flaw - ensure that your Office security patches are up to date.
  • Disable SMB v1 throughout your estate, ideally through Group Policy, and look to deploy MS17-010 company-wide.
  • AV vendors / IPS protections - check with your providers to see if they have any specific protections available in updates that need to be enabled and put into effect.
  • Talk to your users: advise them to be wary of unknown, or in some cases known, emails arriving that ask them to do something. If in any doubt, a quick call to your Security Team or Help Desk could save a lot of hassle further down the line. From what we have seen so far, it's all going to be about phishing.
  • It's reported that creating a read-only file called C:\Windows\perfc.dat on your PC can prevent the file-scrambling part of this ransomware variant from running. But it won't prevent the general spread of the malware on the network. It's reported to be designed to run internally and spread over the network, and only then try to connect to the Internet to the C&C servers, unlike WannaCry, which attempted the connection as soon as it could.
  • Crucially, this variant attempts to gain administrator access initially, either through a specially crafted document (Word/Excel etc.) or through the EternalBlue exploit. It assumes that the majority of networks, flat in nature, use a single administrator account for all workstations, and so it can easily propagate itself.
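The host-level items in the list above (SMBv1 off, MS17-010 present, the read-only perfc.dat file, and an outbound block on C&C addresses) can be scripted. The PowerShell below is an added example written for this article; it is not code from the original post or from any vendor. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, that the MS17-010 KB numbers listed are the ones you have verified against Microsoft's bulletin for your OS versions, and it uses constructed placeholder IP addresses for the C&C block list, which you must replace with indicators from your own intelligence source.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# C&C addresses below are constructed placeholders; replace with your own indicators.
#Requires -RunAsAdministrator

# --- 1. Disable SMBv1 on this host (use Group Policy for an estate-wide rollout) ---
function Disable-Smb1 {
    # Server side: stop this machine offering SMB1 to clients
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature so the SMB1 driver is no longer present.
    # On Windows Server use: Remove-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Belt and braces: the registry value Group Policy would set (0 = disabled)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name 'SMB1' -Type DWord -Value 0
}

# --- 2. Check whether an MS17-010 update is installed ---
# KB numbers published with MS17-010 in March 2017. Verify this list against the
# bulletin for your OS versions before relying on it (assumption, not from the article).
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
                'KB4012598','KB4012606','KB4013198','KB4013429')

function Test-Ms17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Host "MS17-010 appears installed: $($found -join ', ')"
        return $true
    }
    # Later cumulative updates supersede these KBs, so absence is a prompt to check
    # Windows Update history, not proof the host is unpatched.
    Write-Warning "No MS17-010 KB found in Get-HotFix output; confirm via Windows Update."
    return $false
}

# --- 3. Read-only C:\Windows\perfc.dat (reported to stop the file-scrambling part only) ---
function New-PerfcVaccine {
    $path = Join-Path $env:SystemRoot 'perfc.dat'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    Write-Host "Read-only file present at $path (this does not stop network spread)."
}

# --- 4. Outbound firewall rule blocking known C&C addresses ---
function Block-C2Addresses {
    param([string[]]$Addresses)
    $name = 'Block Petya C2 (outbound)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        # Rule already exists: refresh its address list
        Set-NetFirewallRule -DisplayName $name -RemoteAddress $Addresses
    } else {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -RemoteAddress $Addresses -Profile Any | Out-Null
    }
    Write-Host "Outbound traffic to $($Addresses.Count) address(es) is now blocked."
}

# Constructed placeholder list (RFC 5737 documentation ranges): substitute real indicators.
$C2Placeholders = @('192.0.2.10', '198.51.100.25')

Disable-Smb1
Test-Ms17010 | Out-Null
New-PerfcVaccine
Block-C2Addresses -Addresses $C2Placeholders
```

The SMBv1 change needs a reboot to fully take effect, and the perfc.dat file is a stop-gap for one component only; the patch and the protocol change are the measures that actually close the EternalBlue path.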

For general advice, get in contact with support@networkandsecurity.co.uk or give one of us a call on 0203 319 3930.


Bryce Anderson

LDWorkflows are tailored processes including, Manufacturing ERP, Sales and CRM, Staffing Agency Workforce Compliance and Rotas

6y

Does this affect Mac users or only Microsoft Windows?

