Petya Ransomware! Stay Secure!

    Alert Type - Severe - Ransom:Win32/Petya (US-CERT & Microsoft)

    A new ransomware dubbed Petya was unleashed on 27th June 2017. It affected a number of multinational corporations, as well as critical national infrastructure in several countries. The latter included the Kiev metro system & the radiation monitoring system at Chernobyl, both in Ukraine, & the port of Rotterdam in the Netherlands. The malware is spreading using a vulnerability in Microsoft Windows systems (MS17-070) that the software giant patched in March & April 2017, the same bug that was exploited by the recent & devastating WannaCry ransomware attack.

    What is Petya Ransomware?
    Petya / Petrwrap / NotPetya / GoldenEye is ransomware that affects Microsoft Windows-based systems. This ransomware family, though the current outbreak is smaller than the earlier WannaCry attack, has been active since mid-2016 & took a new form by using EternalBlue & EternalRomance for exploitation & propagation.

    Why is Petya more sophisticated?
    The new variant of Petya ransomware drops the Petya & Mischa payloads & starts encrypting the Master Boot Record (MBR) after the system reboots. Given this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect a whole network.

    Unlike other ransomware, it encrypts the MBR within 60 minutes of infection. During those 60 minutes it uses its propagation techniques to compromise other machines on the network. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT); if the MFT is corrupted, the file system structure on the disk becomes unusable. It also overwrites the MBR with a custom bootloader that shows a ransom note & prevents the victim from booting their computer. This means that once a machine is infected it is in a complete lock-down state.

    What do I do now?
    To defend your company from the spread of malware, it is essential that you are equipped to detect & defeat it in real time. Recommended immediate best practices -
    1. Back up data regularly - Verify their integrity & test the restoration process.
    2. Audit firewall, server & IPS configurations - Block access to known malicious IP addresses & SMB ports 139 & 445, & disable SMBv1 & WMIC on servers & AD.
    3. Segmentation - Segmenting the LAN & Networks will help prevent the propagation of malware.
    4. Patch operating systems, software, & firmware on devices - Use a centralized patch-management system.
    5. Use the principle of "least privilege" to manage accounts - No user should be assigned administrative access unless absolutely needed. Suspend network access rights for admin users for the time being.
    6. Scan all incoming & outgoing emails - Detect threats & filter executable files before they reach end users, using sandboxing.
    7. Enable strong spam filters to prevent phishing emails - Authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC), & DomainKeys Identified Mail (DKIM) to prevent spoofing.
    8. Enable strong protection against Advanced Persistent Threats - For both network & endpoints.
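    The SMBv1 & port-blocking part of step 2, as an added example that is not part of the original post: an audit-then-harden script for Windows 8.1 / Server 2012 R2 & later, assuming an elevated PowerShell session & the standard built-in SmbShare, DISM & NetSecurity cmdlets. The rule name & the -Audit switch are this example's own choices.

```powershell
# Added example (not from the eUKhost post): audit & harden SMBv1 exposure on a host.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.
# Run with -Audit to report only; without it the script applies the changes.
param([switch]$Audit)

function Get-Smb1State {
    $srv  = Get-SmbServerConfiguration
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb1FeatureState  = if ($feat) { $feat.State } else { 'NotPresent' }
    }
}

function Get-SmbBlockRules {
    # Enabled inbound block rules whose port list names 139 or 445 explicitly
    # (rules written as a range such as 137-139 are not matched here).
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains '139') -or ($ports -contains '445')
        } | Select-Object DisplayName
}

$state = Get-Smb1State
$rules = @(Get-SmbBlockRules)
Write-Host "SMB1 server enabled : $($state.Smb1ServerEnabled)"
Write-Host "SMB1 feature state  : $($state.Smb1FeatureState)"
Write-Host "Inbound block rules on 139/445: $($rules.Count)"

if ($Audit) { return }

if ($state.Smb1ServerEnabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($state.Smb1FeatureState -eq 'Enabled') {
    # Feature removal takes effect after the next reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
if ($rules.Count -eq 0) {
    # Host-level block of inbound NetBIOS/SMB; add -RemoteAddress to keep
    # file sharing working from trusted subnets only.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 139/445 (Petya mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
}
```

Run it once with -Audit across your estate before applying, since blocking 445 on a file server or domain controller will break legitimate shares & AD traffic unless the rule is scoped.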

    For any information on securing your systems, please contact our 24x7 Support Team.
    Rock _a.k.a._ Jack Daniel
