Petya Outbreak

By Tommy Abrahamsson


Background

A new ransomware campaign has landed, again. And again, this should not be seen as a group of evil hackers attacking businesses around the globe, but as just another wormable virus.

Anyhow, let’s not get into a discussion of what the definition is; let’s look at what to do about it.

Generic Recommendations

  • Ensure systems are backed up (and verify that restore actually works)
  • Patch now against MS17-010 (the SMBv1 vulnerabilities used by WannaCrypt): https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Review and deploy the June security updates, and make sure the fix for CVE-2017-0199 (the Office/WordPad OLE remote code execution flaw) is also applied: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Technical Recommendations

  • Deploy the files c:\windows\perfc.dat and c:\windows\perfc as read-only
    • This is a per-host vaccine, not a kill switch: it only stops the known payload from running on the machine where the files exist, so it must be deployed to every endpoint.
    • https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
  • Block PsExec from running on your endpoints
    • Tip: Deploy this registry change, or we can suggest Thycotic Privilege Manager for Windows, to block the binary by its original filename, psexec.c (the OriginalFilename field in PsExec’s version resource, which still matches when the file has been renamed on disk)
  • Block known checksums
    • Tip: Use Microsoft AppLocker, or we can suggest Thycotic Privilege Manager for Windows, to block the known bad checksums
  • Block known bad URLs
    • Tip: Use your web proxy, or we can suggest Blue Coat ProxySG
  • Block known bad network traffic
    • Tip: Use your network IPS, or we can suggest the following FortiGate IPS signatures:
    • MS.Office.RTF.File.OLE.autolink.Code.Execution
    • MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution
    • SMB.PSexec.Detection
  • Prevent Pass-the-Hash by using unique local administrator passwords on every host
    • Tip: Use Microsoft LAPS, or we can suggest Thycotic Secret Server
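The two host-level recommendations above (the perfc vaccine and blocking renamed PsExec or known-bad checksums) can be carried out and verified from one elevated PowerShell session. The script below is an added example written for this post, not code from the original author or from any of the vendors named; the file names come from the post and the linked BleepingComputer article (which also lists perfc.dll), the scan directories are assumptions, and the SHA-256 list is an empty placeholder to be filled from the vendor and community references, since no hashes are reproduced here.

```powershell
# Added example: host-level NotPetya response on one Windows endpoint.
# Run in an elevated PowerShell session (5.x or later).

# 1. Vaccine: create the files the payload checks for and mark them read-only.
function Deploy-PerfcVaccine {
    param(
        # perfc and perfc.dat are from the post; perfc.dll is listed in the linked article.
        [string[]]$Names  = @('perfc', 'perfc.dat', 'perfc.dll'),
        [string]  $WinDir = $env:SystemRoot   # normally C:\Windows
    )
    foreach ($name in $Names) {
        $path = Join-Path $WinDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path | Out-Null   # empty file is enough
        }
        # Read-only attribute so the dropper cannot simply overwrite the file.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Get-Item -LiteralPath $path | Select-Object FullName, IsReadOnly, Length
    }
}

# 2. Hunt: find PsExec by the OriginalFilename in its version resource ("psexec.c"),
#    which survives renaming on disk, and flag files whose SHA-256 is on a bad list.
function Find-SuspectBinaries {
    param(
        # Assumed scan locations; extend as needed. Not recursive by default because
        # hashing all of C:\Windows is slow; pass -Recurse to walk subdirectories.
        [string[]]$Paths = @($env:SystemRoot, "$env:SystemRoot\Temp", $env:TEMP, $env:ProgramData),
        # Placeholder: populate from the vendor/community references in this post.
        [string[]]$KnownBadSha256 = @(),
        [string]  $PsExecOriginalName = 'psexec.c',
        [switch]  $Recurse
    )
    $bad = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $KnownBadSha256) { [void]$bad.Add($h) }

    Get-ChildItem -Path $Paths -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.dat', '.tmp' -or $_.Extension -eq '' } |
        ForEach-Object {
            $file    = $_
            $orig    = $file.VersionInfo.OriginalFilename   # PE version resource, not the on-disk name
            $hash    = $null
            try { $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash } catch { }
            $reasons = @()
            if ($orig -and $orig -ieq $PsExecOriginalName) { $reasons += "OriginalFilename=$orig" }
            if ($hash -and $bad.Contains($hash))            { $reasons += 'known-bad SHA256' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Path = $file.FullName; Sha256 = $hash; Reason = ($reasons -join '; ') }
            }
        }
}

Deploy-PerfcVaccine
Find-SuspectBinaries | Format-Table -AutoSize
```

Matching on the version-resource OriginalFilename rather than the path is the point of the PsExec recommendation: a copy dropped under another name still carries psexec.c in its version info, so a path-based block list misses it while an AppLocker publisher rule or a product such as Privilege Manager that reads the version resource does not. For fleet-wide rollout, run the vaccine function as a computer startup script via Group Policy rather than by hand.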

Vendor References

  • https://success.trendmicro.com/solution/1117665
  • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/june/live-incident-blog-june-global-ransomware-outbreak/

Community References

  • https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
  • https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/