Petya Outbreak

By Tommy Abrahamsson



A new ransomware campaign has landed - again. And again, this should not be considered a group of evil hackers attacking businesses around the globe, but just another wormable virus.

Anyhow, let’s not get into a discussion about the definition; let’s look at what to do about it.

Generic Recommendations

  • Ensure systems are backed up (and restore works)
  • Patch now to prevent MS17-010 (
  • Review & Implement June Security Updates accordingly:

Technical Recommendations

  • Deploy the files c:\windows\perfc.dat & c:\windows\perfc as read-only
  • Block PSExec from running on your endpoints
    • Tip: Deploy this registry change, or we can suggest Thycotic Privilege Manager for Windows, to prevent the binary carrying the original filename psexec.c from running, regardless of what it has been renamed to
  • Block known checksums
    • Tip: Use Microsoft AppLocker or we can suggest Thycotic Privilege Manager for Windows to block executables matching the known bad checksums
  • Block known bad URLs
    • Tip: Use your web proxy or we can suggest using Blue Coat ProxySG
  • Block known bad network traffic
    • Tip: Use your network IPS or we can suggest using the following FortiGate IPS signatures:
    • MS.Office.RTF.File.OLE.autolink.Code.Execution
    • MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution
    • SMB.PSexec.Detection
  • Prevent Pass The Hash by using unique local administrator passwords
    • Tip: Use Microsoft LAPS or we can suggest Thycotic SecretServer
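As an added example (not part of the original post, nor code from Thycotic, Fortinet or any other vendor named above), the PowerShell below implements three of the technical recommendations as defender-side checks: it deploys the read-only perfc.dat and perfc files, inventories executables whose embedded original filename is psexec.c (the name PsExec carries in its version information), and scans a directory tree for files matching a list of SHA256 checksums. Assumptions: it runs elevated on a Windows host; the function names are mine; and the entries in $KnownBadSha256 are constructed placeholders, since the post does not list the checksums, so replace them with the hashes published by your vendor.

```powershell
#Requires -RunAsAdministrator

# Constructed placeholder hashes (NOT real indicators) - replace with vendor-published SHA256 values.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
)

function New-PerfcVaccineFile {
    <#
    Creates %WINDIR%\perfc.dat and %WINDIR%\perfc as empty, read-only files
    (the recommendation above) and returns the resulting state of each file.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$WindowsDir = $env:WINDIR)

    foreach ($name in 'perfc.dat', 'perfc') {
        $path = Join-Path -Path $WindowsDir -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create empty file')) {
                New-Item -Path $path -ItemType File | Out-Null
            }
        }
        if (Test-Path -LiteralPath $path) {
            # The post asks for read-only; set the attribute rather than rewriting the ACL.
            (Get-Item -LiteralPath $path).IsReadOnly = $true
        }
        $exists = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Path     = $path
            Exists   = $exists
            ReadOnly = $exists -and (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

function Find-PsExecBinary {
    <#
    Lists .exe files under $Root whose VersionInfo.OriginalFilename is psexec.c,
    which catches renamed copies. Use the output to decide where the filename
    block (AppLocker / Privilege Manager) needs to be enforced.
    #>
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.OriginalFilename -ieq 'psexec.c' } |
        Select-Object FullName, @{ Name = 'OriginalFilename'; Expression = { $_.VersionInfo.OriginalFilename } }
}

function Find-KnownBadFile {
    <#
    Hashes every file under $Root with SHA256 and reports those whose hash is
    in $Sha256. Get-FileHash returns uppercase hex, so the lookup table is
    normalised to uppercase as well.
    #>
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Sha256 = $KnownBadSha256
    )

    $lookup = @{}
    foreach ($h in $Sha256) { $lookup[$h.ToUpperInvariant()] = $true }

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($fh -and $lookup.ContainsKey($fh.Hash)) {
                [pscustomobject]@{ Path = $_.FullName; Sha256 = $fh.Hash }
            }
        }
}

# Example run; adjust the scan roots to your environment.
New-PerfcVaccineFile            | Format-Table -AutoSize
Find-PsExecBinary -Root 'C:\Users' | Format-Table -AutoSize
Find-KnownBadFile -Root 'C:\Users' | Format-Table -AutoSize
```

New-PerfcVaccineFile supports -WhatIf, so it can be previewed before rollout. Both Find-* functions only report; the actual blocking is done by the AppLocker or Privilege Manager policy the post recommends, and the scan output tells you which hosts and paths that policy must cover.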

Vendor References


Community References