Petya Global Breach
Information to help keep your business protected.
In June there were numerous reports and heavy media coverage of a new ransomware attack originating in Ukraine and spreading across Europe. This attack has already been given several names, including Petya, NotPetya, Petrwrap and PetyaWrap.
As your managed security services provider we would like to provide some information on what this attack is, how it works and how you can mitigate it.
How it works
Like the recent WannaCry outbreak, Petya is generally distributed via URL links emailed to users, with the payload downloaded when a user clicks on one of the links. It spreads within a network in the same way as WannaCry, utilising the same Microsoft vulnerability, MS17-010.
From there, Petya operates differently to WannaCry: it encrypts the Master Boot Record of a system. This effectively destroys the index of files held on the computer, rendering the PC or server inoperable after a reboot, with no access to the files held locally.
What should you do?
The responses to Petya are the same as for WannaCry.
The most time-critical action is patching. In response to WannaCry, Microsoft released a patch for systems including end-of-life operating systems such as Windows XP (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598). It is essential to ensure your system patches are up to date, as per our previous communication in response to WannaCry.
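As an added example (not Tesserent's tooling), the following PowerShell check reports whether a Windows host has the MS17-010 fix installed and whether the SMBv1 server that MS17-010 covers is still enabled. It assumes KB4012598 is the relevant KB for the host; for other Windows versions the MS17-010 KB numbers differ, so pass the ones for your estate via -KnownKbs.

```powershell
# Added example: verify MS17-010 patch status and SMBv1 exposure on this host.
param(
    # KB4012598 is the patch cited above; add the MS17-010 KB numbers for your other OS versions.
    [string[]]$KnownKbs = @('KB4012598')
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is one of the known MS17-010 patches installed?
$installed = Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 patch present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($KnownKbs -join ', ') found; host may still be exposed to MS17-010."
}

# 2. Is the SMBv1 server still enabled? Get-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later; older hosts are checked via the registry.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    # An absent SMB1 value means SMBv1 is enabled by default on these versions.
    $smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
}
if ($smb1Enabled) {
    Write-Warning "SMBv1 server is enabled; disabling it removes the MS17-010 spreading path even before patching."
} else {
    Write-Host "SMBv1 server is disabled."
}
```

Run it as an administrator on each host, or wrap it in Invoke-Command to collect the results across the fleet.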
Apart from patching, user education is also very important, as the ransomware typically enters an organisation as a result of end-users clicking on links. You can access Tesserent's Cyber Savvy Tips here. This is an opportune time to discuss cyber security with your staff.
Other important things to have in place are current backups, and a response plan for ransomware attacks.
What Tesserent do
Tesserent continue to update the firewalls using feeds from the various global vendors; these updates are designed to prevent the ransomware entering an organisation via the Internet perimeter.
For our SIEMplicity customers, we are also working closely with the Open Threat Exchange community and applying new updates to the monitoring as they are available. Learn more about SIEMplicity and how it can optimise your network security.
As an example, we have just completed testing and applying one of the overnight feeds from the OTX, to ensure the alarms generated are High Risk. Please see data below.
Lastly, an important point about the MS17-010 Microsoft bug, which also applied to WannaCry: this bug is used to spread the infection from at least one infected host within an organisation's network. If all Windows hosts within an organisation have been patched, the ransomware will not spread from machine to machine; however, it will still infect the original machine on which the user clicked the link, encrypting the MBR on that host.
For more information, contact Tesserent