Petya: Large-scale ransomware campaign

Wednesday 28 June 2017

What’s going on?

A global outbreak of a new variant of ransomware called “Petya” is currently taking place. The ransomware is causing all kinds of problems at organizations worldwide. Media are focusing heavily on this issue because of the large scale at which the ransomware is spreading. Ransomware is a type of computer virus that takes files ‘hostage’ on a PC or across a network by encrypting them. Money is subsequently demanded to decrypt and unlock the files.

For further information, read these items:

https://tweakers.net/nieuws/126441/grote-petya-ransomwareaanval-treft-organisaties-meerdere-landen.html

http://nos.nl/artikel/2180251-meer-bedrijven-in-nederland-getroffen-door-ransomware-aanval.html

*** UPDATE: Paying a ransom is now pointless, as the mailbox has been taken offline by the attacker(s).

Why is this important?

The ransomware has been widely distributed and, just like WannaCry, appears to target unpatched Windows systems. The same vulnerability appears to have been abused: the one in version 1 of the SMB protocol. Because distribution is automatic, the infection can spread worldwide very quickly.

The assumption is that the ransomware is spread via e-mail, but this is not yet certain.

To whom does this apply?

The malware targets Windows systems. Every organization is therefore in fact susceptible, although automatic distribution will only succeed against unpatched systems.

Every Windows version includes Server Message Block (SMB), a standard component of all versions for exchanging files. Several weeks ago a vulnerability was found in SMB that allows a system to be infected through it by, for instance, malware/ransomware.

Each vulnerability receives a unique number, known as a CVE identifier. The identifiers for this vulnerability are CVE-2017-0143 up to and including CVE-2017-0148. Microsoft has registered it under bulletin number MS17-010.

You can find more information here: https://technet.microsoft.com/library/security/MS17-010
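As an added example (this is not DearBytes' or McAfee's tooling), the following PowerShell script reports whether a host still has the SMBv1 server protocol enabled and whether one of the MS17-010 updates is installed, and can switch SMBv1 off. The KB numbers are an assumption taken from the March 2017 MS17-010 bulletin and are not exhaustive; on Windows 10 later cumulative updates supersede them, so an empty KB result there means "check the build level", not "vulnerable". The SMB cmdlets need Windows 8/Server 2012 or later; on Windows 7 the script only reports the KB check.

```powershell
# Added example, not part of the original advisory.
# Checks MS17-010 posture on the local host and optionally disables the SMBv1 server side.
# Assumptions: run in an elevated PowerShell session; KB list copied from the March 2017
# MS17-010 bulletin (not exhaustive, superseded by later cumulative updates on Windows 10).
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, turn the SMBv1 server protocol off
)

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012598',                            # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Posture {
    # Which of the known MS17-010 updates are present on this host
    $installed = Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # SMBv1 server state; the cmdlet does not exist on Windows 7 / 2008 R2
    $smb1Enabled = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [System.Environment]::OSVersion.Version.ToString()
        Ms17010KbFound = ($installed -join ',')
        Smb1Enabled    = $smb1Enabled
        # Candidate for patching or network isolation: SMBv1 on and no known KB seen
        NeedsAttention = ($smb1Enabled -eq $true) -and (-not $installed)
    }
}

$posture = Test-Ms17010Posture
$posture | Format-List

if ($Remediate -and $posture.Smb1Enabled) {
    # Disabling the server side stops this host from being reached over SMBv1
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server protocol disabled on $($posture.ComputerName)"
}
```

Save it under an assumed name such as `Test-Ms17010.ps1` and run it with `-Remediate` only after confirming that nothing on the network still depends on SMBv1 (older printers, NAS devices and scanners often do); the report-only run is safe to push to all hosts through your management tooling to find candidates for the patch rollout described below.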

What can you do?

As Microsoft has already released patches, it is now a matter of rolling out these patches as quickly as possible. Given the potential impact and the probable lead time of a patch rollout, we also recommend additional mitigating measures for identifying affected systems and removing them from the network without delay.

Check your e-mail system for whether users have received a file called “Order-20062017.doc”, which appears to be part of the ransomware campaign.
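One way to carry out that check on an on-premises Exchange environment, as an added example rather than DearBytes' own procedure: the script below estimates which mailboxes contain a message carrying the attachment name above, and can copy the hits to a discovery mailbox for triage. It assumes the Exchange Management Shell (Exchange 2013/2016) and the Discovery Management role; the target mailbox name is a placeholder.

```powershell
# Added example, not part of the original advisory.
# Finds mailboxes holding a message with the reported attachment name and optionally
# copies those messages to a discovery mailbox (copy, not delete, to preserve evidence).
# Assumptions: Exchange Management Shell, Discovery Management role; placeholder target mailbox.
param(
    [string]$AttachmentName = 'Order-20062017.doc',
    [string]$TargetMailbox  = 'DiscoverySearchMailbox-PLACEHOLDER',
    [switch]$CopyHits
)

# KQL query restricted to the attachment file name so unrelated mail is not returned
$query = 'attachment:"{0}"' -f $AttachmentName

# Estimate only: no data is moved, just counts per mailbox
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

$hits | Select-Object Identity, ResultItemsCount | Format-Table -AutoSize

if ($CopyHits -and $hits) {
    foreach ($h in $hits) {
        # Copy each mailbox's matching items into its own folder for incident response review
        Search-Mailbox -Identity $h.Identity -SearchQuery $query `
            -TargetMailbox $TargetMailbox -TargetFolder "Petya-$($h.Identity)" -LogLevel Full
    }
}
```

The mailbox list returned by the estimate run is the set of users to contact and whose workstations to check first; the `-CopyHits` pass is for the incident response team, so keep it off until they ask for the samples.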

McAfee provides protection with an EXTRA.DAT, as well as via cloud-lookups with Global Threat Intelligence (GTI): https://kc.mcafee.com/corporate/index?page=content&id=KB89540&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

McAfee products detect this threat as Ransom-Petya with coverage from DAT Version 8574. This is an automatic daily update.

For AlienVault users, we suggest checking the AlienVault Open Threat Exchange (OTX). Through OTX, the IDS signatures are updated to detect the exploit toolkit (EternalBlue) and will generate an alarm.

For Fortinet users, we suggest reading https://fortinet.uberflip.com/petya-central and https://blog.fortinet.com/2017/06/27/new-ransomware-follows-wannacry-exploits for further information.

Have you been affected by ransomware, and are you seeking Incident Response assistance? Please contact our 24×7 helpline via: +31 (0)251-750250.

What does DearBytes do?

Endpoints managed by DearBytes are protected by the aforementioned detection means from McAfee.

In organizations where DearBytes manages vulnerability scanning, a scan on MS17-010 will be executed and results will be shared.