Petya Ransomware Attack

This morning, as you wake from a hopefully restful night’s sleep, you may hear news of a new ransomware attack that is reported to have successfully compromised a reasonable number of organisations around the world, including here in Australia.

This latest ransomware, a variant of Petya, exploits the same SMB (Server Message Block) vulnerability as the recent WannaCry/WannaCrypt ransomware event from May 2017 (http://www.ipsec.com.au/blog/ipsec-advice-on-wannacry-ransomware-outbreak/). There is also evidence that it is using WMIC (Windows Management Instrumentation Command-line) and a Ukrainian tax software package that had an update compromised, which would explain the large number of infection reports coming out of Ukraine.

IPSec’s advice for protecting against this latest attack is largely the same as that provided for the WannaCry/WannaCrypt ransomware:

  1. Implement the patch provided by Microsoft for the SMB vulnerability in March 2017 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
  2. Verify that all critical systems are suitably backed up and that their back-ups are regularly verified.
  3. Verify that all end-point security solutions (including anti-virus/anti-malware applications) are updated with their latest signature sets and updates.
  4. Ensure that all email security solutions are up to date and that staff have been reminded not to open unsolicited email attachments, and to verify with the sender before opening any email attachment, as there are some early reports of possible phishing techniques being used.

For IPSec customers utilising our IPSec Guard solution or who engage IPSec for managed security services, IPSec is monitoring your logs for indicators of compromise.
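As an added example (not part of the original advisory, and not IPSec’s own monitoring logic), the Python sketch below shows one way to look for the WMIC activity mentioned above in process-creation logs: it flags hosts that use wmic.exe to start processes on several other machines. The record layout, host names, sample events and the threshold of 3 are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry): (host, process image, command line),
# as process-creation auditing with command-line logging would provide them.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    ("WS-014", WMIC, r'wmic /node:"10.0.5.21" process call create "cmd.exe /c example.bat"'),
    ("WS-014", WMIC, r'wmic /NODE:10.0.5.22 process call create "cmd.exe /c example.bat"'),
    ("WS-014", WMIC, r'wmic /node:"10.0.5.23","10.0.5.21" PROCESS CALL CREATE "cmd.exe /c example.bat"'),
    ("ADMIN-01", WMIC, r'wmic /node:"FS-01" process call create "msiexec /i agent.msi /qn"'),
    ("WS-020", WMIC, r"wmic os get caption"),
    ("WS-020", WMIC, r'wmic /node:localhost process call create "notepad.exe"'),
    ("WS-031", r"C:\Windows\System32\cmd.exe", r"cmd /c echo wmic /node:10.0.5.9 process call create x"),
]

NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)
CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}

def remote_wmic_targets(image, cmdline):
    """Return the remote hosts a wmic.exe command line starts a process on (empty set if none)."""
    if image.lower().rsplit("\\", 1)[-1] != "wmic.exe":
        return set()
    if not CREATE_RE.search(cmdline):
        return set()
    targets = set()
    for match in NODE_RE.finditer(cmdline):
        # /node: accepts a comma-separated list; entries may be quoted.
        for name in match.group(1).split(","):
            name = name.strip("\"'").lower()
            if name and name not in LOCAL_NAMES:
                targets.add(name)
    return targets

def fan_out(events, threshold=3):
    """Map each source host to its remote WMIC targets when it reached `threshold` or more."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        seen[host] |= remote_wmic_targets(image, cmdline)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}

if __name__ == "__main__":
    for host, targets in fan_out(SAMPLE_EVENTS).items():
        print(f"{host}: remote WMIC process creation on {len(targets)} hosts: {targets}")
```

Remote `wmic` use by administrators is legitimate, so the fan-out threshold should be tuned to each environment, and known management hosts reviewed rather than silently excluded.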
