Currently Petya Ransomware is affecting users of Windows worldwide. In response, a public service announcement from Praetorian IT Security has been issued due to the widespread and severe nature of this attack...
A major ransomware attack targeting Microsoft Windows systems is affecting large and small companies and systems alike, many of them critical, on a global scale.
What We Know
A new ransomware variant is spreading rapidly across the globe at the time of writing this email. There is not much in the way of consensus yet in the security research community, so the following information is provisional in nature:
The ransomware has been dubbed “Petya.” It is exploiting a vulnerability in Microsoft Office when handling RTF documents (CVE-2017-0199). It also exploits a vulnerability in SMBv1, which is the Microsoft file-sharing protocol. This second vulnerability has been dubbed EternalBlue and is described in Microsoft security bulletin MS17-010.
The ransomware has affected a large number of individuals, companies, organisations and government entities on a global scale.
Below is a screenshot of the ransomware page you are confronted with once your files are encrypted:
Behavioural analysis is provided in the YouTube video below.
What To Do
If you have not already done so, immediately install the MS17-010 patch from Microsoft.
If you currently run an unpatched Windows system, you may not have time to patch it before you are infected. Consider shutting down your machine, if feasible, and leaving it off the network until there is consensus in the security research community on what this exploits and how to protect against it.
If you are technically able to, we recommend you block network access to port 445 on your Windows workstations. If you are a security professional, you may also want to monitor traffic to that port.
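The three steps above (confirm MS17-010 is installed, stop SMBv1 exposure, block and watch port 445) can be carried out from one elevated PowerShell session. The script below is an added example written for this page; it is not part of the original announcement and not Praetorian's tooling. It assumes Windows 8.1 / Server 2012 R2 or later (the NetSecurity and SmbShare modules), the default Windows Firewall log location, and a representative subset of MS17-010 KB numbers; the authoritative per-OS KB list is in the MS17-010 bulletin, so extend `$Ms17010Kbs` for the builds you manage.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): host-side MS17-010 / SMB mitigation
# and a simple port-445 monitor. Assumptions: Windows 8.1 / Server 2012 R2 or
# later; KB list below is a representative subset, not the full MS17-010 list.

# --- 1. Check whether an MS17-010 update is installed --------------------
# Representative KBs: Windows 7 / Server 2008 R2 (KB4012212, KB4012215) and
# Windows 10 1607 (KB4013429). Add the KB for your OS from the bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4013429')

$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID }

if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No known MS17-010 update found on this host. Patch immediately.'
}

# --- 2. Disable the SMBv1 server protocol --------------------------------
# Set-SmbServerConfiguration is available on Windows 8 / Server 2012 and later;
# the registry value is the documented switch for older builds.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name 'SMB1' -Type DWord -Value 0 -Force
}

# --- 3. Block inbound SMB (TCP 445, and NetBIOS 139) at the host firewall --
foreach ($port in 445, 139) {
    $name = "Block inbound SMB TCP $port (ransomware mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Added firewall rule: $name"
    }
}

# --- 4. Monitor who is knocking on port 445 -------------------------------
# Log dropped packets on every profile, then summarise hits on TCP/445 by
# source address. A single internal host contacting many peers on 445 is the
# pattern a spreading SMB worm leaves behind.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# W3C field order used by pfirewall.log (see the '#Fields:' header in the file):
# 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
if (Test-Path $logPath) {
    Get-Content $logPath |
        Where-Object { $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($f.Count -ge 8 -and $f[3] -eq 'TCP' -and $f[7] -eq '445') {
                [pscustomobject]@{
                    Time     = "$($f[0]) $($f[1])"
                    Action   = $f[2]
                    SourceIP = $f[4]
                    DestIP   = $f[5]
                }
            }
        } |
        Group-Object SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'SourceIP'; Expression = { $_.Name } } |
        Format-Table -AutoSize
} else {
    Write-Host "Firewall log not present yet at $logPath; re-run after traffic has been logged."
}
```

Step 4 only reports packets the host firewall has already dropped, so it is a cheap per-host view, not a substitute for watching port 445 at the network edge; the source-address grouping is what makes lateral-movement attempts stand out from the one or two file servers a workstation normally talks to.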
Keep an eye on the Microsoft Security Response Center where they will hopefully release formal guidance soon.
Update your anti-virus definitions and run a scan on your system. You can find out which anti-virus products are detecting the current variant of Petya on this VirusTotal page. I’ve linked to one of the files involved in the infection. The page shows which AV vendors are currently detecting this file. NB: The green check marks mean the file is NOT detected by that AV vendor (it’s counterintuitive). Please note that currently Windows Defender is not detecting this ransomware.