Petya Ransomware


Since Tuesday 27th June 2017, many IT systems around the world have been impacted by the PETYA Ransomware (virus).

PETYA exploits a vulnerability within Microsoft Windows to spread across the network.
The virus encrypts the master file table (MFT) of the system's NTFS volume and
overwrites the master boot record (MBR) with a customised loader.

These actions render the machine unusable, as
the information required to boot the machine and to locate its files is no longer available.

The PETYA virus demands $300, to be paid in
Bitcoin, to unlock the affected device. However, paying the ransom is no guarantee that the files will be restored
and might just encourage further attacks. Once a device is infected, and before it makes the device inoperable, the
malware scans the network for other reachable systems and starts to propagate around your environment.

To reduce the risk of being infected, it is strongly recommended that the below advice is followed:

  • Inform end users to be vigilant
    • Be alert! Do not click on strange or potentially
      harmful links within your emails.
    • Be aware! Do not open attachments with the
      following file names:

      • myguy.xls
      • myguy.exe
      • Order-20062017.doc
    • Be aware when visiting websites, some sites may
      be unsafe / unreliable – if unsure do not continue.
    • Be aware of fraudulent e-mail messages whose sender
      names or addresses imitate popular services, for
      example a misspelt or slightly altered "PayPal", or a
      genuine service name padded with extra characters.
    • Keep your files backed up regularly – storing data
      centrally in a cloud service such as Office 365
      reduces the risk of losing it, provided the service
      keeps previous versions rather than just a synchronised
      copy of the files on the local machine.
  • Tell your staff to report any suspected incident to
    your service desk provider straight away.
  • Ensure that all firewalls are up to date and that all
    patches and rules have been implemented
    universally.
  • Ensure secure backups including off site backups of
    all critical systems are in place.
  • Provide users with facilities to back up their data or
    better still hold critical data in centralised cloud
    platforms that are protected and backed up.
  • Run intrusion detection reports or review logs, to
    ascertain if rogue traffic is being blocked and
    indicators of compromise (IOC) are being detected.
  • Run vulnerability scans of your environment to
    ensure you know the state of all network connected
    devices and action any that are out of date or not
    patched in line with your Organisation policy.
  • Run checks and provide training to users on how to
    recognise and avoid phishing attacks.
  • Ensure that Windows operating systems and
    Microsoft software, such as Office are patched to the
    latest level where possible and that processes are in
    place to maintain the patched status of all systems.
    Note that reboots are often required to complete
    updates and these should be part of your patching
    process.
  • Check service releases of your software. Many
    patches require specific service releases to be in
    place in order to install correctly.
  • Make sure infrastructure devices are properly
    patched (including firmware) and protected before
    they can connect to your network or systems.
  • Ensure that Antivirus / Anti-malware solutions are in
    place and kept up to date and that they are scanning
    all files on the systems.
  • If possible disable Microsoft SMB 1.0 (SMBv1) support on
    all Windows clients and servers.
  • If possible remove older fileserver shares and move
    to more secure network access methods.
  • Work to remove older operating systems from the
    environment as these are more vulnerable and
    harder to maintain, compared to newer software.
  • If vulnerable devices cannot be patched look to
    remove or isolate them from the network.
  • Implement monitoring solutions that can give early
    warning of any unusual or suspicious behaviour on
    your network.
  • Contact your key suppliers to ascertain how likely
    they are to be impacted.
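The SMBv1 and firewall items above, carried out on a single Windows host, as an added example that is not part of the original advisory. The Smb* and NetFirewall* cmdlets exist on Windows 8.1 / Server 2012 R2 and later, the AuditSmb1Access setting on Windows 10 / Server 2016 and later, and the registry fallback is the one Microsoft documents for Windows 7 / Server 2008 R2. The firewall rule name is an assumption made for this example.

```powershell
# Added example, not part of the original advisory: harden one Windows host
# against SMBv1-based spread. Run in an elevated PowerShell (4.0+) session.
# The firewall rule name below is an assumption made for this example.
#Requires -RunAsAdministrator

function Get-Smb1State {
    # Report the SMB1 server setting and whether SMB1 access auditing is on.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1AuditEnabled  = $cfg.AuditSmb1Access   # $null where the build lacks it
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Turn auditing on first: remaining legacy clients then show up in the
        # Microsoft-Windows-SMBServer/Audit log (event ID 3000) and can be
        # fixed, instead of failing silently once the protocol is cut off.
        try { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }
        catch { Write-Warning 'SMB1 access auditing is not supported on this build' }
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 have no Smb* cmdlets; Microsoft documents
        # the LanmanServer registry value instead. Takes effect after a reboot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Remove the SMB1 components entirely where the OS allows it (reboot needed).
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        # Client SKU (Windows 8.1 / 10)
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    } elseif (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKU (2012 R2 / 2016)
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmbOnPublicProfile {
    # A laptop on an untrusted network must not be reachable on TCP 445.
    # Inside the perimeter the same port should be blocked at the border
    # firewall; this rule only covers the host itself.
    $name = 'Block inbound SMB (TCP 445) - Public profile'   # assumed name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

Get-Smb1State
Disable-Smb1
Block-InboundSmbOnPublicProfile
Get-Smb1State   # re-check: Smb1ServerEnabled should now read False
```

Run the script once per host, or push it through your management tooling, and reboot afterwards so the feature removal completes (the advisory's note that reboots are part of patching applies here too). Keep the audit log under review for a few days before the change reaches servers that older printers, scanners or appliances may still talk to over SMBv1.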

DO NOTs

  • Do not assume that because patches are installed you are protected.
    OS patches close the Windows vulnerability the malware uses to spread, so a patched machine cannot be
    infected that way by other devices on the network. They do not stop a user infecting it by opening a
    malicious attachment. Up to date Antivirus/Anti-malware solutions are an additional
    level of protection to help prevent infection.
  • Do not assume that your border protection systems alone will be able to protect your
    infrastructure. Often the malware responsible for these attacks works inside the firewall, having been
    invited in by employees clicking links within rogue emails or web sites.
  • Do not assume that because you have rolled out a patch that all devices are protected.
    You will need to monitor and check logs to confirm successful implementation.
  • Do not leave unused systems in production environments.
    Often these become neglected and provide routes of entry to your networks and systems.

4 key areas to monitor

  1. Monitor for SMBv1 use on any devices.
  2. PETYA uses 4 identified IP addresses and 2 domains,
    listed below. Block these at the perimeter and monitor
    for inbound and outbound communication with them:
    o 84.200.16.242
    o 185.165.29.78
    o 111.90.139.247
    o 95.141.115.108
    o French-cooking.com
    o Coffeinoffice.xyz
  3. Monitor for TCP port 445 traffic traversing your
    network perimeter.
  4. Search computers for any instances of the following
    files. If any are found, remove the device from the
    network straight away and investigate the machine
    offline:
    o myguy.xls
    o myguy.exe
    o Order-20062017.doc
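A host-side triage script covering the four areas above, as an added example that is not part of the original advisory. The IP addresses, domains and file names are the indicators listed on this page; the search roots, the 24-hour log window, the RFC 1918 filter used for the port 445 check and the adapter-isolation step are assumptions made for this example. Perimeter firewall and IDS logs remain the authoritative source for area 3; the script only shows what one host can see.

```powershell
# Added example, not part of the original advisory: triage one Windows host
# against the four monitoring areas. Indicator values are the ones listed in
# the advisory; search roots, time window, RFC 1918 filter and the isolation
# step are assumptions. Needs an elevated session on Windows 8.1 / 2012 R2+.
#Requires -RunAsAdministrator

$IocIps     = '84.200.16.242', '185.165.29.78', '111.90.139.247', '95.141.115.108'
$IocDomains = 'french-cooking.com', 'coffeinoffice.xyz'
$IocFiles   = 'myguy.xls', 'myguy.exe', 'Order-20062017.doc'

function Get-Smb1AccessEvents {
    # Area 1: SMB1 access audit events (ID 3000). Only written once
    # Set-SmbServerConfiguration -AuditSmb1Access $true has been applied.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Get-IocNetworkHits {
    # Area 2: live TCP connections to the listed addresses, plus cached DNS
    # answers for the listed domains (a cache entry means this host resolved
    # the name, whether or not a connection followed).
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $IocIps -contains $_.RemoteAddress } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Connection'; Indicator = $_.RemoteAddress
                               Detail = "PID $($_.OwningProcess) $($_.State)" }
        }
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $e = $_.Entry; @($IocDomains | Where-Object { $e -like "*$_" }).Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'DnsCache'; Indicator = $_.Entry; Detail = $_.Data }
        }
    @($conns) + @($dns)
}

function Get-ExternalSmbConnections {
    # Area 3, host view: SMB sessions to addresses outside RFC 1918 / loopback.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$|::)' } |
        Select-Object LocalAddress, RemoteAddress, State, OwningProcess
}

function Get-IocFileHits {
    # Area 4: the file names given in the advisory. Roots are assumed; widen
    # them to the whole system drive if time allows.
    param([string[]]$Roots = @("$env:SystemDrive\Users", "$env:windir\Temp"))
    Get-ChildItem -Path $Roots -Recurse -Force -Include $IocFiles -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Invoke-HostTriage {
    # Collect all four areas. With -IsolateOnHit, disable the physical adapters
    # on a positive file or network hit so the machine can be investigated
    # offline; it stays powered on so volatile data survives.
    param([switch]$IsolateOnHit)
    $report = [ordered]@{
        Computer    = $env:COMPUTERNAME
        Smb1Events  = @(Get-Smb1AccessEvents)
        NetworkHits = @(Get-IocNetworkHits)
        ExternalSmb = @(Get-ExternalSmbConnections)
        FileHits    = @(Get-IocFileHits)
    }
    $report.Suspect = ($report.NetworkHits.Count -gt 0) -or ($report.FileHits.Count -gt 0)
    if ($report.Suspect -and $IsolateOnHit) {
        Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
            Disable-NetAdapter -Confirm:$false
    }
    [pscustomobject]$report
}

Invoke-HostTriage | Format-List
```

A non-empty SMB1 event list is a finding in its own right even without indicator hits: it names the client that still speaks SMBv1 and should be fixed before the protocol is disabled. Run with `-IsolateOnHit` only from a console session, since disabling the adapters will also drop your remote connection, and capture the report before you do so.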