Since Tuesday 27th June 2017, many IT systems around the world have been impacted by the PETYA ransomware.
PETYA exploits a vulnerability in the Microsoft Windows SMBv1 service (the one addressed by Microsoft security bulletin MS17-010) to reach other machines.
The malware encrypts the NTFS Master File Table (MFT) and
overwrites the Master Boot Record (MBR) with a customised loader.
These actions render the machine unusable, as
the information normally required to boot the machine is no longer available.
The PETYA ransom note demands $300, to be paid in
Bitcoin, to unlock the affected device. However, paying the ransom is no guarantee that the files will be restored,
and it may simply encourage further attacks. Once a device is infected, and before the device is made inoperable, the
malware scans the network for other systems that are online and starts to propagate around your environment.
To reduce the risk of being infected, it is strongly recommended that the advice below is followed:
- Inform end users to be vigilant.
- Be alert! Do not click on strange or potentially harmful links within your emails.
- Be aware! Do not open attachments with the following file names:
  o myguy.xls
  o myguy.exe
  o Order-20062017.doc
- Be aware when visiting websites; some sites may be unsafe or unreliable. If unsure, do not continue.
- Be aware of fraudulent e-mail messages that use names similar to popular services (for example "Paypal" in place of PayPal) or that spell a popular service name with characters missing or added.
- Keep your files backed up regularly. Storing data centrally in a cloud service such as Office 365 reduces the risk of losing it if a device is encrypted.
- Inform your staff to alert your service desk provider of an incident.
- Ensure that all firewalls are up to date and that all patches and rules have been implemented universally.
- Ensure that secure backups, including off-site backups, of all critical systems are in place.
- Provide users with facilities to back up their data or, better still, hold critical data in centralised cloud platforms that are protected and backed up.
- Run intrusion detection reports or review logs to ascertain whether rogue traffic is being blocked and indicators of compromise (IOCs) are being detected.
- Run vulnerability scans of your environment so that you know the state of all network-connected devices, and action any that are out of date or not patched in line with your organisation's policy.
- Run checks and provide training to users on how to recognise and avoid phishing attacks.
- Ensure that Windows operating systems and Microsoft software such as Office are patched to the latest level where possible, and that processes are in place to maintain the patched status of all systems. Note that reboots are often required to complete updates; these should be part of your patching process.
- Check service releases of your software. Many patches require specific service releases to be in place in order to install correctly.
- Make sure infrastructure devices are properly patched (including firmware) and protected before they can connect to your network or systems.
- Ensure that antivirus / anti-malware solutions are in place, kept up to date, and scanning all files on the systems.
- If possible, disable Microsoft SMB 1.0 (SMBv1) support.
- If possible, remove older file server shares and move to more secure network access methods.
- Work to remove older operating systems from the environment, as these are more vulnerable and harder to maintain than newer software.
- If vulnerable devices cannot be patched, remove them from the network or isolate them.
- Implement monitoring solutions that can give early warning of any unusual or suspicious behaviour on your network.
- Contact your key suppliers to ascertain how likely they are to be impacted.
- Do not assume that because patches are installed you are protected. The MS17-010 patch closes the SMBv1 exploit that PETYA uses to reach a device, but the malware also spreads from an infected machine using administrator credentials it harvests there together with standard Windows remote-administration tools, so a fully patched device on the same network can still be infected. Up-to-date antivirus / anti-malware solutions are an additional level of protection to help prevent infection.
- Do not assume that your border protection systems alone will be able to protect your infrastructure. Often the malware responsible for these attacks works inside the firewalls, having been invited in by employees clicking links within rogue emails or web sites.
- Do not assume that because you have rolled out a patch all devices are protected. You will need to monitor and check logs to confirm successful implementation.
- Do not leave unused systems in production environments. Often these become neglected and provide routes of entry to your networks and systems.
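The following PowerShell script is an added example and is not code from the original advisory. It implements the "disable SMB 1.0" and "confirm the change from the device itself" advice above: it reports whether SMBv1 is enabled for the server and client roles, lists any live sessions still negotiating an SMBv1 dialect (clients that would break when SMBv1 is turned off), and then disables SMBv1 unless run with -AuditOnly. The Get-/Set-SmbServerConfiguration and Get-WindowsOptionalFeature cmdlets exist on Windows 8 / Server 2012 and later; the registry and sc.exe fallbacks are the Microsoft-documented method for Windows 7 / Server 2008 R2 (KB2696547). Running it from an elevated prompt is assumed.

```powershell
# Added example (not from the original advisory): audit and disable SMBv1 on one Windows host.
# Cmdlet availability is version dependent (see lead-in). Run from an elevated prompt.

[CmdletBinding()]
param(
    # -AuditOnly reports the SMBv1 state without changing anything
    [switch]$AuditOnly
)

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb1DriverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Returns an object describing SMBv1 server/client state and any live SMBv1 sessions
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: the SMB1 value is absent by default, which means SMBv1 is enabled
        $reg = Get-ItemProperty $LanmanServerKey -ErrorAction SilentlyContinue
        $server = if ($null -eq $reg.SMB1) { $true } else { [bool]$reg.SMB1 }
    }

    # Client side: mrxsmb10 is the SMBv1 redirector driver; Start=4 means disabled
    $drv = Get-ItemProperty $Smb1DriverKey -ErrorAction SilentlyContinue
    $client = ($null -ne $drv) -and ($drv.Start -ne 4)

    # Established sessions whose negotiated dialect is below 2.0 are SMBv1 clients
    $sessions = @()
    if (Get-Command Get-SmbSession -ErrorAction SilentlyContinue) {
        $sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
            Select-Object ClientComputerName, ClientUserName, Dialect)
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Server   = $server
        Smb1Client   = $client
        Smb1Sessions = $sessions
    }
}

function Disable-Smb1 {
    # Turns SMBv1 off for both the server and client roles; returns $true if a reboot is needed
    $rebootNeeded = $false

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty $LanmanServerKey -Name SMB1 -Type DWORD -Value 0 -Force
        $rebootNeeded = $true
    }

    # Remove the optional feature where it exists (Windows 8.1 / 10 client SKUs)
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $rebootNeeded = $true
        }
    }

    # Client driver: drop the workstation service's SMBv1 dependency, then disable the driver (KB2696547)
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    $rebootNeeded = $true

    return $rebootNeeded
}

$before = Get-Smb1Status
$before | Format-List
if ($before.Smb1Sessions.Count -gt 0) {
    Write-Warning 'Live SMBv1 sessions found; update or migrate these clients before SMBv1 is turned off:'
    $before.Smb1Sessions | Format-Table -AutoSize
}

if (-not $AuditOnly -and ($before.Smb1Server -or $before.Smb1Client)) {
    if (Disable-Smb1) { Write-Warning 'SMBv1 disabled; a reboot is required to complete the change.' }
    Get-Smb1Status | Format-List
}
```

Run it first with -AuditOnly across the estate (for example through your remote-management tooling) and collect the output; any host that reports live SMBv1 sessions has legacy clients, printers or NAS devices that need to be dealt with before the protocol is switched off, otherwise those devices lose access to the share.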
4 key areas to monitor
- Monitor for SMBv1 use on any devices.
- PETYA uses the 4 identified IP addresses and 2 domains listed below; block and monitor these for inbound and outbound communication:
  o 84.200.16.242
  o 185.165.29.78
  o 111.90.139.247
  o 95.141.115.108
  o French-cooking.com
  o Coffeinoffice.xyz
- Monitor for TCP port 445 traffic traversing your network perimeter.
- Search computers for any instances of the following files; if discovered, remove the device from the network straight away and investigate the machine offline:
  o myguy.xls
  o myguy.exe
  o Order-20062017.doc
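The following PowerShell script is an added example and is not code from the original advisory. It applies the four monitoring points above on a single Windows host: it adds Windows Firewall rules that block the listed IP addresses in both directions and block SMB (TCP 445) leaving the host for any non-intranet address, sinkholes the two listed domains in the local hosts file (Windows Firewall cannot filter by hostname), sweeps the given drives for the listed file names, writes what it finds to a CSV report, and optionally disables every network adapter when an indicator file is found. Blocking at the perimeter firewall, DNS and proxy remains the primary control; these host-level rules are a backstop. The rule names, report path and -Isolate switch are assumptions for this example, and an elevated prompt is assumed.

```powershell
# Added example (not from the original advisory): host-level containment for the PETYA indicators.
# Rule names, report path and the -Isolate switch are this example's own choices. Run elevated.

[CmdletBinding()]
param(
    [string[]]$SearchRoots = @('C:\'),
    # -Isolate disables every connected network adapter if an indicator file is found
    [switch]$Isolate,
    [string]$ReportPath = "$env:ProgramData\petya-ioc-sweep.csv"
)

# Indicators as listed in the advisory
$IocIps     = @('84.200.16.242', '185.165.29.78', '111.90.139.247', '95.141.115.108')
$IocDomains = @('french-cooking.com', 'coffeinoffice.xyz')
$IocFiles   = @('myguy.xls', 'myguy.exe', 'Order-20062017.doc')

function Add-IocFirewallRules {
    # Block the listed IPs in both directions and stop SMB leaving the host for the Internet.
    # Rules are matched by display name so re-running the script does not duplicate them.
    $rules = @(
        @{ DisplayName = 'PETYA IOC - inbound IPs';  Direction = 'Inbound';  RemoteAddress = $IocIps },
        @{ DisplayName = 'PETYA IOC - outbound IPs'; Direction = 'Outbound'; RemoteAddress = $IocIps },
        @{ DisplayName = 'PETYA - block SMB to Internet'; Direction = 'Outbound';
           RemoteAddress = 'Internet'; Protocol = 'TCP'; RemotePort = 445 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @r -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Add-HostsSinkhole {
    # Resolve the C2 domains to 0.0.0.0 locally; DNS or proxy blocking should be done as well
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $existing = Get-Content $hosts -ErrorAction SilentlyContinue
    foreach ($d in $IocDomains) {
        if (-not ($existing -match "\s$([regex]::Escape($d))(\s|$)")) {
            Add-Content -Path $hosts -Value "0.0.0.0 $d   # PETYA IOC sinkhole"
        }
    }
    ipconfig.exe /flushdns | Out-Null
}

function Find-IocFiles {
    # Sweep the roots for the indicator file names (NTFS matching is case-insensitive).
    # -Include only applies together with -Recurse; inaccessible paths are skipped silently.
    Get-ChildItem -Path $SearchRoots -Recurse -Force -File -Include $IocFiles -ErrorAction SilentlyContinue
}

Add-IocFirewallRules
Add-HostsSinkhole

$hits = @(Find-IocFiles)
$hits | Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv -Path $ReportPath -NoTypeInformation

if ($hits.Count -eq 0) {
    Write-Host "No indicator files found under $($SearchRoots -join ', ')"
} else {
    Write-Warning "$($hits.Count) indicator file(s) found; report written to $ReportPath"
    $hits | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
    if ($Isolate) {
        # Take the host off the network so it cannot propagate further, leaving it running
        # for offline investigation as the advisory recommends
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
        Write-Warning 'Network adapters disabled; investigate this host offline.'
    }
}
```

The firewall rules also give you a log source: with Windows Firewall logging of dropped packets enabled, any hit on the "PETYA IOC" rules from a host is an indicator that the host attempted to contact the listed infrastructure and should be investigated, which is the "confirm that rogue traffic is being blocked and IOCs are being detected" check from the advice above.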