Homeland Security has issued a Cyber Emergency Response Team alert with an update on the Petya malware variant. We are passing along their recommendations, together with some specific commentary relevant to your existing or potential Paladin installation, because you have shown interest in our products, services, or webinars:
Cybersecurity researchers have been aware of the Petya malware since 2016 and have recently identified a new, enhanced variant with several different names, including “NotPetya,” “Petrwrap,” “GoldenEye,” and “Nyetya.” Current reporting suggests that the initial infection vector for the Petya variant may be the result of a supply chain attack against the accounting software MEDoc.
The Petya variant is a self-propagating worm that can move laterally through an infected network by harvesting credentials and active sessions on the network, exploiting previously identified SMB vulnerabilities, and using legitimate tools such as the Windows Management Instrumentation Command-line (WMIC) tool and the PsExec network management tool. After initial infection, the affected system scans the local network for additional systems to infect via Port 139/TCP and 445/TCP, prior to encrypting files and overwriting the Master Boot Record (MBR) or wiping sectors of the disk drive. There are several reports here that suggest the Petya variant’s creators intend it to be destructive in nature rather than traditional, economically motivated ransomware. Regardless, the U.S. Government does not encourage paying a ransom to criminal actors, and SecuLore supports this position. Should you find yourself affected by this ransomware (or others) and you are considering making the ransom payment, please discuss this decision with us so that you can make the most informed choice and follow a best-practices approach to file recovery.
Users should consider taking the following actions, following locally-approved processes and defense response measures:
- Apply the Microsoft patch, MS17-010 (found here) to all appropriate and supported Microsoft systems.
- Disable SMBv1 on every system connected to the network. Information on how to disable SMBv1 is available from Microsoft here. While many modern devices will operate correctly without SMBv1, some older devices may experience communication or file/device access disruptions.
- Microsoft recommends blocking all traffic on Port 139/TCP and 445/TCP to prevent propagation. Microsoft also recommends that users disable remote WMI and file sharing where possible.
- Review network traffic to confirm that there is no unexpected SMBv1 network traffic. SecuLore’s™ Paladin can be used to identify this traffic: in the “Protocols” part of the interface, look for the “nbss” protocol (NetBIOS Session Service). An example screen shot from Paladin v3b.6.2.0 is shown below.
- Isolate or protect vulnerable embedded systems that cannot be patched from potential network exploitation.
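The following PowerShell script is an added example, not SecuLore or Paladin code, showing how the SMBv1 and port 139/445 items above can be audited (and, with the -Remediate switch, applied) on a single Windows host. It assumes an elevated Windows PowerShell 5.1 session on Windows 8.1/10 or Server 2012 R2 and later, where the SMB1Protocol optional feature and the Smb* cmdlets exist; the KB number for the MS17-010 check is a placeholder you must fill in for your OS build.

```powershell
# Added example (not SecuLore/Paladin code): audit, and optionally remediate,
# the SMBv1 / port 139/445 exposure described in the alert on one Windows host.
# Default is audit-only; pass -Remediate to apply the changes.
param(
    [switch]$Remediate
)

# 1. Is the MS17-010 update present? Replace the placeholder with the KB
#    number that MS17-010 maps to for this OS build (assumption: you look it up).
$ms17010Kb = 'KB<PLACEHOLDER>'
$hotfix = Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue
"MS17-010 ($ms17010Kb) installed: $([bool]$hotfix)"

# 2. Is the SMB1 optional feature still installed? (null on older OS versions)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state: $($feature.State)" }

# 3. Is the SMB server still willing to negotiate SMBv1 with clients?
$server = Get-SmbServerConfiguration
"SMB server EnableSMB1Protocol: $($server.EnableSMB1Protocol)"

# 4. Are there SMBv1 sessions open right now? A 1.x dialect means SMBv1, which
#    is the same traffic Paladin shows as "nbss" on the wire.
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

if ($Remediate) {
    # Stop the server side from speaking SMBv1; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the feature entirely where it exists (a reboot may be required).
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }

    # Block inbound NetBIOS session service and SMB, as the alert recommends.
    # Caveat: this also breaks legitimate file/print sharing to this host, so
    # add -RemoteAddress with the untrusted ranges if the host must still serve
    # internal clients, and test older devices (see the SMBv1 note above).
    New-NetFirewallRule -DisplayName 'Block inbound TCP 139/445 (Petya mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any
}
```

Run it first without -Remediate on a representative host and keep the output; re-running it after the change gives you a before/after record for the checks Paladin performs at the network level.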
Our SecuLore team would be happy to assist. Should you need assistance with applying these changes, or wish to discuss how to evaluate your options for systems that cannot be patched, please feel free to contact us.
SecuLore Support Team