Petya Ransomware: The Basics
A little over two months since WannaCry set the internet on fire, a new ransomware outbreak is spreading around the world, as experts had unfortunately warned might happen.
While the speed at which WannaCry spread was alarming, it was ultimately undone by a botched sandbox-evasion check that acted as a kill switch and prevented further spread.
It spread via the EternalBlue exploit for a known vulnerability (MS17-010). A patch, however, had been available since April, and the cry went out in the wake of WannaCry for everyone to patch their systems.
Two months on, a variant of Petya has re-appeared, upgraded to exploit MS17-010 as well as other vectors, and it has spread across the globe.
Ukraine has been hit particularly hard, and it is now widely speculated that the initial attack vector was an automatic update of the MEDoc accounting software, the vendor having been compromised.
Petya uses the NSA's EternalBlue exploit but also spreads within internal networks using WMIC and PsExec. Fully patched Windows 10 systems are being hit once credentials have been harvested from infected machines, so it spreads fast through internal networks.
AppCheck's advice is to scan for unpatched vulnerabilities and then patch as a priority. As a general rule, try to avoid a homogeneous IT environment: just as in natural selection, variation is key. Ideally keep your backups on a separate family of OS so that not everything can be compromised at once, and test your backups. Also make sure you have a disaster recovery plan in place.
It is recommended to completely block external inbound connections to the SMB port (445) and to disable SMBv1, as this will help prevent this attack from spreading. However, it is important to note that it is spreading by multiple vectors; there are even reports of it using PsExec to move between machines.
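As an added example (not code from the AppCheck post), the following PowerShell audits a Windows host for the two mitigations just described, SMBv1 disabled and inbound TCP 445 blocked, and can apply them. It assumes Windows 8 / Server 2012 or later with the SmbShare, Dism and NetSecurity modules and an elevated session; the function name, the -Remediate switch and the KB placeholder are this example's own.

```powershell
# Added example, not from the AppCheck post. Audits SMBv1 state, an inbound
# TCP 445 block rule and the MS17-010 hotfix, and optionally remediates.
# Assumes Windows 8/Server 2012+, SmbShare/Dism/NetSecurity modules, admin rights.
function Invoke-SmbHardeningCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,   # hypothetical switch name chosen for this example
        # Constructed placeholder: replace with the MS17-010 KB id for this OS build.
        [string[]]$Ms17010KBs = @('KB_PLACEHOLDER_FOR_THIS_OS')
    )
    $ruleName = 'Block inbound SMB (TCP 445) - Public profile'

    # 1. SMBv1: both the server setting and the optional feature matter.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    # 2. Host firewall: block rule for inbound 445, scoped to the Public profile.
    #    The post's advice targets external inbound 445 at the perimeter; a host
    #    rule on the Public profile complements that without breaking domain
    #    file sharing, which lives on the Domain profile.
    $blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    # 3. MS17-010: is the relevant hotfix installed?
    $patched = [bool](Get-HotFix -Id $Ms17010KBs -ErrorAction SilentlyContinue)

    if ($Remediate) {
        if ($smb1Server -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $smb1Server = $false
        }
        if ($smb1Feature -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $smb1Feature = 'Disabled (restart pending)'
        }
        if (-not $blockRule -and $PSCmdlet.ShouldProcess($ruleName, 'Create firewall rule')) {
            $blockRule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol TCP -LocalPort 445 -Action Block -Profile Public
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $smb1Server
        Smb1FeatureState   = $smb1Feature
        Inbound445Blocked  = [bool]$blockRule
        Ms17010HotfixFound = $patched
    }
}

# Audit only; add -Remediate (and -WhatIf to preview) to apply the fixes.
Invoke-SmbHardeningCheck | Format-List
```

On Windows Server the SMB1 feature is removed with Remove-WindowsFeature FS-SMB1 instead of Disable-WindowsOptionalFeature, and a restart is needed before the feature change takes effect.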
AppCheck can detect the presence of MS17-010 from both external and internal scans; if you haven't checked yet, do so today.