On the afternoon of June 27th, a new version of the Petya virus was discovered which spreads by means yet unknown. A large number of companies worldwide has been affected by this ransomware. As part of our job as security specialists, we would like to inform you of the steps necessary to prevent your organisation from also becoming a victim of this virus.
What measures should you take to prevent your organization from becoming a victim of Petya? Our security specialists have listed the most important advice:
As soon as a computer is infected with the virus, an amount of 300 dollars in bitcoin value is demanded. We advise you NOT to transfer or pay anything. The e-mail provider, Posteo, has already taken the e-mail address of the ransomware developer offline. So even if you decide to transfer the 300 dollars in bitcoins.
For all Windows hosts, the same advice applies as for the WannaCry virus:
– Disable the SMBv1 service
– Make sure that all servers and clients are up to date. This mainly applies to the MS17-010 update, which Microsoft made available in March 2017.
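The two hardening steps above, as an added PowerShell example (not from the advisory): it turns SMBv1 off on the server side and checks the installed hotfix list for MS17-010. The KB id is a placeholder, because MS17-010 ships under a different KB number per Windows version; the helper names are mine.

```powershell
# Added example, not from the advisory: disable SMBv1 and check whether MS17-010 is present.
# Run in an elevated PowerShell session on the host you are hardening.

# ASSUMPTION: MS17-010 is a different KB per Windows version. Replace the placeholder with
# the KB id(s) for your OS as listed in Microsoft's MS17-010 bulletin.
$Ms17010Kbs = @('KB<id-from-MS17-010-bulletin>')

function Disable-Smb1Server {
    # Windows 8 / Server 2012 and later: SMBv1 is a server configuration setting.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        # Windows 7 / Server 2008 R2: the LanmanServer registry switch documented by
        # Microsoft in KB2696547 (takes effect after a restart).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1 / 10: the SMB1 feature can additionally be removed entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Test-Smb1Disabled {
    # $true when the server side of SMBv1 is off on this host.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($value -eq 0)
}

function Test-Ms17010Installed {
    # $true if any of the configured KB ids appears in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

Disable-Smb1Server
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Smb1Disabled     = Test-Smb1Disabled
    Ms17010Installed = Test-Ms17010Installed
}
```

Get-HotFix only lists updates that were installed under their own KB id; on systems that receive cumulative updates, a later rollup that supersedes MS17-010 will not show up under the original number, so read a `$false` as "verify against Windows Update history", not as "missing".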
The malware spreads itself through the network by means of PsExec / WMIC, using the credentials obtained from the infected hosts. You can configure your SIEM/IDS to detect this kind of network traffic and, if necessary, block it.
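A small detection rule of the kind the paragraph above asks for, as an added example that is not part of the advisory. It runs offline over constructed sample records shaped like Windows System event 7045 (a service was installed) and Sysmon event 1 (process creation); the hostnames, accounts, timestamps and paths are all made up, and the function name is mine.

```powershell
# Added example, not from the advisory: flag PsExec and WMIC remote execution in event data
# and correlate the account used across hosts. All sample records below are constructed.

$SampleEvents = @(
    [pscustomobject]@{ Time = '2017-06-27T14:02:11'; Host = 'FS01'; Id = 7045; User = 'CORP\svc-backup'
                       ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe'
                       Image = $null; CommandLine = $null }
    [pscustomobject]@{ Time = '2017-06-27T14:02:40'; Host = 'WS-17'; Id = 1; User = 'CORP\svc-backup'
                       ServiceName = $null; ImagePath = $null
                       Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic /node:"FS02" /user:"CORP\svc-backup" process call create "C:\Temp\sample-payload.exe"' }
    [pscustomobject]@{ Time = '2017-06-27T14:03:05'; Host = 'WS-22'; Id = 1; User = 'CORP\alice'
                       ServiceName = $null; ImagePath = $null
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe report.txt' }
    [pscustomobject]@{ Time = '2017-06-27T14:03:30'; Host = 'DC01'; Id = 7045; User = 'SYSTEM'
                       ServiceName = 'Spooler'; ImagePath = '%SystemRoot%\System32\spoolsv.exe'
                       Image = $null; CommandLine = $null }
)

function Find-RemoteExecution {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reason = $null
        $detail = $null
        # Rule 1: PsExec installs a service on the target; its default name is PSEXESVC.
        if ($e.Id -eq 7045 -and $e.ServiceName -eq 'PSEXESVC') {
            $reason = 'PsExec service installed'
            $detail = $e.ImagePath
        }
        # Rule 2: WMIC started with /node: is executing against another machine.
        elseif ($e.Id -eq 1 -and $e.Image -and $e.Image -match '\\wmic\.exe$' -and
                $e.CommandLine -match '/node:') {
            $reason = 'WMIC remote process creation'
            $detail = $e.CommandLine
        }
        if ($reason) {
            [pscustomobject]@{ Time = $e.Time; Host = $e.Host; User = $e.User
                               Reason = $reason; Detail = $detail }
        }
    }
}

$alerts = Find-RemoteExecution -Events $SampleEvents
$alerts | Format-Table -AutoSize

# Correlation: the advisory says the malware reuses credentials taken from infected hosts,
# so one account driving remote execution on several hosts is the signal to page on.
$alerts | Group-Object User |
    Where-Object { ($_.Group.Host | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { "Account $($_.Name) used for remote execution on $($_.Count) hosts" }
```

On the sample data both svc-backup records are flagged and the correlation line reports that account on two hosts, while the notepad and Spooler records pass. PsExec can be started with a service name other than PSEXESVC, so treat rule 1 as a strong but not exhaustive signal and pair it with network logon (4624 type 3) and admin-share access events in the same SIEM rule.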
If one of the systems displays a (fake) CHKDSK window, it is already too late to prevent the infection of that system, but you can still secure the rest of your systems.
When infected, the ransomware creates a <i>reboot task</i> through <i>schtasks</i>. It is only after the reboot that the MBR and files on the disk are actually overwritten. The system will restart after approximately two hours. When infected, turn off all systems and use a LiveCD, or mount the disk from another system, to delete the ransomware.
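A triage check for the reboot task described above, as an added example that is not part of the advisory. It lists scheduled tasks whose action runs shutdown.exe with a restart switch and can disable them; the matching is a heuristic of mine, since the advisory gives neither the task name nor the exact command line, and the function name and sample tasks are constructed.

```powershell
# Added example, not from the advisory: find (and optionally disable) scheduled tasks that
# restart the machine. Get-ScheduledTask needs Windows 8 / Server 2012 or later.

function Find-RebootTask {
    param(
        # Pass task objects to test offline; defaults to the live task list of this host.
        [object[]]$Tasks = (Get-ScheduledTask),
        [switch]$Disable
    )
    foreach ($task in $Tasks) {
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            # shutdown.exe invoked with /r or -r (restart) anywhere in its arguments
            if ($cmd -match 'shutdown(\.exe)?\s(.*\s)?[/-]r(\s|$)') {
                if ($Disable) {
                    Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath | Out-Null
                }
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                    Disabled = [bool]$Disable
                }
            }
        }
    }
}

# Constructed sample tasks (not from a real system) to show the matching offline:
# only the second one is reported.
$SampleTasks = @(
    [pscustomobject]@{ TaskName = 'Maintenance'; TaskPath = '\'
                       Actions = @([pscustomobject]@{ Execute = 'C:\Tools\cleanup.exe'; Arguments = '/quiet' }) }
    [pscustomobject]@{ TaskName = 'Restart'; TaskPath = '\'
                       Actions = @([pscustomobject]@{ Execute = 'C:\Windows\system32\shutdown.exe'; Arguments = '/r /f' }) }
)
Find-RebootTask -Tasks $SampleTasks | Format-Table -AutoSize

# Live triage on a suspect host; add -Disable to neutralise the task before the restart fires:
# Find-RebootTask
```

Because the restart fires roughly two hours after infection, run this as soon as the CHKDSK screen is reported. On Windows 7 / Server 2008 R2, where Get-ScheduledTask is not available, `schtasks /query /fo CSV /v | ConvertFrom-Csv` yields a "Task To Run" column that the same regular expression can be applied to.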
Finally: update, and always create BACKUPS of critical data.
We advise sharing this information with everybody in your organisation who is responsible for information security. If you have any questions regarding this subject, please don’t hesitate to contact us through firstname.lastname@example.org.