Over the past 24 hours, a new ransomware campaign has been launched against organizations around the globe, mostly in Europe and in Ukraine in particular. The campaign appears to use a new variant of the Petya (also known as Petrwrap) ransomware.
Like the recent WannaCry outbreak, this attack spreads across a network by exploiting vulnerable versions of Windows Server Message Block (SMB). Microsoft released patches for the six SMB vulnerabilities involved in March 2017 (MS17-010), but many organizations have yet to deploy them.
Once a system has been exploited, the ransomware encrypts files on it and displays a ransom note demanding $300 worth of bitcoin to recover them.
For more information on the Windows SMB vulnerability, as well as the SMB exploit, please see the following articles:
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- https://en.wikipedia.org/wiki/EternalBlue
Recommended Courses of Action:
1. Review all Windows systems to ensure they have received the "Security Update for Microsoft Windows SMB Server (4013389)", described in Critical Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), published March 14th, 2017. Note that the installed package KB number differs by Windows version and that later cumulative updates supersede the March packages, so check the bulletin's per-OS table rather than searching for 4013389 alone.
2. Any public-facing Windows system with Server Message Block exposed to the internet should be immediately patched, or taken offline from public access.
3. As a best practice, SMB (TCP ports 139 and 445) should not be exposed publicly and should be blocked from all externally accessible hosts. Disabling SMBv1 where it is not required also removes the protocol version these exploits target.
4. All internal Windows systems should be patched immediately to limit internal lateral spread of the Petya ransomware. Patching alone is not sufficient: this variant has also been reported to spread using harvested credentials over legitimate administrative tooling (PsExec and WMI), so restrict where privileged accounts log on and avoid reusing local administrator passwords across hosts.
5. Perform an update to your endpoint protection / antivirus software definitions immediately.
6. Ensure users are instructed to leave systems powered on so they can receive patches and definition updates.
7. Ensure critical user files and data are backed up appropriately, and that your organization's restore procedures are tested and communicated.
8. Brief your Help Desk personnel to be on heightened alert for any inbound calls regarding Ransomware pop-ups, and to review their response plans accordingly.
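The following script is an added example, not part of the original advisory, showing how an administrator might triage a single Windows host against items 1 through 4 above from an elevated PowerShell prompt. It uses only built-in cmdlets (SmbShare, NetSecurity and NetTCPIP modules, Windows 8 / Server 2012 or later). The firewall rule name is an assumed placeholder, and the hotfix check is a coarse first pass because MS17-010 package numbers vary by OS build and are superseded by later rollups.

```powershell
# Added example (not from the original advisory): SMB posture triage for one host.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.

# 1. Is the SMBv1 server still enabled? EternalBlue-style exploits target SMBv1,
#    so turning it off removes that attack surface even on an unpatched host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 server already disabled.'
}

# 2. Security updates installed since MS17-010 was published (2017-03-14).
#    An empty list means the host has almost certainly not received the fix.
#    A non-empty list is NOT proof of MS17-010: confirm against the bulletin's
#    per-OS KB table. InstalledOn can be empty for some packages, hence the null check.
$since  = Get-Date '2017-03-14'
$recent = Get-HotFix | Where-Object {
    $_.InstalledOn -and $_.InstalledOn -ge $since -and $_.Description -match 'Security'
}
if (-not $recent) {
    Write-Warning "No security updates installed since $($since.ToShortDateString()); verify MS17-010 for this OS build."
} else {
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
}

# 3. Block inbound SMB (TCP 139/445) on the Public firewall profile.
#    Scoped to Public so domain file sharing on Domain/Private profiles is unaffected;
#    widen the -Profile list if this host must not serve SMB to anyone.
$ruleName = 'Block inbound SMB (Public profile)'   # assumed placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Profile Public -Action Block | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
}

# 4. Show what is currently listening on the SMB ports, so an exposed
#    service on a public-facing host is visible at a glance.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139,445 } |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
```

Run it per host or wrap it in `Invoke-Command -ComputerName ...` for a fleet. The SMBv1 change takes effect without a reboot for new sessions; the firewall rule is the host-level backstop for item 3, and the perimeter block the advisory calls for still belongs on the network edge.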