A new strain of ransomware called “Petya” is sweeping across the globe as of Tuesday, June 27th, 2017. It is very similar to the WannaCry ransomware, in that it exploits the same Windows vulnerability that Microsoft patched in March 2017. However, you could have many unpatched legacy Windows systems running in your IT infrastructure, which are still susceptible to both Petya and WannaCry.
Petya has spread rapidly within a day, impacting over 2000 targets including several high-profile victims such as the Danish shipping giant Maersk, Russian oil and gas giant Rosneft, US pharmaceutical company Merck, and multiple institutions in Ukraine.
A new and improved iteration of WannaCry
Both Petya and WannaCry spread rapidly, hitting many high-profile targets. The hackers bring businesses to a grinding halt by encrypting business critical data and then demanding a ransom in Bitcoins to unlock that data. However, there are some glaring differences between the two types of ransomware.
- Petya, and newer iterations called “NotPetya” or “GoldenEye”, use stronger encryption keys than WannaCry, making them more difficult to reverse-engineer and decrypt.
- Petya avoids the design flaws of WannaCry by not including a “kill switch” of the kind that allowed security analysts to stop the spread of WannaCry around the world. Petya shows no signs of being contained.
Once inside the network, Petya steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation (WMI) to instruct all PCs to run the malware.
Protect your IT infrastructure against Petya
Here are concrete steps that you can take to minimize the risks posed by any ransomware, including the latest strain, Petya. These best practices are similar to the ones mentioned in the blog post on WannaCry last month.
- Ensure that Microsoft patch MS17-010 has been applied to all systems. This is the patch that mitigates the EternalBlue exploit, which was believed to have been developed by the US National Security Agency and was released by the hacker group called Shadow Brokers.
- Run the Microsoft Security Analyzer to identify systems running older versions of Windows OS that are susceptible to Petya and WannaCry.
- Install the emergency patch issued by Microsoft for unsupported versions of Windows 8, XP, Vista, and older versions of Windows Server.
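The patch audit in the steps above can be scripted. The following PowerShell is an added example, not code from the Arctic Wolf post: it queries each host for the installed hotfixes and flags any host that reports none of the MS17-010 update IDs. It assumes remote CIM/WMI access to the targets with an account allowed to read installed updates; the hostnames are constructed samples, and the KB IDs listed are the MS17-010 updates for a few common builds, which you should confirm against the Microsoft bulletin for your environment.

```powershell
# Added example (not from the original post): audit Windows hosts for the MS17-010 update.
# The KB IDs below are the MS17-010 security updates for several builds; verify the full
# per-OS list against the Microsoft bulletin before relying on this in your environment.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012598'                # Out-of-band update for XP, Vista, Server 2003 and Windows 8
)

# Constructed sample inventory; replace with hosts from your asset list or AD.
$Targets = @('legacy-fs01', 'legacy-app02')

function Test-Ms17010 {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        # Windows 10 / Server 2016 ship the fix inside cumulative updates that supersede each
        # other, so a per-KB lookup is unreliable there; report it for a build-level check.
        if ([version]$os.Version -ge [version]'10.0') {
            return [pscustomobject]@{ Host = $ComputerName; OS = $os.Caption
                                      Status = 'Windows 10/2016: confirm build includes the March 2017 cumulative update' }
        }
        $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $found = $installed | Where-Object { $Ms17010Kbs -contains $_ }
        $status = if ($found) { "Patched ($($found -join ', '))" } else { 'MISSING MS17-010' }
        [pscustomobject]@{ Host = $ComputerName; OS = $os.Caption; Status = $status }
    } catch {
        # A host that cannot be queried is still a finding: it may be offline or unmanaged.
        [pscustomobject]@{ Host = $ComputerName; OS = 'unknown'; Status = "Query failed: $($_.Exception.Message)" }
    }
}

$Targets | ForEach-Object { Test-Ms17010 -ComputerName $_ } | Format-Table -AutoSize
```

A "MISSING MS17-010" result means none of the listed KB IDs appears in the host's hotfix list; on Windows 7 and 8.1 a later monthly rollup also carries the fix, so confirm the host's most recent rollup before treating it as unpatched.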
Arctic Wolf to the rescue
Our Security Engineers at Arctic Wolf Networks have seen several instances of Petya targeting our customers, and each time we have been able to notify the users within 5 minutes and help them take appropriate action. We will continue to monitor the situation and notify you about any related abnormal activity.
Arctic Wolf Networks delivers a SOC-as-a-service with Managed Detection and Response, which protects small and medium-sized businesses against any form of advanced threats, including the latest strains of ransomware like Petya.