Six weeks after the WannaCry ransomware outbreak, a Petya variant hit parts of the USA and Europe. Although Petya itself is well known, this new variant is now out in the wild.
How this ransomware works:
- Abuses the Microsoft Windows SMB service by means of the ETERNALBLUE exploit tool.
- This is the same exploit tool that was used by the WannaCry ransomware.
- Once a system is infected, the modified MBR prevents Windows from loading the O/S and a ransom note is presented to the end user.
How to protect your systems:
- Windows systems should be patched with the March 2017 and April 2017 bulletins – specifically Microsoft Security Bulletin MS17-010.
- Ensure all Anti-Virus signatures are up-to-date.
- If you have Advanced Malware Protection, you may already be covered.
- Some AV vendors may have released a specific zero-day Petya update; if so, it should be distributed to all systems.
- If possible, block TCP 445 inbound.
- Create backups – in case of infection you can quickly restore data.
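As an added illustration (not part of ISA's bulletin), the following PowerShell script audits a Windows host for the first three protections above: it reports whether an MS17-010 hotfix is installed, whether the SMBv1 server protocol that ETERNALBLUE targets is enabled, and, with a switch, adds the inbound TCP 445 block rule. The KB list and the firewall rule name are assumptions taken from the MS17-010 bulletin and chosen here, not values from this page.

```powershell
# Added example (not from the ISA bulletin): audit a Windows host for the
# MS17-010 mitigations listed above and optionally block inbound TCP 445.
# Run in an elevated PowerShell session. Assumption: the KB IDs below are the
# MS17-010 hotfix numbers from the March 2017 bulletin; later cumulative
# updates supersede them, so a host can be patched without any of them listed.
param(
    [switch]$BlockSmbInbound   # add the firewall rule instead of only reporting
)

# Hotfix IDs published under MS17-010 (verify against the bulletin for your OS).
$Ms17010Kbs = @(
    'KB4012598',                            # XP / 2003 / Vista / 2008 / Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if ($found) {
    Write-Output "MS17-010 hotfix present: $($found -join ', ')"
} else {
    Write-Warning "No MS17-010 hotfix ID found. Confirm a cumulative update from March 2017 or later is installed."
}

# ETERNALBLUE targets SMBv1; report whether the server side still has it enabled.
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 server protocol enabled: $smb1"
}

# Inbound TCP 445 block, as recommended above. Applied only with -BlockSmbInbound;
# note that it also blocks legitimate file sharing to this host.
$ruleName = 'Block inbound SMB (TCP 445) - Petya mitigation'   # hypothetical rule name
if ($BlockSmbInbound) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Output "Added firewall rule '$ruleName'."
    } else {
        Write-Output "Firewall rule '$ruleName' already present."
    }
}
```

Run it without the switch first to see the report; a warning about the hotfix list is not proof the host is unpatched, since later cumulative updates replace the March 2017 KBs.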
ISA’s MSP Services:
- Notified all customers at 12:30 PM EST on June 27, 2017.
- Assisting customers with zero-day protection.
- Continuing to monitor customer environments.
For McAfee customers, please follow these links:
For Fortinet customers, please follow this link:
For Cisco customers, please follow these links:
For Palo Alto customers, please follow this link:
For additional information regarding this issue, follow this Virus Total link: