Petya Ransomware & Mitigation Steps

The Petya ransomware outbreak is the second such global attack in the last couple of months. The malware is spreading using the same Microsoft Windows vulnerability that was exploited by the recent WannaCry ransomware event.

Symantec confirmed that Petya uses the “EternalBlue” exploit. Microsoft released a patch for the EternalBlue vulnerability in March (MS17-010), but if you have put off installing the patch your business could still be vulnerable.

Potential Mitigation Steps:

  • Patch Management: Implement an emergency patch program and ensure that all Windows systems are receiving security patches from Microsoft and other vendors on a frequent basis. The patch relevant to fixing the EternalBlue vulnerability is MS17-010.
  • Host-Based Firewalls: Consider applying firewall rules at the host level (e.g. Windows Firewall) which prevent unnecessary system-to-system communication (making it more difficult for worms to propagate).
  • Network Segmentation: Properly segment networks and apply routing and firewall rules which create security zones within your network, limiting the attack surface of malware to only the network segment in which the malware was introduced.
  • Use Supported Operating Systems: Ensure all operating systems currently being run by the organization are receiving ongoing security patches from the vendor (e.g. Windows XP and Server 2003 are no longer supported or receiving security updates).
  • Properly Manage Backups: Verify that backups are not stored within network-attached directories that might be susceptible to being infected by a worm (and end up being encrypted as part of the ransomware attack).
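The patch-management and host-firewall items above, as an added PowerShell example that is not part of the original post: it checks for an MS17-010 hotfix, reports whether SMBv1 (the protocol EternalBlue abuses) is still enabled, and restricts inbound TCP 445 to a management subnet. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the function names and the 10.0.0.0/24 subnet are my own placeholders.

```powershell
# Added example, not from the original post: audit and apply the host-level
# mitigations listed above. Assumes an elevated session on Windows 8.1 /
# Server 2012 R2 or newer (Get-SmbServerConfiguration and the NetSecurity
# cmdlets used below are not available on Windows 7).

function Test-Ms17010 {
    # March 2017 MS17-010 updates for Windows 7/2008 R2, 8.1/2012 R2, 2012 and
    # Windows 10 1507/1511/1607. Later cumulative updates supersede these, so a
    # miss on a current Windows 10 build means "check update history", not "unpatched".
    $kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
           'KB4012606','KB4013198','KB4013429'
    $hit = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    if ($hit) { "MS17-010: present ($($hit.HotFixID -join ', '))" }
    else      { "MS17-010: not found in installed hotfixes - verify before anything else" }
}

function Test-Smb1 {
    # SMBv1 is what EternalBlue targets; disable it wherever no legacy device needs it.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        "SMBv1: ENABLED - run: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    } else { "SMBv1: disabled" }
}

function Set-SmbHostFirewall {
    param([string]$TrustedSubnet = '10.0.0.0/24')   # placeholder: your file-server/admin subnet
    # With the default inbound action set to Block, the broad built-in SMB allow
    # rules are what let a worm reach TCP 445 from any peer. Disable them and
    # allow SMB inbound only from the trusted subnet.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Direction -eq 'Inbound' } | Disable-NetFirewallRule
    $name = 'SMB-In from trusted subnet only'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $TrustedSubnet -Action Allow | Out-Null
    }
    "Firewall: inbound TCP 445 limited to $TrustedSubnet"
}

Test-Ms17010
Test-Smb1
Set-SmbHostFirewall -TrustedSubnet '10.0.0.0/24'
```

On a file server the firewall step cuts off share access for every client outside the trusted subnet, so run it on workstations first or widen `-RemoteAddress` to the client ranges that legitimately need SMB.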

Further Reading: Krebs on Security, NCC Live Blog
