Petya Ransomware Attack

Status
Not open for further replies.

Wahesh

The Forefather of The Kennel
Joined
Dec 6, 2007
Messages
24,848
Reaction score
12,169
Last night, the latest Cryptolocker-style ransomware attack, known more generally as ‘Petya’, infected large numbers of computers and networks across Europe. This ransomware has two major attacks: firstly it encrypts the infected computer and demands payment to release user files; and second it attempts to spread itself to other computers over networks accessible from the infected host.

What should I do?

This version of ransomware can be executed by someone either opening a file or clicking on a link. Do not open any email or attachment that you regard as suspicious. This includes attachments and hyperlinks in the message of the document.

It is suggested that you apply the latest patches from Microsoft and have virus protection on your computer.

Common sense also prevails: do not open any emails from people you are not familiar with. If they are in your junk folder, the names and subject fields are enough for you to know if the user is a trusted source.
 

Hacky McAxe

Super Moderator
Staff member
Moderator
Gilded
Joined
May 7, 2011
Messages
37,157
Reaction score
29,681
Yep. Hate ransomware. Someone at work clicked on an obviously fake Australia Post link in an email and we almost got completely screwed. Fortunately we have backups of pretty much everything but we're networked with head office in the US. We managed to shut it down before it travelled over there. If it did we'd have major issues.
 

Mr Invisible

Banned
Joined
Apr 26, 2008
Messages
0
Reaction score
47
Patch, Patch, Patch, Patch, Patch, Patch, and patch again.

In reality there is no reason for these things to do damage if people are looking after and maintaining their computers.

1. Patches dating back to March plugged this exploit.
2. Any decent virus software (I use Norton Antivirus) already has IPS signatures and Virus Defs to catch aspects of this to stop it triggering.
3. Watch what you click, and as I've told our users "If you don't know, let it go". It's better to miss an email and have someone chase it up a second time, than jump the gun, trigger a dangerous payload, and result in a disaster recovery situation.

There really is no excuse for large companies to be getting caught out by these things.

* Only exception is being hit by a 0 Day exploit, but they are incredibly rare and most AV will pick up aspects of the code and can it anyway.
 

Hacky McAxe

Super Moderator
Staff member
Moderator
Gilded
Joined
May 7, 2011
Messages
37,157
Reaction score
29,681
Patch, Patch, Patch, Patch, Patch, Patch, and patch again.

In reality there is no reason for these things to do damage if people are looking after and maintaining their computers.

1. Patches dating back to March plugged this exploit.
2. Any decent virus software (I use Norton Antivirus) already has IPS signatures and Virus Defs to catch aspects of this to stop it triggering.
3. Watch what you click, and as I've told our users "If you don't know, let it go". It's better to miss an email and have someone chase it up a second time, than jump the gun, trigger a dangerous payload, and result in a disaster recovery situation.

There really is no excuse for large companies to be getting caught out by these things.

* Only exception is being hit by a 0 Day exploit, but they are incredibly rare and most AV will pick up aspects of the code and can it anyway.
We were caught last year by it. Before everyone became fully aware of it. Had Norton anti-virus but it didn't detect it. Even after the cryptolocker started doing its thing it still didn't detect it. Only noticed it because one of the staff couldn't access their voice logs.

Patches cover it now along with definition updates but there's always another threat around the corner.
 

Nexus

Super Duper Ultimate Moderator
Staff member
Moderator
Gilded
Joined
Apr 18, 2006
Messages
10,743
Reaction score
4,516
Patch, Patch, Patch, Patch, Patch, Patch, and patch again.

In reality there is no reason for these things to do damage if people are looking after and maintaining their computers.

1. Patches dating back to March plugged this exploit.
2. Any decent virus software (I use Norton Antivirus) already has IPS signatures and Virus Defs to catch aspects of this to stop it triggering.
3. Watch what you click, and as I've told our users "If you don't know, let it go". It's better to miss an email and have someone chase it up a second time, than jump the gun, trigger a dangerous payload, and result in a disaster recovery situation.

There really is no excuse for large companies to be getting caught out by these things.

* Only exception is being hit by a 0 Day exploit, but they are incredibly rare and most AV will pick up aspects of the code and can it anyway.
Much easier said than done in some cases, especially Enterprise environments that have legacy systems and need to basically perform regression testing on their systems before approving patches. There will also be cases of remote users possibly not being up to date with their patches and VPN'ing to the corporate network etc.

SMEs are much easier to manage.

Although my company is patched up, I still decided to create a GPO to create the perfc file on our machines as a backup.
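The GPO-deployed "perfc file" mentioned above refers to the widely reported kill-switch check: a read-only %WINDIR%\perfc stops this variant from running. The following is an added example of a startup script for such a GPO; it is not the poster's own script and assumes the file meant is C:\Windows\perfc.

```powershell
# Added example (not from the thread): GPO startup script that creates the
# read-only "perfc" file the post refers to and reports its state.
# Assumption: the file meant is %WINDIR%\perfc, as widely reported at the time.
$vaccine = Join-Path $env:windir 'perfc'

function Ensure-PerfcVaccine {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # An empty file is enough; only its presence is checked by the malware
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    $item = Get-Item -LiteralPath $Path
    if (-not $item.IsReadOnly) {
        # Read-only so the malware cannot simply overwrite it
        $item.IsReadOnly = $true
    }

    # Return a status object so results can be collected centrally
    [pscustomobject]@{
        Path     = $Path
        Exists   = (Test-Path -LiteralPath $Path)
        ReadOnly = (Get-Item -LiteralPath $Path).IsReadOnly
    }
}

$result = Ensure-PerfcVaccine -Path $vaccine
if (-not ($result.Exists -and $result.ReadOnly)) {
    Write-Error "Vaccine file not in place: $($result | Out-String)"
    exit 1
}
Write-Output "perfc vaccine present and read-only at $($result.Path)"
```

As the post says, this is a backup measure for one specific variant and complements patching rather than replacing it; run it as a computer startup script so it applies before any user logs on.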
 

Mr Invisible

Banned
Joined
Apr 26, 2008
Messages
0
Reaction score
47
Much easier said than done in some cases, especially Enterprise environments that have legacy systems and need to basically perform regression testing on their systems before approving patches. There will also be cases of remote users possibly not being up to date with their patches and VPN'ing to the corporate network etc.

SMEs are much easier to manage.

Although my company is patched up, I still decided to create a GPO to create the perfc file on our machines as a backup.
But that also falls partially on a poor infrastructure. In an enterprise there should be solid Endpoint management which does not allow a remote user to connect unless they are up to date with patching and virus defs (and the program version). Cloud based AV makes that easier these days I'll admit.

Legacy systems should either be vlanned and kept away from email, or firewalled. There's no way I'd have an XP (for example) box either internet facing or in a DMZ these days.

Another one to blame though is BYOD and Internet of Things. That's going to cause some mad future headaches.
 

Nexus

Super Duper Ultimate Moderator
Staff member
Moderator
Gilded
Joined
Apr 18, 2006
Messages
10,743
Reaction score
4,516
But that also falls partially on a poor infrastructure. In an enterprise there should be solid Endpoint management which does not allow a remote user to connect unless they are up to date with patching and virus defs (and the program version). Cloud based AV makes that easier these days I'll admit.

Legacy systems should either be vlanned and kept away from email, or firewalled. There's no way I'd have an XP (for example) box either internet facing or in a DMZ these days.

Another one to blame though is BYOD and Internet of Things. That's going to cause some mad future headaches.
Yes should should should lol... How many Enterprise environments have you worked at? lol. They are usually the worst.

The machine doesn't have to be in the DMZ or internet facing to be hit. If it's on the same network segment as an infected user that could be all she wrote.

Also a lot of small companies will have a flat network and won't have implemented VLAN'ing.
 

Bad Billy

Kennel Immortal
Joined
Jan 25, 2010
Messages
16,754
Reaction score
12,877
Fucken viruses.
One day they will start the war that ends us all.
 

habs

xdf
Staff member
Administrator
Gilded
Joined
Aug 24, 2003
Messages
20,410
Reaction score
3,789

Wahesh

The Forefather of The Kennel
Joined
Dec 6, 2007
Messages
24,848
Reaction score
12,169
Evolution. This was all in the 2004 movie I, Robot.

Robots/machines will one day get so smart that they will be able to think for themselves and rule this world.
 