Informational Alert – Petya Ransomware Attacks

risual | 28th June 2017 | Azure

Summary

This alert is to provide you with guidance concerning the ransomware issue being discussed broadly in the press starting on Tuesday, June 27, 2017, and causing a large volume of customer inquiries. This ransomware is being described by the press and security researchers as “Petya Ransomware”. For customers using Microsoft’s antivirus software this detects and protects against this ransomware. Microsoft’s initial analysis found that the ransomware uses multiple techniques to spread, including two which were addressed by a security update (MS17-010) previously provided for all platforms from Windows XP to Windows 10. As a general precaution, rMS advice customers should exercise caution when opening unknown files.

Malware Detection

Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/Petya. Ensure you have a definition version equal to or later than:

  • Threat definition version: 1.247.197.0
  • Version created on: 12:04:25 PM : Tuesday, June 27 2017
  • Last Update: 12:04:25 PM : Tuesday, June 27 2017

In addition, the free Microsoft Safety Scanner http://www.microsoft.com/security/scanner is designed to detect this threat as well as many others. Those with a solution from an antivirus provider other than Microsoft should check with that company.

Recommendations

Three specific steps customers can take to mitigate against new ransomware:

  1. Ensure you have the latest security updates installed
  2. Ensure you have the latest AV Signatures from your preferred AV vendor
  3. Do not open email/attachments from unknown/untrusted sources

Note: these are good security defense-in-depth recommendations that may prevent being infected by this ransomware, but these steps alone do not guarantee against infection. Customers who believe they are affected can contact rMS on or email to rMS Support.

rMS can advise on a number of Microsoft features that can aid in the prevention of the spread of this exploit, such as:

Office 365 Safe Links https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx

Office 365 Safe Attachments – https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx

Windows File Server Resource Manager – https://technet.microsoft.com/en-us/library/cc754810(v=ws.10).aspx – this can help protect file servers from particular extensions. SCCM Software Inventory Feature / File reporting feature can help identify if file extensions are present – rMS are in the process of testing this and can advise further if required. If you have any questions regarding this alert, please contact rMS Support or your Service Delivery Manager (SDM).

About the author

risual