The Petya (a.k.a. NotPetya/ExPetr) ransomware campaign is causing disruption to organizations and critical infrastructure around the globe. Similar to the May WannaCry outbreak, it impacts Windows systems and a successful infection results in encrypting the contents of the hard disk. However, unlike “traditional” ransomware attacks, this attack appears to encrypt files without the ability to decrypt them later. Therefore, successful attacks may result in effectively wiping the encrypted files, with backups being the only definitive data recovery method.
Threat research organizations have confirmed that the initial infection vector for the ransomware was via a compromised software update of the MeDoc financial package, which is popular in certain geographies and sectors. Once the initial system is infected, propagation methods include the ETERNALBLUE exploit that targets a vulnerability in the SMBv1 protocol (Microsoft Security Bulletin MS17-010) and was also used in the WannaCry ransomware.
Guidance for Forescout customers
Patches for the SMBv1 vulnerability used by both WannaCry and Petya were issued for Windows versions in March and May 2017.
Forescout recommends the following best practices for Forescout CounterACT customers:
- Customers should ensure that they have updated their CounterACT deployments to the latest HPS Vulnerability Database (version 17.0.5) that was released on June 22, 2017. Customers that use the best practice “Windows update compliance” or equivalent policy to detect and patch non-compliant endpoints are protecting their Windows endpoints from vulnerabilities exploited by the Petya ransomware.
- Forescout customers can also use the ETERNALBLUE breakdown policy (Security Policy Templates 17.0.6) to detect Windows systems on their network that are still exposed to the SMBv1 vulnerability addressed by MS17-010.
- Customers can protect vulnerable systems by applying the Microsoft patch that corresponds to each system's Windows version. CounterACT can help automate the process: isolate vulnerable systems on the network, place them in a remediation zone and initiate the remediation/patching process.
- Forescout customers should ensure that their Windows endpoints have updated anti-virus signature databases to protect them from any malware variants. CounterACT policies can automate the process to help ensure that anti-virus engines are installed, running and up-to-date on your Windows endpoints.
- Finally, customers can “vaccinate” Windows endpoints by making them pose as systems already infected by Petya. The “antidote” in this case is to create a read-only file named C:\Windows\perfc. A policy template that helps customers apply the vaccination systematically to all corporate Windows endpoints is included in “Security Policy Templates 17.0.6”.
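As an added example (not Forescout's policy template and not code from the original advisory), the following PowerShell script performs on a single endpoint the checks the list above describes: it reports whether SMBv1 is enabled, whether one of a set of known MS17-010 hotfix IDs is installed, and creates the read-only C:\Windows\perfc vaccine file if it is not already present. The function names and the $Ms17010KnownKBs variable are this example's own, and the KB list is a partial, illustrative set that must be completed from the MS17-010 bulletin for the Windows versions in your estate.

```powershell
# Added example: per-endpoint MS17-010 / SMBv1 audit plus the "perfc" vaccine.
# Run from an elevated PowerShell session; writing under %SystemRoot% needs admin rights.
# The KB list is illustrative only: MS17-010 shipped under a different KB per
# Windows version, so extend it from the bulletin for your own OS mix.
$Ms17010KnownKBs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Smb1Enabled {
    # Server-side SMBv1 switch; the cmdlet exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return 'Unknown (Get-SmbServerConfiguration unavailable on this OS)' }
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Ms17010Installed {
    param([string[]]$KnownKBs = $Ms17010KnownKBs)
    # Get-HotFix reads Win32_QuickFixEngineering, which does not enumerate every
    # update type, so treat "no match" as "verify manually", not as "unpatched".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $matched = @($installed | Where-Object { $KnownKBs -contains $_ })
    return [pscustomobject]@{
        Patched   = ($matched.Count -gt 0)
        MatchedKB = $matched
    }
}

function Set-PetyaVaccine {
    # Creates the read-only file the advisory describes. Idempotent: an existing
    # file is left in place and only its read-only attribute is enforced.
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File | Out-Null
    }
    $item = Get-Item -LiteralPath $Path
    if (-not $item.IsReadOnly) { $item.IsReadOnly = $true }
    # Re-read from disk so the return value reflects the actual file state.
    return (Get-Item -LiteralPath $Path).IsReadOnly
}

# Assemble a small report that can be logged or fed to an inventory/compliance tool.
$report = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Smb1Enabled     = Test-Smb1Enabled
    Ms17010         = Test-Ms17010Installed
    VaccineReadOnly = Set-PetyaVaccine
}
$report | Format-List
```

The vaccine file is a stopgap that only affects the specific behaviour described above; it does not replace patching MS17-010 or disabling SMBv1 where it is not needed, which is why the script reports those two conditions alongside the vaccine state.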
Forescout will continue monitoring the threat landscape and provide further updates as needed.