Petya, NotPetya Security Recommendations


Prevention

To proactively prevent an attack by this Petya family of malware, or to limit the damage if one occurs:

  1. Keep your computer fully patched; in particular, apply the Microsoft Windows security update MS17-010, which closes the SMBv1 flaw that the EternalBlue exploit uses to spread this malware.
  2. Enable the Windows Firewall and block inbound connections to TCP ports 135, 139 and 445.
  3. Disable SMBv1 in Windows (see https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows).
  4. Segment your network into multiple zones, especially in a corporate environment, so that one infected host cannot reach every other machine over SMB.
  5. Switch off the computer as soon as you see the fake CHKDSK screen: the malware is encrypting the disk while that screen is displayed, so powering off limits the damage.
  6. Do not pay the ransom. First, the attackers' email address has been blocked by the email provider Posteo, so your payment message cannot be delivered. Second, further analysis shows that the malware cannot restore your files even if you pay.
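The following PowerShell script is an added example, not part of the original post or of any vendor's guidance, that applies steps 1 to 3 above on a single Windows host: it checks for an MS17-010 KB, blocks inbound TCP 135/139/445 in the Windows Firewall, and disables SMBv1 on both the server and client side using the methods from the linked KB2696547 article. The KB numbers are the MS17-010 patches for the builds named in the comments; on Windows 10 later cumulative updates supersede them, so a missing KB there is not proof that the host is unpatched. The rule and function names are my own choices.

```powershell
# Added example: MS17-010 / NotPetya host hardening (steps 1-3 of the list above).
# Run in an elevated PowerShell on Windows 7 / Server 2008 R2 or later.
#Requires -RunAsAdministrator

# MS17-010 KB identifiers from the Microsoft bulletin, per build.
# Assumption: the reader confirms the KB for their own build; on Windows 10
# later cumulative updates supersede these, so Get-HotFix may not list them.
$Ms17010Kbs = @(
    'KB4012598',              # Vista / Server 2008 / 8.0 (and XP / 2003 out-of-band)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Patch {
    # Step 1 check: returns $true if any MS17-010 KB is visible in Get-HotFix.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Host "MS17-010 patch present: $($found -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found via Get-HotFix; confirm with Windows Update history or a vulnerability scan.'
    return $false
}

function Block-SmbInbound {
    # Step 2: enable the firewall on all profiles and block inbound 135/139/445.
    # On a file server this also blocks legitimate shares; scope the rule with
    # -RemoteAddress to the subnets that must reach it.
    $name = 'Block inbound SMB and RPC (MS17-010 mitigation)'   # hypothetical rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 135,139,445 -Action Block -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
}

function Disable-Smb1 {
    # Step 3: disable the SMBv1 server and client, following KB2696547.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry method
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # SMBv1 client: remove mrxsmb10 from the workstation dependencies and disable it
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 8.1 / 10 also expose SMBv1 as an optional feature
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Test-Smb1Disabled {
    # Verification: the SMBv1 server component should now be off.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SMB1 -eq 0)
}

Test-Ms17010Patch | Out-Null
Block-SmbInbound
Disable-Smb1
if (Test-Smb1Disabled) {
    Write-Host 'SMBv1 server disabled; reboot to finish disabling the client driver.'
} else {
    Write-Warning 'SMBv1 is still enabled; check the commands above for errors.'
}
```

A reboot is required before the client-side change (mrxsmb10) takes effect. Disabling SMBv1 breaks access to devices that only speak SMBv1 (old NAS boxes, some printers), so test on one host before pushing it by Group Policy.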

Below are the security recommendations published by Fortinet, Cisco Meraki, SonicWall and Microsoft.

SonicWall:

The SonicWall threat research team has analysed the new NotPetya malware and developed the following GAV signatures:

  • GAV: GoldenEye.A_5 (Trojan)
  • GAV: WisdomEyes.A_2 (Trojan)
  • GAV: GoldenEye.A_4 (Trojan)
  • GAV: Petya.A_8 (Trojan)
  • GAV: Petya.AA (Trojan)

The SonicWall threat research team also deployed multiple IPS signatures in April/May 2017 that detect EternalBlue / MS17-010 exploitation attempts and therefore proactively block the new NotPetya ransomware:

  • 12700 Windows SMB Remote Code Execution (MS17-010) 1
  • 12792 Windows SMB Remote Code Execution (MS17-010) 2
  • 12794 Windows SMB Remote Code Execution (MS17-010) 3
  • 12800 Windows SMB Remote Code Execution (MS17-010) 4
  • 12814 Windows SMB Remote Code Execution (MS17-010) 5
  • 12849 Windows SMB Remote Code Execution (MS17-010) 6

SonicWall Capture ATP service also detects the malware binaries associated with this threat.

These signatures show a large recent spike in exploitation of the MS17-010 vulnerability, which includes the SMB traffic that the new NotPetya ransomware generates:

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1056
