Everyone “wants to cry” over the new Petya Ransomware global scare!

Redport Information Assurance
Just as everyone was getting over the “WannaCry” ransomware cyber-attack, a new ransomware attack, named Petya, has made its presence known. Unfortunately, the new global ransomware scare also results from the same vulnerability, named “EternalBlue.” The known vulnerability was stolen from the NSA and released by the threat actor group known as “Shadow Brokers.” The Petya ransomware is now spreading fast globally; it first started overseas in Europe, Ukraine and Russia. Some specific targets were hit with the ransomware, such as the large shipping company Maersk and power systems in Ukraine. The ransomware essentially crippled users’ systems running Microsoft Windows operating systems by encrypting their hard drives. Globally, Russia and Ukraine were the most affected according to Kaspersky Labs, with other victims spread across countries including Britain, France, Germany, Italy, Poland, and the United States. The total number of attacks is unknown at this time. According to security researchers, the Microsoft systems affected are Microsoft Windows Vista, 7, 8.1, 10; Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016; Microsoft Windows Server Core Installations 2008, 2008 R2, 2012, 2012 R2, 2016; Microsoft Windows XP SP2/SP3, Embedded SP3, 8 RT; and Microsoft Windows Server 2003 SP 2.
As our Redport Information Assurance, LLC cybersecurity research team analyzes the Petya ransomware global threat situation, our team recommends that users take the following actions: apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing for the ransomware; block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point; immediately remove all un-patchable hosts from the network; disable SMBv1 on all systems and use SMBv2 or SMBv3 after appropriate testing; run all software as a non-privileged user to diminish the effects of a successful attack; remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources; inform and educate all system users about the known Petya ransomware threats posed by hypertext links, which are usually contained in emails or email attachments, especially those from un-trusted sources; and finally, apply the “Principle of Least Privilege” to all systems and services.
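To check a single Windows host against the SMBv1 and port recommendations above, the following PowerShell audit is an added example, not code from Redport or Microsoft. It assumes Windows 8 / Server 2012 or later and an elevated prompt; the `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
# Added example: report SMBv1 state and listening ports 139/445/3389 on this host.
# Assumes Windows 8 / Server 2012 or later (SmbShare, NetTCPIP, Dism modules), run elevated.
param([switch]$Remediate)    # hypothetical switch; without it the script only reports

$ports = 139, 445, 3389      # ports named in the recommendations above

# 1. SMB server side: is the SMBv1 dialect still accepted?
$smb = Get-SmbServerConfiguration
$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    Smb1ServerOn = [bool]$smb.EnableSMB1Protocol
    Smb2ServerOn = [bool]$smb.EnableSMB2Protocol   # this setting covers SMBv2 and SMBv3
}

# 2. SMB1Protocol optional feature, on Windows versions that expose it
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
               -ErrorAction SilentlyContinue
$report.Smb1FeatureState = if ($feature) { "$($feature.State)" } else { 'NotPresent' }

# 3. Which of the listed TCP ports is this host listening on?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique |
    Sort-Object
$report.ListeningPorts = $listening -join ','

[pscustomobject]$report | Format-List

if ($Remediate) {
    if ($report.Smb1ServerOn) {
        # Keep SMBv2/SMBv3 enabled while turning the SMBv1 server dialect off
        Set-SmbServerConfiguration -EnableSMB2Protocol $true `
            -EnableSMB1Protocol $false -Force
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        # Removes the SMBv1 components; takes full effect after a reboot
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
}
```

A host that still reports `Smb1ServerOn : True` or lists 445 in `ListeningPorts` is a candidate for the patching, SMBv1 removal, or network isolation steps above.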

By Dr. Randall Sylvertooth

References:
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Direct link to vulnerability patches:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA