Latest information on New Petya (and How to Protect Against It)

Version 6

    Verified Product Versions

    • Endpoint Manager 9.6
    • Endpoint Manager 2016.x
    • Endpoint Manager 2017.x

     

    New Petya Ransomware (also known as NotPetya / ExPetr) is an encryption-based ransomware attack that utilizes the EternalBlue exploit and is similar to the recent WannaCry outbreak. While New Petya is distinctly different from WannaCry, it utilizes the same "SMB Remote Code Execution" exploit to infect systems. New Petya utilizes additional attack vectors as well.

     

    Attack vector

    • According to Microsoft, Kaspersky and others, update servers from certain software vendors were compromised and distributed New Petya as a false update.
    • Once introduced, New Petya is able to move laterally on the network using a credential-stealing tool and scanning for admin$ shares and valid credentials.  It then uses stolen credentials to copy a binary to the remote machine and executes it with WMIC or PSEXEC.
    • New Petya also uses exploit code for vulnerability CVE-2017-0145, which allows remote attackers to execute arbitrary code via crafted packets to an SMBv1 server, aka "Windows SMB Remote Code Execution Vulnerability". This vulnerability is only present in the SMB v1.0 protocol. Microsoft released a patch in March: Microsoft Security Bulletin MS17-010. For more information about this update, see Microsoft Knowledge Base Article 4013389.
    • All Windows versions from Windows XP to Server 2016 are affected, and all of these systems have SMBv1 enabled by default. On May 13th, Microsoft released an emergency security patch for unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.


    How to protect against New Petya (and other) ransomware?

     

    • Disable or block Admin$ shares, PSEXEC and WMIC:  New Petya scans and steals credentials and then uses them to spread with admin$ shares, PSEXEC and WMIC.  Disabling these can shut off one primary attack vector.
    • Block Ports:  Block port 139 and incoming SMB traffic on port 445.
    • Patch your systems: Ensure you've applied the latest cumulative updates and specifically install all security updates within Microsoft Security Bulletin MS17-010.
    • Make sure antivirus is up to date: Ivanti Anti-Virus is able to detect this malware. Note that there are multiple attack vectors and antivirus is one layer in an effective protection solution.
    • Beware of phishing: never open email attachments from an untrusted sender or click on links within e-mails or documents without checking the source.
    • Regularly backup user data: create copies of all user data at regular times to prevent data loss, should a ransomware attack occur.
    • Enable Windows firewall: limit the spreading of ransomware within the corporate network by correctly configuring firewalls.
    • Block access to SMB ports over the network and/or the Internet. The protocol operates on TCP ports 137, 139 and 445 and over UDP ports 137 and 138.
    • Block legacy protocols such as SMB v1: See the following article on how to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server (Note: Windows XP only supports SMB v1).
    • Audit installed software and keep it up to date: malware often uses flaws in outdated software. Keep all installed software up to date, not only on end nodes but also in the data centre. Patch Manager will also detect vulnerabilities in many third-party software packages, not only in the operating system.
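    The following audit script is an added example, not the article's or Ivanti's own code: it checks four of the hardening points above (MS17-010 patch, SMBv1, automatic admin shares, inbound TCP 445) on a single Windows host and reports which still need action. The KB number is a placeholder to fill in from the MS17-010 bulletin for the host's OS build; the SMB and firewall cmdlets assume Windows 8 / Server 2012 or later, with a registry fallback for SMBv1 on Windows 7 / Server 2008 R2.

```powershell
# Added audit script (not from the Ivanti article): checks four hardening points above. Run elevated.
$ErrorActionPreference = 'Stop'
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# PLACEHOLDER (assumption): the MS17-010 KB number(s) for this host's OS build, taken from
# the MS17-010 bulletin. The bulletin's own article number (4013389) is not a hotfix ID.
$Ms17010Kbs = @('KB<MS17-010 id for this OS>')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Test-Smb1Disabled {
    # Windows 8 / Server 2012 and later expose the SMB1 switch as a cmdlet property.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 is a registry DWORD; an absent value means enabled.
    $p = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
    return ($null -ne $p.SMB1 -and $p.SMB1 -eq 0)
}

function Test-AdminSharesDisabled {
    # AutoShareWks (workstation) or AutoShareServer (server) = 0 suppresses the automatic
    # C$ and ADMIN$ shares that New Petya copies its binary through. Absent means enabled.
    $p = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
    return ($p.AutoShareWks -eq 0) -or ($p.AutoShareServer -eq 0)
}

function Test-SmbInboundBlocked {
    # True if an enabled inbound Block rule covers TCP 445 (NetSecurity module, Windows 8/2012+).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains '445')) { return $true }
    }
    return $false
}

$checks = [ordered]@{
    'MS17-010 installed'      = Test-Ms17010Installed -KbIds $Ms17010Kbs
    'SMBv1 disabled'          = Test-Smb1Disabled
    'Admin shares disabled'   = Test-AdminSharesDisabled
    'Inbound TCP 445 blocked' = Test-SmbInboundBlocked
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'ACTION NEEDED' })
}
```

    A host passing all four checks is still only covered against the SMB and admin-share vectors; the compromised-update and phishing vectors listed above need the patching, antivirus and backup controls as well.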


    Kill switch / Vaccine

     

    Security researchers have identified a "vaccine" to protect systems against New Petya. Please see How to: Vaccinate your computer from New Petya Ransomware for more information.

     

    What if I'm compromised?

    DO NOT PAY THE RANSOM

    According to Kaspersky Labs Daily Blog:

     

    Kaspersky Lab researchers have analyzed the high-level code of the encryption routine and determined that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.  ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.

    Ivanti Product Specific Advice

     

    Ivanti Endpoint Security (formerly LANDESK Security Suite)

    The SMB exploit used to propagate New Petya is identical to that used by WannaCry and the patches that need to be applied are the same.

     

    https://community.ivanti.com/docs/DOC-47847

     

    • Example query to detect if a KB has been applied (note)

    Patch for Windows Server (formerly Shavlik Protect)

     

    More information: Webinars

     

    Upcoming:

     

    Petya and Weaponized Malware: Is Ransomware the New DDoS Attack?

    June 29, 2017

    8 a.m. PST | 11 a.m. EST | 4 p.m. BST

    In this emergency webinar, our security panel is getting together to discuss the Petya attack, where malware is going, and what it means for you. Specifically, we'll cover the latest on Petya and how it compares to WannaCry, what this attack and others tell us about the future design and potential crushing impact of malware, and how you can stop it from bringing your business to its knees.

    (register)

     

    Recordings:

     

    LIVE Updates on the UK Ransomware Attack

    May 15, 2017

    Chris Goettl: Manager, Product Management, Security, Ivanti  |   Phil Richards: Chief Security Officer, Ivanti

    Simon Townsend: Chief Technologist, Ivanti  |   Matthew Walker: AVP EMEA Product Specialist, Ivanti

     

    Ransomware Update: New Threats, New Defenses

    September 14, 2016

    Stephen Brown, Director of Product Management, Ivanti

     

    Passive Protection Against Ransomware

    June 01, 2016

    Eran Livne, Principal Product Manager, Ivanti

    Ivanti free 90 day offer

    When a global threat like New Petya comes along, it's up to all of us in cyber security to make sure we shut it down. To help minimize its impact, until June 15, 2017, we're offering a free 90-day license for the best-in-industry patch management solution that's tailored to your system needs. Register for the Ransomware Get Well Quick trial.

     

    Bookmark this page, we will add updates as they become available.