Petya ransomware

Tony1044

Prolific Poster
Hey folks

Just to inform you that our security team have ID'd the three most common attachment names for the above (primarily sent as attachments in email):

• myguy.xls
• myguy.exe
• Order-20062017.doc

The advice is, as ever: ensure your AV and antimalware are up to date, have regular backups of your important data, and be wary of opening attachments you didn't expect - especially from people you weren't expecting them from.
 

ubuysa

The BSOD Doctor
Good advice Tony1044, but everyone should also ensure that you have applied the latest Windows updates whatever version of Windows you're using. I believe the vulnerability this attack is exploiting is the same one used by the previous attack and that vulnerability was patched in March....
 

Tony1044

Prolific Poster
Good advice Tony1044, but everyone should also ensure that you have applied the latest Windows updates whatever version of Windows you're using. I believe the vulnerability this attack is exploiting is the same one used by the previous attack and that vulnerability was patched in March....

I don't have full details yet but I am led to believe it may be using a different vector.
 

ubuysa

The BSOD Doctor
I don't have full details yet but I am led to believe it may be using a different vector.

I know very little except what I'm reading in the press, but Sophos are saying

What makes the new threat different is that it now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in last month's spread of WannaCry.

Source: https://nakedsecurity.sophos.com/2017/06/27/breaking-news-what-we-know-about-the-global-ransomware-outbreak/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=0036b37a7b-naked%252Bsecurity&utm_medium=email&utm_term=0_31623bb782-0036b37a7b-455147793
 

Tony1044

Prolific Poster
I'll have to tap up our security team. They or I might have misinterpreted something :)

I use a Sophos XG Firewall and it does a great job of stopping nasties at the perimeter.

I also have rules set up to drop packets from the majority of the world, including such places as Russia, Ukraine, Brazil, China, etc., and the sheer volume of attacks that come from those places, which would otherwise be probing for weaknesses, is staggering.
 

ubuysa

The BSOD Doctor
Sophos have published more details this morning; it seems that Petya exploits three vulnerabilities...

... PetyaWrap has three spreading tricks, of which the WannaCry technique is the first one it tries.

If the WannaCry hole is closed, PetyaWrap tries PsExec; if that doesn’t work, it tries LSADUMP and the Windows Management Interface to “manage” your network to your considerable disadvantage.

Treat the WannaCry patches as necessary but not sufficient.

Source: https://nakedsecurity.sophos.com/2017/06/28/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=490c91e5cb-naked%252Bsecurity&utm_medium=email&utm_term=0_31623bb782-490c91e5cb-455147793
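The three spreading tricks quoted above (PsExec, LSADUMP-style credential theft, WMI) each leave a recognisable trace in standard Windows logging. The script below is an added example, not from the thread or from Sophos: it runs simple defender-side rules over constructed log lines that use the standard event IDs (System 7045 for a new service, Security 4688 for process creation, Sysmon 10 for a process opening a handle to lsass.exe) in a simplified "EventID|Log|key=value;..." layout rather than the native EVTX format.

```python
"""Toy detection pass for Petya's lateral-movement tricks.
Sample events are constructed, not real telemetry; the line format is a
simplified "EventID|Log|key=value;..." layout, not native EVTX."""

SAMPLE_EVENTS = [
    # System 7045: new service installed (PsExec drops a PSEXESVC service)
    "7045|System|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "7045|System|ServiceName=Spooler;ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    # Security 4688: process creation; a WmiPrvSE.exe parent means WMI spawned it
    "4688|Security|NewProcessName=C:\\Windows\\System32\\rundll32.exe;"
    "ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "4688|Security|NewProcessName=C:\\Windows\\System32\\notepad.exe;"
    "ParentProcessName=C:\\Windows\\explorer.exe",
    # Sysmon 10: a process opened a handle to lsass.exe (credential dumping)
    "10|Sysmon|SourceImage=C:\\Temp\\dump.exe;TargetImage=C:\\Windows\\System32\\lsass.exe",
]


def parse_event(line):
    """Split one constructed log line into (event_id, log, fields dict)."""
    event_id, log, raw = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return int(event_id), log, fields


def classify(event_id, log, fields):
    """Return a finding label for one parsed event, or None if it is benign."""
    if event_id == 7045 and fields.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec-service-install"
    parent = fields.get("ParentProcessName", "").lower()
    if event_id == 4688 and parent.endswith("\\wmiprvse.exe"):
        return "wmi-spawned-process"
    target = fields.get("TargetImage", "").lower()
    if event_id == 10 and log == "Sysmon" and target.endswith("\\lsass.exe"):
        return "lsass-handle-access"
    return None


def flag_lateral_movement(lines):
    """Run every line through the rules; return [(event_id, label), ...]."""
    findings = []
    for line in lines:
        event_id, log, fields = parse_event(line)
        label = classify(event_id, log, fields)
        if label:
            findings.append((event_id, label))
    return findings


if __name__ == "__main__":
    for event_id, label in flag_lateral_movement(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

Any one of these rules firing on a host that is otherwise fully patched is exactly the "necessary but not sufficient" case the Sophos note warns about.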
 

Wozza63

Biblical Poster
Your best defense is common sense. Don't open attachments from unknown email addresses and don't go to dodgy websites.
 