Petya/NotPetya attack hits Australia – Recommended mitigations
Matthew Flanagan and Leon Slattery recommend mitigations to the Petya/NotPetya ransomware attack
A new ransomware campaign was launched overnight that has been dubbed “Petya”. The initial vector for infection appears to be via a malicious document attached to a phishing email requiring a victim to download and open it. However, once a system is infected the malware will perform a limited scan of the local network and spread to other systems via a number of mechanisms including exploiting MS17-010 (the same as WannaCry) or gathering local credentials and using WMI and PSEXEC.
Mobile devices, such as laptops, appear to be aiding in spreading the malware. For example, if they are connected to a network, such as airport/café wifi or other corporate networks with infected systems they are then infected and when moved and connected to other networks they propagate the malware further.
Do not pay the ransom
The email address used by the criminals has been suspended so paying the ransom will not result in your files being decrypted.
The following are recommended mitigations
- Block inbound Internet connections to TCP port 445.
- At minimum apply security patches for MS17-010 and in general keep systems up to date with all vendor security patches.
- Create and maintain backups of data so that if an infection occurs you can restore your data.
- Disable legacy SMBv1 protocol.
What should you do next?
As with all types of attacks like this, it highlights the need to always be patched and vigilant towards all threats.
We recommend you assess your current state to understand your security posture and any potential vulnerabilities.
CSA is here to help – free assessment service
We are currently helping clients understand their current security posture and assisting to ramp up their capability to be prepared for Mandatory Data Breach Notifications legislation coming into effect in February 2018.
Part of that service is a free readiness assessment which would serve as a useful starting point for building resilience against attacks like these.
About the Authors
Matthew Flanagan is Platform Lead – Network and Security at CSA. Matt has over 20 years industry experience in a wide range of technologies focused around Internet and enterprise infrastructures. He specialises in Internet infrastructures, UNIX, security, network architecture and design. Matthew is a Member of the GIAC Advisory Board and holds the GIAC GXPN Certification for Exploit Research and Advanced Penetration Testing.Matthew Flanagan
Leon Slattery is Portfolio Manager Network and Security at CSA. Leon’s security domain knowledge has been acquired over 12 years of experience in the IT services industry focusing on development and delivery of innovative network and security solutions for customers. Leon has applied his skills for clients within Utilities, Finance, Health and Higher Education industries giving him insight into the unique challenges faced in securing information in these environments.Leon Slattery