
Petya Ransomware Outbreak proves WannaCry was only the beginning…

Ukraine’s power distributor, one of the world’s largest snack companies, and even Chernobyl’s radiation monitoring systems were among the hundreds of businesses and organizations around the globe reporting that they’d been infected by ransomware from the Petya family on Tuesday.

Though the initial attack vector has not yet been identified, F-Secure analysis finds that this strain of Petya uses the EternalBlue exploit, which Microsoft first patched in March and which gained prominence in May of 2017 thanks to WannaCry, the largest ransomware outbreak ever. These exploits, identified by the National Security Agency, did not become public until the hacking group the Shadow Brokers released them early this year.

F-Secure Labs has been warning about the dangers of leaked government surveillance tools being weaponized by criminals for years. These warnings have now become a reality that businesses will have to contend with for years to come.

WannaCry proved a viable business model for criminals. Ransomware that spreads like a worm through a network can hold much of an organization’s data hostage, demanding cash delivered in the form of Bitcoin in return for relief. But WannaCry’s damage was quickly minimised due to sloppy coding that allowed a kill switch to be activated by a malware researcher who was actually on vacation at the time.

Now Petya appears to be a much more professional attempt to employ similar methods.

“This is what WannaCry looks like in the big leagues,” said Sean Sullivan, F-Secure Security Advisor. “Amateurs infected a lot of people last time. This time these guys want to cash in.”

Unlike other ransomware, Petya has an “evil twist” – it encrypts portions of the hard drive, making Windows inaccessible. Though the family has been around for more than a year, no version of it has used network exploits before.

As of Tuesday afternoon, more than $6,000 had already been collected in the Bitcoin wallet into which Petya demands payment, according to a Twitter account tracking payments.

Here’s the good news: F-Secure products block the new Petya variant

Our endpoint products prevent all known samples of the threat. F-Secure’s vulnerability management product flags the exploited vulnerabilities within the system for remediation. Finally, F-Secure’s managed incident response service detects the attack and enables an immediate response to the threat.

F-Secure endpoint products offer protection against the Petya ransomware on several layers, so that the attack can be stopped at multiple points along the attack chain.

F-Secure’s vulnerability manager, F-Secure Radar, flags the missing Microsoft security patch and the exposed port 445 for immediate action by IT administrators, giving them ample time to fix the vulnerabilities before an outbreak.

F-Secure’s managed incident response service, F-Secure Rapid Detection Service, detects a large number of the tactics, techniques and procedures (TTPs) used by Petya, such as abusing rundll32 and other Microsoft components, allowing our customers to take immediate remediative action in case an infection is detected.
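The rundll32 abuse mentioned above is something your own telemetry can surface as well. The function below is an added example, not F-Secure’s detection logic: it scans process-creation records in the shape of Sysmon Event ID 1 and reports rundll32 launches whose module argument lives outside the Windows directory or is not a .dll. The three records are constructed so it runs offline; the commented `Get-WinEvent` pipeline shows how to feed it live events on a host that has Sysmon installed (assumed, not stated on the page).

```powershell
# Added example, not F-Secure's detection logic. Hunts process-creation
# records (Sysmon Event ID 1 fields) for rundll32 launched with a module that
# is outside the Windows directory or is not a .dll. Records are constructed.

function Find-SuspiciousRundll32 {
    param([Parameter(Mandatory)] [object[]]$Events)   # objects with Image, CommandLine, ParentImage
    foreach ($e in $Events) {
        if ($e.Image -notmatch '\\rundll32\.exe$') { continue }
        # Drop the (possibly quoted) executable token, then take the module: a
        # quoted path or the first bare token, minus any ",EntryPoint" suffix.
        $rest = $e.CommandLine -replace '^\s*"?[^"]*rundll32\.exe"?\s*', ''
        if ($rest -match '^"([^"]+)"') { $module = $Matches[1] }
        else { $module = ($rest -split '\s+')[0] }
        $module = $module -replace ',.*$', ''

        $reasons = @()
        # A bare name such as shell32.dll resolves via the search path, so only
        # judge the location when an explicit path was given.
        if ($module -match '\\' -and $module -notmatch '^[A-Za-z]:\\Windows\\') {
            $reasons += 'module path outside the Windows directory'
        }
        if ($module -notmatch '\.dll$') { $reasons += 'module is not a .dll' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Parent      = $e.ParentImage
                Module      = $module
                Why         = ($reasons -join '; ')
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed records: a normal Control Panel launch, a rundll32 pointed at a
# non-DLL file in a user-writable folder, and an unrelated process.
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\rundll32.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\rundll32.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = '"C:\Windows\System32\rundll32.exe" "C:\Users\Public\update.dat",Run' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe C:\Temp\notes.txt' }
)

# Live input on a host running Sysmon (assumed):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data
#       [pscustomobject]@{ Image       = ($d | Where-Object Name -eq 'Image').'#text'
#                          CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
#                          ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text' }
#   }

Find-SuspiciousRundll32 -Events $events | Format-Table -AutoSize
```

With the constructed records only the second one is reported, for both reasons. Installers and some vendor tools legitimately call rundll32 with DLLs under Program Files, so in practice you would add an allowlist of known module paths rather than treat every hit as an incident.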

What should you do?

F-Secure endpoint products block the Petya attacks with their default settings. However, it is good to check that all security functions are enabled. You should also take steps to mitigate the exploited vulnerability and prevent the attack from spreading in your environment.

  1. Ensure DeepGuard and real-time protection are turned on in all your corporate endpoints.
  2. Ensure that the F-Secure Real-time Protection Network is turned on.
  3. Ensure that your F-Secure security program is using the latest available database update.
  4. Identify endpoints without the Microsoft-issued patches (4013389) with Software Updater or another available tool, and patch them immediately.
    • Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later).
    • Apply Microsoft’s patch to Windows XP or Windows Server 2003.
    • If you are unable to patch immediately, we recommend disabling SMBv1 using the steps documented in Microsoft Knowledge Base article 2696547 to reduce the attack surface.
  5. Ensure that the F-Secure firewall is turned on with its default settings. Alternatively, configure your firewall to block inbound and outbound traffic on port 445 within the organization to prevent the ransomware from spreading within the environment.
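Steps 4 and 5 can be audited on each Windows host from PowerShell. The script below is an added example, not F-Secure’s or Use It’s code: it reports whether the MS17-010 hotfix is installed, whether the SMBv1 server protocol is still enabled, and whether the host firewall blocks TCP 445, and it applies the last two fixes only when run with `-Remediate`. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later (the `Smb*` and `NetFirewall*` cmdlets are not available on older releases, where the registry method in KB2696547 applies instead), and that KB4013389 is the right KB number for the host’s build; the firewall rule name is made up.

```powershell
# Added example (not F-Secure's or Use It's code). Audits one host for the
# controls in steps 4 and 5; -Remediate applies the SMBv1 and firewall fixes.
# Run from an elevated PowerShell 5.1 session on Windows 8.1 / 2012 R2 or later.
param(
    [switch]$Remediate,
    # KB4013389 is the article cited in the text. MS17-010 shipped under several
    # KB numbers and later cumulative updates supersede it, so pass the KB that
    # applies to your build, and treat "not found" as "verify", not "unpatched".
    [string[]]$PatchKbs = @('KB4013389')
)

$findings = @()

# 1. Is an MS17-010 hotfix installed?
$installed = Get-HotFix | Where-Object { $PatchKbs -contains $_.HotFixID }
if ($installed) {
    $findings += "OK     MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    $findings += "CHECK  none of $($PatchKbs -join ', ') installed; confirm a superseding update or patch now"
}

# 2. Is the SMBv1 server protocol still enabled?
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += "FAIL   SMBv1 server protocol is enabled"
    if ($Remediate) {
        # Same effect as the registry value described in KB2696547
        # (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, SMB1 = 0).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += "FIXED  SMBv1 server protocol disabled"
    }
} else {
    $findings += "OK     SMBv1 server protocol is disabled"
}

# 3. Does the host firewall block TCP 445 in both directions?
$ruleName = 'Block TCP 445 (Petya mitigation)'   # constructed name, choose your own
$rules = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rules) {
    $findings += "OK     firewall rule '$ruleName' present"
} else {
    $findings += "FAIL   no host firewall rule blocking TCP 445"
    if ($Remediate) {
        # Add -RemoteAddress to either rule if file servers must stay reachable
        # from specific subnets; as written this cuts the host off from SMB entirely.
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound  -Protocol TCP -LocalPort 445  -Action Block | Out-Null
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null
        $findings += "FIXED  inbound and outbound TCP 445 blocked"
    }
}

$findings
```

Run it once without `-Remediate` to see the three findings, then with `-Remediate` on hosts where losing SMB access is acceptable until the patch is in place. The script only disables the SMBv1 server side; on Windows 10 the SMBv1 client component can additionally be removed with `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`, which requires a reboot.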

What should you do if you were infected?

  1. Change the file permissions on internal network file shares to read-only access for all users, or, where read-only access cannot be configured, disconnect all major file share drives, NAS, SAN, etc. to limit any potential infection.
  2. Check your system health monitoring infrastructure to see which IT assets show a sudden spike in disk read and write activity.
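Step 2 is easier to act on if the monitoring data is scored rather than eyeballed. The function below is an added example, not from the original post: it takes per-host samples of disk writes per second and reports any host whose latest sample is far above its own recent baseline. The sample rows are constructed; the commented `Get-Counter` line shows one way to collect the same shape of data from live hosts (the `$hosts` list is assumed).

```powershell
# Added example (not from the original post). Flags hosts whose latest disk
# write rate is far above their own recent baseline. Sample rows are constructed.

function Find-DiskWriteSpike {
    param(
        # Objects with Host, Time and WritesPerSec properties.
        [Parameter(Mandatory)] [object[]]$Samples,
        [double]$Sigmas      = 3.0,   # latest must exceed mean + Sigmas * stddev ...
        [double]$MinRatio    = 5.0,   # ... and MinRatio * mean ...
        [double]$MinAbsolute = 100    # ... and this floor, so idle hosts do not trip on noise
    )
    $Samples | Group-Object -Property Host | ForEach-Object {
        $rows = @($_.Group | Sort-Object -Property Time)
        if ($rows.Count -lt 4) { return }     # not enough history for a baseline
        $baseline = @($rows[0..($rows.Count - 2)] | ForEach-Object { [double]$_.WritesPerSec })
        $latest   = $rows[-1]
        $mean = ($baseline | Measure-Object -Average).Average
        # PowerShell 5.1's Measure-Object has no -StandardDeviation, so compute it by hand.
        $var  = ($baseline | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Average).Average
        $threshold = [math]::Max([math]::Max($mean + $Sigmas * [math]::Sqrt($var), $mean * $MinRatio), $MinAbsolute)
        if ([double]$latest.WritesPerSec -gt $threshold) {
            [pscustomobject]@{
                Host         = $_.Name
                Time         = $latest.Time
                WritesPerSec = $latest.WritesPerSec
                Baseline     = [math]::Round($mean, 1)
                Threshold    = [math]::Round($threshold, 1)
            }
        }
    }
}

# Constructed samples (writes/sec, one per minute): FS01 is busy but steady,
# WS07 goes from idle to a burst of writes, WS12 stays idle.
$samples = foreach ($row in @(
    @('FS01', '09:00', 410), @('FS01', '09:01', 395), @('FS01', '09:02', 430), @('FS01', '09:03', 405), @('FS01', '09:04', 420),
    @('WS07', '09:00',  12), @('WS07', '09:01',   8), @('WS07', '09:02',  15), @('WS07', '09:03',  10), @('WS07', '09:04', 980),
    @('WS12', '09:00',   3), @('WS12', '09:01',   5), @('WS12', '09:02',   2), @('WS12', '09:03',   4), @('WS12', '09:04',   6)
)) { [pscustomobject]@{ Host = $row[0]; Time = $row[1]; WritesPerSec = $row[2] } }

# Live collection from a list of hosts ($hosts assumed), 15 one-minute samples each:
#   Get-Counter -ComputerName $hosts -Counter '\PhysicalDisk(_Total)\Disk Writes/sec' -SampleInterval 60 -MaxSamples 15

Find-DiskWriteSpike -Samples $samples | Format-Table -AutoSize
```

With the constructed data only WS07 is reported: its baseline is about 11 writes/sec and the last sample is 980. FS01 stays under its threshold because a busy file server’s normal rate is its baseline, which is why the check is relative to each host rather than a single fixed number. Hosts that appear here are the first candidates to isolate from the network and inspect.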

For more information, or advice please contact us on 01254 877009 today!
