A global outbreak of the Petya ransomware is reportedly using the same infection vector as the WannaCry ransomware, which recently hit the NHS in the UK.
Petya spreads using the EternalBlue SMBv1 exploit (CVE-2017-0144, one of the vulnerabilities fixed by Microsoft bulletin MS17-010) and affects Windows systems on which that update has not been installed.
Petya differs from WannaCry in that it does not encrypt individual files. It overwrites the Master Boot Record (MBR) with its own bootloader and forces a reboot; that bootloader then encrypts the NTFS Master File Table (MFT), so Windows can no longer boot and the files on disk, although not themselves encrypted, cannot be located.
Important remediation advice
To protect against Petya, the advice of the Redscan SOC is to ensure that network filtering blocks inbound SMB (TCP 445 and 139) from the internet and from any untrusted network segment, and that the latest Microsoft patches, MS17-010 in particular, are installed. Disabling SMBv1 on hosts that do not need it removes the vulnerable protocol altogether, and the host firewall should block inbound SMB on endpoints that do not serve files.
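The following PowerShell script is an added example of how an administrator could audit and apply that advice on a single Windows host; it is not Redscan's code or part of ThreatDetect. It assumes an elevated prompt on Windows 8 / Server 2012 or later (for the SmbShare and NetSecurity modules), and the list of MS17-010 KB numbers and the firewall rule name are assumptions that should be checked against the bulletin and local naming conventions.

```powershell
#Requires -RunAsAdministrator
# Added example (not Redscan's code): audit a Windows host for the MS17-010 /
# EternalBlue vector used by Petya, then apply the remediation from the text.

# 1. Is an MS17-010 update installed?
#    KB numbers differ by OS build. This list is an assumption taken from the
#    March 2017 bulletin plus the later XP/2003/8 out-of-band update; verify it
#    against the bulletin for the exact version in use.
$ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215',
              'KB4012216','KB4012217','KB4012598','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 hotfix found; install the latest cumulative update."
}

# 2. EternalBlue targets SMBv1. Report whether the server side is enabled and
#    switch it off; only hosts that must talk to legacy clients should keep it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is enabled; disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 server already disabled."
}

# 3. Network filtering on the host: block inbound SMB (TCP 445 and NetBIOS
#    session 139) on all firewall profiles. Rule name is an assumption.
#    On file servers add -RemoteAddress with the subnets that legitimately
#    need the share, rather than blocking everything.
$ruleName = 'Block inbound SMB (Petya/WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -Action Block -Profile Any | Out-Null
    Write-Host "Added firewall rule '$ruleName'."
}

# 4. Verification: anything still listening on the SMB ports is now only
#    reachable if a more specific allow rule exists. Review the output.
Get-NetTCPConnection -State Listen -LocalPort 445,139 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Step 3 is appropriate for workstations; on servers that must expose shares, scope the block with -RemoteAddress so that only the internet-facing and untrusted ranges are filtered, and rely on the perimeter and segmentation firewalls for the rest. None of these steps replaces the patch in step 1, which closes the vulnerability itself rather than limiting reachability.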
ThreatDetect, Redscan’s managed detection and response service, helps to prevent this type of attack by:
- Identifying vulnerable systems within a network environment so they can be patched
- Detecting exploit attempts with network intrusion detection systems
- Detecting and isolating compromised hosts with endpoint detection and response (EDR) tools