[SingCERT] Alert on Global Spread of Ransomware Petya/Petna

Published on Wednesday, 28 June 2017 00:30

Background
On 27 June 2017, SingCERT was alerted to a new variant of the Petya malware, known as Petna, which spreads via the Microsoft Windows SMB protocol using the ETERNALBLUE exploit. This is similar to the exploit used by the WannaCrypt/WannaCry ransomware earlier in May 2017. It was reported globally that multiple organisations, including government agencies and critical information infrastructure operators, experienced network outages.

SingCERT will be closely monitoring the situation and will provide updates accordingly.

Please refer to the Petya/Petna Ransomware Technical Advisory for more details:
https://www.csa.gov.sg/singcert/news/advisories-alerts/technical-advisory-on-petya-petna-ransomware
 
Affected Systems
The following Microsoft operating systems are currently suspected to be vulnerable:
  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003

Recommendations
  • Ensure that your Windows-based systems are fully patched. In particular, the security update MS17-010 should be applied.
  • Ensure that your anti-virus software is updated with the latest malware definitions
  • Perform file backups and store them offline so that they can be used to restore your system if an attack occurs
  • Block inbound connections on TCP Port 445
  • Disable all unrequired services
  • Monitor your systems for privilege escalation
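
One way to check the "block inbound connections on TCP Port 445" recommendation on a single host, as an added example that is not part of the SingCERT advisory. It assumes an elevated PowerShell session on Windows 8 / Windows Server 2012 or later (where the NetSecurity and NetTCPIP cmdlets exist); the `-Enforce` switch and the rule name are hypothetical names chosen for this example.

```powershell
# Added example: audit, and optionally enforce, an inbound block on TCP 445.
param(
    [switch]$Enforce   # hypothetical switch: create the block rule if none exists
)

$port     = 445
$ruleName = 'Block inbound SMB TCP 445 (example)'   # constructed rule name

# Sockets accepting connections on TCP 445 (the SMB server, if it is running).
$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

# Enabled inbound firewall rules whose port filter names TCP 445 explicitly.
# This reads the local persistent store; rules delivered by Group Policy are
# not included, and rules written as a port range or "Any" are not matched.
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

$block = @($rules | Where-Object { $_.Action -eq 'Block' })
$allow = @($rules | Where-Object { $_.Action -eq 'Allow' })

if ($Enforce -and $block.Count -eq 0) {
    # Block rules take precedence over allow rules in Windows Firewall.
    # This stops the host from serving file shares; scope the rule with
    # -RemoteAddress on servers that must keep SMB open to specific subnets.
    $block = @(New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Block -Profile Any)
}

# Summary object: one row per host, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    ListeningOn445 = $listeners.Count -gt 0
    BlockRules     = $block.DisplayName -join '; '
    AllowRules     = $allow.DisplayName -join '; '
    InboundBlocked = $block.Count -gt 0
}
```

A host that reports `ListeningOn445` as true and `InboundBlocked` as false is reachable over SMB from any network its allow rules cover and is the first candidate for patching or filtering.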
