News broke overnight about a ransomware attack that is hitting Ukraine, Spain, and the United Kingdom. The ransomware is targeting government and commercial entities. It is also being reported that some large U.S. law firms have been affected.
The ransomware is spreading either through phishing attacks or via the same Windows SMBv1 vulnerability that was responsible for the WannaCry ransomware spread. This ransomware is unlike others because it is able to gain administrative access and spread to all computers on the same network. It is highly likely that if one of your computers is infected, then all of the others will be too.
This new variation, Petya ransomware, encrypts the hard drive’s master file table on the infected computer and replaces the master boot record with malicious code that displays a ransom note. This is different from most malware of this kind, which encrypts files on a targeted system individually.
Please see our recommendations below on how you can help prevent being hit by this ransomware.
Our Recommendations
- Ensure spam filters are configured to block .scr, .bat, and macro-enabled Microsoft Office documents.
- Apply the latest security updates from Microsoft and install future updates as soon as they are released.
- Disable SMBv1 via Group Policy Objects (GPO), if possible.
- Block port 445 using a hard firewall rule, and also block port 445 access for third parties that have direct network access, to prevent the worm from tunneling in from a partner’s network.
- Disable Remote Desktop (RDP) on internal machines, if possible.
- Configure IDS and IPS systems to look for the signatures provided by the FBI, CERT, and other authorities relevant to WannaCry.
- Do not open attachments in emails from senders you don’t know.
- Block inbound Microsoft Office document attachments that contain macros.
- Enable the “Show file extensions” option on your computer. This will make it much easier to identify malicious files. Do not open files with extensions such as “.exe” and “.vbs.”
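The host-side items in the list above (SMBv1, port 445, Remote Desktop, file extensions, updates) can be spot-checked with a read-only script. This is an added example, not part of the original advisory; the function name Test-PetyaHardening is hypothetical, and it inspects only the local Windows Firewall and registry, not perimeter firewalls or Group Policy.

```powershell
# Added example: read-only audit of one Windows host against the checklist above.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
# Test-PetyaHardening is a hypothetical name chosen for this example.

function Test-PetyaHardening {
    $results = [ordered]@{}

    # SMBv1 server component: should be disabled.
    $smb = Get-SmbServerConfiguration
    $results['SMBv1 server disabled'] = -not $smb.EnableSMB1Protocol

    # Inbound TCP 445: look for an enabled Block rule in the local Windows Firewall.
    # Exact port match only; a rule written as a port range is not detected here.
    $blocks445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    $results['Inbound TCP 445 block rule present'] = [bool]$blocks445

    # Remote Desktop: fDenyTSConnections = 1 means RDP is turned off.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $results['Remote Desktop disabled'] = ($ts.fDenyTSConnections -eq 1)

    # "Show file extensions": HideFileExt = 0 means extensions are visible.
    # This is a per-user setting; a missing value means extensions are hidden.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name HideFileExt -ErrorAction SilentlyContinue
    $results['File extensions shown (current user)'] = ($adv.HideFileExt -eq 0)

    # Most recently installed update, as a rough indicator of patch currency.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    $results['Last update installed'] = "{0} on {1:yyyy-MM-dd}" -f $lastFix.HotFixID, $lastFix.InstalledOn

    # Emit one object per check so the output can be tabulated or exported.
    $results.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Result = $_.Value }
    }
}

Test-PetyaHardening | Format-Table -AutoSize
```

Any check that reports False marks an item from the list that still needs attention on that machine.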
If you think your computer has been hit with the Petya ransomware, stop using your computer immediately and disconnect from the network.
If you would like an independent audit of your system conducted or if you have any questions, please contact your account manager or primary engineer, or reply to this email.
Thank you for being a technology partner with Entec Systems. We will keep you posted on any changes.
My Best,
Anthony M Ennas
President