Update on Petya malware attacks

As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release signatures to detect and protect against the malware.

Based on our investigation, the malware was initially delivered via a Ukrainian company’s (M.E.doc) update service for their finance application, which is popular in Ukraine and Russia. Once the initial compromise took hold, the ransomware used multiple tools in its arsenal to spread across impacted networks. If unpatched, the malware uses vulnerabilities CVE-2017-0144 and CVE-2017-0145 to spread across networks. Microsoft released MS17-010 in March that addressed the vulnerabilities exploited by Petya. If that technique was not effective, the malware uses other methods like harvesting of credentials and traversing networks to infect other machines. (read the Microsoft Malware Protection Center analysis here for more details.)

We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. If for some reason you cannot apply the update, we recommend a possible workaround to reduce the attack surface: disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547. In addition, consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks. For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running. Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

The last few months has illustrated that in today’s threat landscape, cybercriminals will continue to alter their attacks and defending against this requires an equal amount of vigilance and effort. Microsoft is committed to working with partners and customers to combat the malicious efforts of these criminals.

We are continuing to investigate and will take appropriate action to protect customers.

Phillip Misner,

Principal Security Group Manager

More Resources:

MMPC blog: https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

Next-generation ransomware protections with Windows 10 Creators update: https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/

Microsoft Malware Encyclopedia post on Petya: https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya