Petya or ExPetr Ransomware Attack – used modified EternalBlue and EternalRomance exploits

Posted by Geraldine Hunt on Wed, Jun 28th, 2017

Tuesday the 27th of June 2017 saw a major global cyber-attack using ransomware. TitanHQ analysts are investigating the new wave of ransomware attacks targeting organizations across the world.  Initial findings from our AV provider Kaspersky suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality.  Kaspersky have named it "ExPetr".

This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits - which were used during WannaCry ransomware attack in May - are used by the criminals for propagation within the corporate network. Kaspersky identifies the threat as one of DangerousObject.Multi.Generic, Trojan-Ransom.Win32.ExPetr.a, Trojan-Ransom.Win32.ExPetr.gen, Trojan.Win32.Generic, Exploit.Win32.Generic.
 

SpamTitan Protection

Customers using SpamTitan are protected against all the recent variants of this ransomware.  Our antivirus service is blocking this attack and we are working closely with our providers to ensure optimal protection. TitanHQ has detected the initial infection using the Kaspersky cloud protection feature.

What should you do?

• We advise all organizations to update their Windows software: Windows XP and Windows 7 users can protect themselves by installing MS17-010 security patch.
• We also advise all organizations to ensure they have backups in place.  Use the 3-2-1 back up method. Proper and timely backup of your data may be used to restore original files after a data loss event.
• Ensure all  AV protection mechanisms are activated as recommended
• Avoid opening attachments in emails  you aren’t expecting or from recipients you don’t know.

Layers of Security

Organizations today need layers of security so that an email message that gets through the firewall will get stopped by the mail server’s antispam and antivirus. If it makes it through that, then it should be stopped by the endpoint antivirus.  If malware makes it onto on the workstation, it should be detected when it start operating suspiciously.  

Layered security solutions like SpamTitan and WebTitan can block dangerous websites, including harmful links found in websites, social networks and emails to protect against viruses, phishing, ransomware and other online threats.

Patch, Reply, Mitigate

In the case of ransomware, backups are key as is patching your systems regularly. The problem is organisations can't always roll out updates the day they're available since they need to test the changes and make sure they won't break anything.  It is crucial for IT teams to build redundancy into the infrastructure, so one system can be down for patching while a different system handle the load during that time.

IT teams must have a plan to prioritize security updates or have safeguards in place for those that can't be patched. The one certainty of ransomware is that it is evolving all the time. In January this year alone, over 37 new ransomware variants appeared including, F Society, CyberHub, Spora, Marlboro, and Dark OverLord to name just a few. With so many different strains circulating, the precautions remain the same. Organizations should maintain backups, use effective email and web security, and crucially treat spam as a serious carrier of malware rather than a nuisance.

The numbers affected in recent ransomware attacks clearly show how companies are ignoring or not prioritizing patching. Did you apply all your patches after the WannaCry outbreaks? Were you hit by ExPetr? 

Are you an IT professional that wants to ensure sensitive data and devices are protected?  Talk to a specialist or  email us at info@titanhq.com with any questions.