Petya & NotPetya Ransomware %$&#!!

[Matticus91]

Anyone else an IT professional? If you're looking for info on this here's some that might help...

There’s another ransomware virus going around – started in Holland and Ukraine this morning and has jumped to the US since, already reports in local businesses including a large hospital in PA. It’s primarily spreading by sending emails with either a Word doc or a .scr executable file using notepad and then trying to auto-run macros online. These are some precautions that can be taken to help prevent the attack:


Block ADMIN$ via GPO to stop lateral movement on WMI and PSEXEC

There are a few killswitches being tested but non confirmed 100%: Create files with no extension in %windir% named perfc and perfdec

That MAY halt the virus, but remains unconfirmed.


MS Patch that resolves the attack vector (as listed CVE-2017-0199): https://support.microsoft.com/en-us/...-april-11-2017

More details on CVE-2017-0199: https://www.fireeye.com/blog/threat-...a-handler.html

Other measures:
• Adjust spam filter to block the following extensions
o Scr
o Js
o Vbs
o Exe
• Block .zip if possible
• Ensure AV is up-to-date and running

Github link with lots of good info: https://gist.github.com/vulnersCom/6...4c176baba45759

Godspeed to anyone not on top of this.

Edit:

Cisco you bunch of cheeky fuckers you (see attached lol)

[Matticus91]

Also https://ransomfree.cybereason.com/ may or may not help here, no confirmations yet but can't hurt

[UncleWede]

I made an appt for PA to review my firewall with me, but not until next week. Backups are running well at this point. AV is up to date on all devices. Printing out that list of machines that have more than 10 updates left from WSUS and making personal visits.

[c1pher]

The vulnerability associated with this has already been patched. Just keep your $h1t updated an you'll be fine. Report after report including my own internal stats illustrate that 90-95% of these hacks can be prevented with already existing tools. Good passwords, AV and updated software take care of almost everything. It can be more complicated than that in an enterprise, but at home, not so much.

[zx10guy]

If you're dealing with enterprise level systems, getting a heuristic based security solution is key here. Using signature based security solutions will not provide the necessary protections. For end point/client protection, I've been recommending Cylance. Here's a blog they put out about Petya:

https://www.cylance.com/en_us/blog/c...ampaign=buffer

[Matticus91]

Quote:

Originally Posted by MGM135is

The vulnerability associated with this has already been patched. Just keep your $h1t updated an you'll be fine. Report after report including my own internal stats illustrate that 90-95% of these hacks can be prevented with already existing tools. Good passwords, AV and updated software take care of almost everything. It can be more complicated than that in an enterprise, but at home, not so much.

100% true, and yes I'm dealing with this in an enterprise situation with global deployments that rarely hit HQ for updates

[UncleWede]

I'm still waiting on a quote for TRAPS, to leverage my WildFire from PA. I'm still a bit worried about putting all my eggs into one basket though.

End users are so difficult to persuade to do their updates. <whining> "But, it takes time" </whining>

Not half as long as if you infect your computer, the network, and I have to rebuild both.

[Blacross]

best investment we ever made was using mimecast for sandboxing email attachments. happy sys admin here

[Wolf 335]

Once infected is there absolutely no way of gaining access to your files without paying?

[Matticus91]

Quote:

Originally Posted by Blacross

best investment we ever made was using mimecast for sandboxing email attachments. happy sys admin here

'

We switched from MXlogic to MC this year when MX was ending, great system.

Quote:

Originally Posted by Wolf 335

Once infected is there absolutely no way of gaining access to your files without paying?

There's pretty much no way even if you do pay, the chances of actually getting your shit back is essentially zilch.

Your best bet if you DO get infected is to turn your shit off, pull out your hard drive, try to recover your files using a machine you don't care about, scrub that shit, and hope for the best.

Otherwise, just make a backup ahead of time and wipe/restore.

[NoGuru]

We are getting updates about this and Wannacry daily. We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.

[Matticus91]

Quote:

Originally Posted by NoGuru

We are getting updates about this and Wannacry daily. We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.

Fingers crossed for you mate, 110k employees is a scary number haha. If everyone is patched up and you've done your proper prep work you should be ok. At the very least doing some GPO blocking with admin$ would prevent any lateral movement and keep things isolated.

[335e92tx]

Good effort -

Quote:

Originally Posted by Matticus91

Anyone else an IT professional?

Not anymore - retired after 33yrs..

G/L

It wont get any better...

Quote:

Originally Posted by NoGuru

We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.

G/L to u 2.

I used to be an ISO for 6K users that were both geographically dispersed and had no central policy mgmt..
See above about retired ;-)

[NoGuru]

Quote:

Originally Posted by Matticus91

Fingers crossed for you mate, 110k employees is a scary number haha. If everyone is patched up and you've done your proper prep work you should be ok. At the very least doing some GPO blocking with admin$ would prevent any lateral movement and keep things isolated.

Unfortunately I cannot manage GPO's, I can only deploy software and patch's.
We have done a lot to prevent this but you never know what is going to get through.
I like the Cisco add when searching for Petya,

[UncleWede]

So, the last major infection that ran thru the network shares; 1 GUESS who thought his computer sandboxing would make it safe to open that attachment he KNEW was viral, just out of PROFESSIONAL curiosity.

I was supposed to cruise down the coast to Neptune's Net for a retirement party for an old friend. Didn't make it . . .

[davis449]

Quote:

Originally Posted by Matticus91

100% true, and yes I'm dealing with this in an enterprise situation with global deployments that rarely hit HQ for updates

Enterprise level here as well, same situation...

[Blacross]

since there's a bunch of IT people in this thread I'll throw it out there that I'm looking to move somewhere warmer all year (Texas, NC, Florida, etc)

I have 20 years experience and I'm looking for something at a senior level systems admin or IT management. I have the usual cisco certs, security certs and I'm a certified penetration tester.

So if anyone is hiring I'd love the lead.

[zx10guy]

Quote:

Originally Posted by Blacross

since there's a bunch of IT people in this thread I'll throw it out there that I'm looking to move somewhere warmer all year (Texas, NC, Florida, etc)

I have 20 years experience and I'm looking for something at a senior level systems admin or IT management. I have the usual cisco certs, security certs and I'm a certified penetration tester.

So if anyone is hiring I'd love the lead.

If you don't mind working for the Federalis, US CERT has a location in Florida. US CERT is under DHS/NPPD. You might want to look on USA Jobs to see if there are any openings there.

[Sidewinderpb]

Quote:

Originally Posted by Wolf 335

Once infected is there absolutely no way of gaining access to your files without paying?

Once encrypted, yeah. But the guys behind it were supposedly reviewing each payment confirmation manually, and the email account that victims were supposed to send payment confirmation to has been shut down...so you're probably screwed even if you pay.

One of our clients is headquartered in the Ukraine, and all of their computers have been encrypted. I'm no IT expert, but I think this still boils down to stupid people clicking on stupid things.

[UncleWede]

Quote:

Originally Posted by Sidewinderpb

I'm no IT expert (but I did stay at a Holiday Inn Express last night), but I think this still boils down to stupid people clicking on stupid things.

FTFY

So, really what you are saying is that if I get an email saying that's Joe's Pest Service has an invoice for $485.77 in my name, I shouldn't click on the link to see the bill that goes to some random website that doesn't even have the word "Joe" in it???

[Sidewinderpb]

Quote:

Originally Posted by UncleWede

FTFY

So, really what you are saying is that if I get an email saying that's Joe's Pest Service has an invoice for $485.77 in my name, I shouldn't click on the link to see the bill that goes to some random website that doesn't even have the word "Joe" in it???

Well, yeah...it's both a hotel and a motel. No better place for an avid blacklighter such as myself.

Frankly, I just want to know who this "Joe" is.