Menu

Poland

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

Sweden

Drottninggatan 86
111 36 Stockholm
+46 762 041 514
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

  • en
  • pl
  • se

    • Petya or NotPetya – External Blue MS17-010 hits again

    Home BlogSecurityInternet Edge SecurityPetya or NotPetya – External Blue MS17-010 hits again
    WLAN / Wireless LAN Security Explained

    Petya or NotPetya – External Blue MS17-010 hits again

    Date: 28.06.2017

    Author:
    0
    Category: Internet Edge Security, IP Networks, LAN Security, Secure connectivity, Security


    No matter the attack is original Petya worm or it’s modified version (already called NotPetya), the fact is that it hits biggest brands starting at Ukraine government, Chernobyl power station continuing with Raben, Maersk or St Gobain. So yes, it is disruptive. What we know so far and how we can try to prevent if we have not been hit yet?

    1. First signs is CHKDSK message
    Petya Ransomware Encrypt

    Petya Ransomware Encrypt using CHDSK

    If you see this message, switch off your computer immediately! Don’t try to switch on again. Petya needs the restart to finish. Later you could attach your disk to external computer to retrieve your data.

    You can also see such variant of this image:

    Petya Encrypting Disk modified

    Petya Encrypting Disk – modified screen

    If you see this message, switch off your computer immediately as well!

    The first two were for already infected OS.

     

    We have read from researchers that to prevent malware from start, you can create a kill switch file that if the worm sees it will stop proceeding (like was with kill switch domain of WannaCry)

    Kill switch file: C:\Windows\perfc

     

    Also we have heard from infected administrators that computers with Windows 10 kb4019472 are resistant – not 100% confirmed yet!

    And now, something original from Grandmetric.. Because Petya or NotPetya uses PSEX and WMIC tools to spread and these tools uses TCP 445 and TCP 135 accordingly (Windows Domain environment) and additionaly infected hosts still scans the subnet, try to stop the scanning and:

    1. Step 1: if using firewall inside the network and not using SMB, block 445 and 135 TCp with the ACL or Firewall rule
    2. Step 2: if not using firewall try to drop 445 and 135 traffic with VLAN ACL:
    POD1_SW1(config)#access-list 100 deny tcp any any eq 135
POD1_SW1(config)#access-list 100 deny tcp any any eq 445
POD1_SW1(config)#access-list 101 permit ip any any
    

    POD1_SW1(config)#vlan access-map STOP_PETYA 5
POD1_SW1(config-access-map)# action drop
POD1_SW1(config-access-map)# match ip address 100
POD1_SW1(config)# vlan access-map STOP_PETYA 10
POD1_SW1(config-access-map)# action forward
POD1_SW1(config-access-map)# match ip address 101
    

    

    POD1_SW1(config)#vlan filter STOP_PETYA_FILTER vlan-list 20
    

     
    

    I hope this will have no effect in your example, but it is worth to mention before it’s to late!
    

    Stay connected, we will update this post as soon as we had more info!
    
          
    
                    
    

          
    

            
    Tags: 
    , , , , , , , , , , 
              
    
                      
    
              
    Author
    
              
    
                
    
                  
    
                
    

              
    
              
    
                
    
                  
    Marcin Bialy
    
                  
    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
    
                  
    
                    
    
                      
    
                        
                          
    
                            
    More Posts
    
                          
    
                            
                      
    
                    
    

                    
                    
                                          
    
                        
    
                          
                            
    
                              
    LinkedIn
    
                            
    
                              
                        
    
                      
    
                                      
    
                
    
              
    
            
    
          

          
             
    
     	
    
		
    Leave a Reply 
    Your email address will not be published. Required fields are marked *
    
        
    

    


     
    
        
    
								
    
                                
    
								
      
    
                                
                                
    	
    
	




        
    
        
    
                  
    
      
    
    
    
    
    
      
    

              
    
    
    
  
    

    







Grandmetric