Menu

US Region

Grandmetric LLC
Brookfield Place Office
200 Vesey Street
New York, NY 10281
EIN: 98-1615498
Phone: +1 302 691 94 10

info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

Petya or NotPetya – External Blue MS17-010 hits again

Petya or NotPetya – External Blue MS17-010 hits again

Author:


28.06.2017

No matter the attack is original Petya worm or it’s modified version (already called NotPetya), the fact is that it hits biggest brands starting at Ukraine government, Chernobyl power station continuing with Raben, Maersk or St Gobain. So yes, it is disruptive. What we know so far and how we can try to prevent if we have not been hit yet?

  1. First signs is CHKDSK message
Petya Ransomware Encrypt

Petya Ransomware Encrypt using CHDSK

If you see this message, switch off your computer immediately! Don’t try to switch on again. Petya needs the restart to finish. Later you could attach your disk to external computer to retrieve your data.

You can also see such variant of this image:

Petya Encrypting Disk modified

Petya Encrypting Disk – modified screen

If you see this message, switch off your computer immediately as well!

The first two were for already infected OS.

 

We have read from researchers that to prevent malware from start, you can create a kill switch file that if the worm sees it will stop proceeding (like was with kill switch domain of WannaCry)

Kill switch file: C:\Windows\perfc

 

Also we have heard from infected administrators that computers with Windows 10 kb4019472 are resistant – not 100% confirmed yet!

And now, something original from Grandmetric.. Because Petya or NotPetya uses PSEX and WMIC tools to spread and these tools uses TCP 445 and TCP 135 accordingly (Windows Domain environment) and additionaly infected hosts still scans the subnet, try to stop the scanning and:

  1. Step 1: if using firewall inside the network and not using SMB, block 445 and 135 TCp with the ACL or Firewall rule
  2. Step 2: if not using firewall try to drop 445 and 135 traffic with VLAN ACL:
POD1_SW1(config)#access-list 100 deny tcp any any eq 135
POD1_SW1(config)#access-list 100 deny tcp any any eq 445
POD1_SW1(config)#access-list 101 permit ip any any

POD1_SW1(config)#vlan access-map STOP_PETYA 5
POD1_SW1(config-access-map)# action drop
POD1_SW1(config-access-map)# match ip address 100
POD1_SW1(config)# vlan access-map STOP_PETYA 10
POD1_SW1(config-access-map)# action forward
POD1_SW1(config-access-map)# match ip address 101

POD1_SW1(config)#vlan filter STOP_PETYA_FILTER vlan-list 20

 

I hope this will have no effect in your example, but it is worth to mention before it’s to late!

Stay connected, we will update this post as soon as we had more info!

Author

Marcin Bialy

Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter!


Grandmetric