Posted by: kurtsh | June 28, 2017

INFO: Microsoft’s Advisory/Guidance re: Petya Ransomware

UPDATE 6/29/17:
Guidance from support below updated with more recent content.


The recent outbreak known commonly as the Petya Ransomware has been addressed by Microsoft in several areas.

The Microsoft Malware Protection Center (MMPC) wrote a really exhaustive article on the new Petya Ransomware on their blog.

The post covers:

  • Delivery and installation
  • Multiple lateral movement techniques
        • Lateral movement using credential theft and impersonation
        • Lateral movement using EternalBlue and EternalRomance
  • Encryption
  • Detection and investigation with Windows Defender Advanced Threat Protection
  • Protection against this new ransomware attack
  • Resources
  • Indicators of Compromise

If you’re interested in background on the malware, this is a really good post to read:

    The Microsoft Security Response Center has written a post to address Petya, based on their own investigation.

    The MSRC talks about its origins, initial targets, what previous security patch addresses the vulnerability it leverages, and general guidance around the malware – including protection technologies to leverage in the future.

      The following was disseminated to our customers with Premier Support contracts.

      Microsoft’s antivirus software detects and protects against this ransomware. Our initial analysis found that the ransomware uses multiple techniques to spread, including ones which were addressed by a security update (MS17-010) previously provided for all platforms from Windows XP to Windows 10. We are continuing to investigate, and our support teams are fully mobilized and engaged globally to help any impacted customers.

      Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/Petya. Ensure you have a definition version equal to or later than:

      • Threat definition version:
      • Version created on: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)
      • Last Update: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)

      In addition, the free Microsoft Safety Scanner is designed to detect this threat as well as many others. If you use a solution from an antivirus provider other than Microsoft, please check with that company.

      New guidance from the MMPC Blog
      On Tuesday June 27, 2017, the Microsoft Malware Protection Center (MMPC) released a detailed analysis of the Petya Ransomware attack in a new blog post:

      This MMPC blog provides the most cogent and detailed analysis available on how the malware works and guidance for network administrators and security professionals concerning how to mitigate against specific attack methods.

      New guidance from the MSRC Blog
      On Wednesday June 28, 2017, the Microsoft Security Response Center (MSRC) released a new blog post to provide additional insights and guidance customers can use to improve protections in the enterprise:

      Recommendations from the MSRC blog include:

      • If for some reason you cannot apply the update, a possible workaround to reduce the attack surface is to disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547.
      • Consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks.
      • For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running.
      • Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

      New guidance from the Azure Security Center Blog
      On Wednesday June 28, 2017, the Microsoft Azure Security Center released a new blog discussing measures that Azure customers can take to prevent and detect Petya malware through Azure Security Center:

      In addition to the recommendations we included in our previous alert on Tuesday, we strongly recommend reviewing the information provided in these blogs for specific steps you can take to mitigate against Petya Ransomware.

      Additional Resources

      Regarding Information Consistency
      We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.
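As an added example (not part of the original post or of Microsoft’s mail above), here is a PowerShell script that audits whether the SMBv1 server protocol is enabled and, on request, applies the KB 2696547 workaround recommended in the MSRC guidance. It assumes an elevated prompt, uses the SMB cmdlets where they exist (Windows 8.1 / Server 2012 R2 and later) and falls back to the LanmanServer registry value on older systems; the `-Apply` switch is an assumed name chosen for this example.

```powershell
# Added example: audit the SMBv1 server protocol and optionally disable it (KB 2696547 workaround).
# Run from an elevated PowerShell prompt. Without -Apply (an assumed switch) the script only reports.
param([switch]$Apply)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8.1 / Server 2012 R2 and later expose the SMB server configuration cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: SMB1 stays enabled unless the registry value exists and is 0.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method from KB 2696547; a reboot is required for it to take effect.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On Windows 10 the SMB1 components can additionally be removed as an optional feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$enabled = Get-Smb1State
Write-Host ("SMBv1 server protocol enabled: {0}" -f $enabled)
if ($enabled -and $Apply) {
    Disable-Smb1
    Write-Host ("SMBv1 server protocol enabled after change: {0}" -f (Get-Smb1State))
} elseif ($enabled) {
    Write-Host "Re-run with -Apply to disable SMBv1 (older systems need a reboot afterwards)."
}
```

Disabling SMBv1 breaks access from legacy clients and devices that only speak SMBv1, so audit file-server dependencies before applying it fleet-wide; it is a workaround, not a substitute for installing MS17-010.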
