Kurt Shintaku's Blog

UPDATE 6/29/17:
Guidance from support below updated with more recent content.

—-

ORIGINAL POST 6/28/17:
The recent outbreak known commonly as the Petya Ransomware, has been addressed by Microsoft in several areas.

MICROSOFT MALWARE PROTECTION CENTER: PETYA RANSOMWARE ANALYSIS
The Microsoft Malware Protection Center (MMPC) wrote a really exhaustive article on the new Petya Ransomware on their blog.

The post covers:

• Delivery and installation
• Multiple lateral movement techniques
• Lateral movement using credential theft and impersonation
• Lateral movement using EternalBlue and EternalRomance
• Encryption
• Detection and investigation with Windows Defender Advanced Threat Protection
• Protection against this new ransomware attack
• Resources
• Indicators of Compromise

If you’re interested in background on the malware, this is really good post to read:

• BLOG: New ransomware, old techniques: Petya adds worm capabilities
  https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

MICROSOFT SECURITY RESPONSE CENTER: UPDATE ON PETYA MALWARE
The Microsoft Security Response Center has written a post to address Petya, based on their own investigation.

The MSRC talks about it’s origins, initial targets, what previous security patch addresses the vulnerability it leverages, and general guidance around the malware – including protection technologies to leverage in the future.

• BLOG: Update on Petya malware attacks
  https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/

ENTERPRISE CUSTOMER GUIDANCE
The following was disseminated to our customers with Premier Support contracts.

Background
Microsoft’s antivirus software detects and protects against this ransomware. Our initial analysis found that the ransomware uses multiple techniques to spread, including ones which were addressed by a security update (MS17-010) previously provided for all platforms from Windows XP to Windows 10. We are continuing to investigate, and our support teams are fully mobilized and engaged globally to help any impacted customers.

Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/Petya. Ensure you have a definition version equal to or later than:

• Threat definition version: 1.247.197.0
• Version created on: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)
• Last Update: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)

In addition, the free Microsoft Safety Scanner http://www.microsoft.com/security/scanner/ is designed to detect this threat as well as many others. If you use a solution from an antivirus provider other than Microsoft, please check with that company.

New guidance from the MMPC Blog
On Tuesday June 27, 2017, the Microsoft Malware Protection Center (MMPC) released a detailed analysis of the Petya Ransomware attack in a new blog post:

• Microsoft Malware Protection Center Blog:
  ​New ransomware, old techniques: Petya adds worm capabilities

This MMPC blog provides the most cogent and detailed analysis available on how the malware works and guidance for network administrators and security professionals concerning how to mitigate against specific attack methods.

New guidance from the MSRC Blog
On Wednesday June 28, 2017, the Microsoft Security Response Center (MSRC) released a new blog post to provide additional insights and guidance customers can use to improve protections in the enterprise:

• Microsoft Security Response Center Blog:
  ​Update on Petya Malware Attacks

Recommendations from the MSRC blog include:

• If for some reason you cannot apply the update, a possible workaround to reduce the attack surface is to disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547.
• Consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks.
• For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running.
• Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

New guidance from the Azure Security Center Blog
On Wednesday June 28, 2017, the Microsoft Azure Security Center released a new blog discussing ​measures that Azure customers can take to prevent and detect Petya malware through Azure Security Center:

• Azure Security Center​ Blog:​ 
  Petya ransomware prevention & detection in Azure Security Center​​

Recommendations
In addition to the recommendations we included in our previous alert on Tuesday, we strongly recommend reviewing the information provided in these blogs for specific steps you can take to mitigate against Petya Ransomware.

Additional Resources

• Microsoft Security Bulletin: MS17-010 – Security Update for Microsoft Windows SMB Server (4013389)
• KB2696547 – How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Whitepaper: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, v1 and v2
• Windows Defender Advanced Threat Protection
• Windows IT Center: Device Guard Deployment Guide for Windows 10 and Windows Server 2016
• The Microsoft Security Tech Center: https://technet.microsoft.com/en-us/security/default
• The Microsoft Security Update Guide: http://aka.ms/securityupdateguide

Regarding Information Consistency
We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative