The NHS is only beginning to recover from WannaCry, and now one of the world's biggest cyber-attacks disabled computer systems across Ukraine, Russia, Britain and the US yesterday, freezing government departments, disrupting oil and shipping companies and forcing radiation checks at the Chernobyl power plant onto manual monitoring.
The attack came just hours after Sir Michael Fallon, the defence secretary, said that Britain was ready to use airstrikes or troops in the event of a hack that threatened the country. "The price of an online attack could invite a response from any domain - air, land, sea or cyberspace", he told a security conference.
Because of the widespread and severe nature of this attack, this post is a public service announcement from 2 Circles.
What We Know:
"Petya" ransomware is a major attack targeting Microsoft Windows systems and is affecting large and small companies and systems alike, many of them critically, on a global scale.
This new ransomware variant (later widely referred to as NotPetya, to distinguish it from the 2016 Petya) is spreading rapidly across the globe at the time of writing. There is not much in the way of consensus yet in the security research community, so the following information is provisional:
"Petya" was initially reported to be exploiting a vulnerability in Microsoft Office's handling of RTF documents (CVE-2017-0199). That attribution was not confirmed; later analysis traced the initial infections to a compromised software-update channel rather than to malicious documents. What is confirmed is that once inside a network it spreads using the SMBv1 (Microsoft file-sharing protocol) vulnerability dubbed EternalBlue, described in Microsoft security bulletin MS17-010, and also by harvesting credentials from memory and running itself on other hosts with PsExec and WMIC. That second route works against fully patched machines if the stolen account has administrative rights on them.
The ransomware has affected a large number of individuals, companies, organisations and government entities on a global scale.
Behavioural analysis has been provided in the YouTube video below.
What To Do:
If you have not already done so, install the MS17-010 patch from Microsoft immediately. Be aware that this closes only the SMBv1 route: because the malware also moves laterally with stolen administrator credentials, patching is necessary but not sufficient on its own.
If you currently run an unpatched Windows system, you may not have time to patch it before you are infected. Consider shutting the machine down, if feasible, and leaving it off the network until there is consensus in the security research community on what this exploits and how to protect against it.
If you are technically able to, we recommend blocking inbound access to TCP port 445 on your Windows workstations, and disabling SMBv1 where nothing still depends on it. Security professionals may also want to monitor traffic to that port: a workstation opening SMB connections to other workstations is a strong indicator that the worm is spreading.
Keep an eye on the Microsoft Security Response Center where they will hopefully release formal guidance soon.
Update your anti-virus definitions and run a scan on your system.
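The steps above, applied to a single host, as an added PowerShell example (this is not a 2 Circles script and not part of the original post). It assumes an elevated PowerShell session on Windows 10 or Server 2016 or later (the SMB and firewall cmdlets need at least Windows 8.1/Server 2012 R2, and the OwningProcess field needs Windows 10/Server 2016); the firewall rule name is hypothetical, and the KB list is a subset taken from the MS17-010 bulletin that you should verify against your own OS versions.

```powershell
# Added example (not 2 Circles' own script): triage one Windows host for the
# MS17-010 / SMBv1 exposure and the TCP/445 blocking recommended above.
# Assumes an elevated session; nothing is changed unless -Remediate is given.
param([switch]$Remediate)

# 1. Is MS17-010 installed? KB numbers taken from the MS17-010 bulletin (one
#    security-only and one rollup per OS family; not exhaustive). A later
#    cumulative update may have superseded them, so an empty result means
#    "check update history / WSUS", not "definitely unpatched".
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010Kbs }
if ($installed) {
    "MS17-010: installed ($($installed.HotFixID -join ', '))"
} else {
    "MS17-010: no matching KB found - verify via update history before assuming patched"
}

# 2. Is the SMBv1 server component still enabled on this host?
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled: $($smb.EnableSMB1Protocol)"
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMBv1 server disabled"
}

# 3. Block inbound TCP/445 on workstations. Do NOT apply this to file servers
#    or domain controllers without first checking what depends on SMB there.
$ruleName = 'Block inbound SMB (TCP 445) - Petya response'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        "Firewall rule added: $ruleName"
    } else {
        "Inbound TCP/445 is NOT blocked by '$ruleName' (re-run with -Remediate to add it)"
    }
} else {
    "Inbound TCP/445 already blocked by '$ruleName'"
}

# 4. Monitoring: a workstation holding outbound SMB sessions to other hosts is
#    behaving like the worm. List established outbound 445 connections with the
#    owning process so each one can be explained or investigated.
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            OwningProcess = $_.OwningProcess
            ProcessName   = $proc.ProcessName
        }
    } | Format-Table -AutoSize
```

Run it once without -Remediate to see the host's state, and again with -Remediate to disable SMBv1 and add the blocking rule. Step 4 is the part worth scheduling: on a workstation, anything other than the expected file-server and domain-controller addresses in that list deserves a look.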
We at 2 Circles use Cylance and are protected by it; we find it a remarkable AV product and would be happy to talk to anyone about it. We can also put you in contact with some very clever security people who can offer advice for free!
03456 200 200 is our number if you would like to speak with someone.
You can find out which anti-virus products are detecting the current variant of Petya on this VirusTotal page.
The link is for the files involved in the infection. The page shows which AV vendors are currently detecting each file. NB: the green check marks at the bottom of the list mean the file is NOT detected by that AV vendor (it's counter-intuitive). Please note that, at the time of writing, Windows Defender is not detecting this ransomware.
Cylance Prevents Petya-Like Ransomware (excerpt from the Cylance blog, linked below)
Overview
A new ransomware outbreak has been rapidly propagating across computer networks globally, starting earlier in the afternoon (UTC) today on June 27. Before explaining the details of this latest outbreak, rest assured that CylancePROTECT® customers are fully protected from this threat, and have been since October 14, 2015 with our 1310 model release. The new Petya-like attack demonstrates the benefit of our temporal predictive advantage, which enables CylancePROTECT to block this new ransomware threat without an update. Watch Cylance protect against this new Petya-like ransomware here:
https://www.cylance.com/en_us/blog/cylance-prevents-petya-like-ransomware.html