Security News on Petwrap


On June 27, 2017, a new variant of Ransomware: Win32 / Petya was observed spreading in several countries. This is known as Petwrap / Petrwrap / Petya / NotPetya / Nyetya and the industry is debating if the ransomware is directly related to another known ransomware Petya.

The new variant added a worm-like capability that allows it to spread across affected networks. It was reported that the ransomware used phishing email to spread. It incorporated the attack method from the WannaCry ransomware targeting SMB v1.0 vulnerability. Once infected, the machine will spread via local network before it encrypts data on local machine.

HKCERT and Microsoft have published more details and recommend solutions to address this new variant of cyberthreat. The information links are provided below for easy reference. Companies should take action immediately to mitigate the risk.

The followings are actions recommended by HKCERT to address this threat:

  1. Apply latest Windows security update.
    Direct links for downloading patch for individual Windows versions are provided (exceptional Windows XP, Windows Server 2003 and Windows 8 patch also released):
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    (please scroll down to the bottom for details)

  2. Minimize the number of people with domain administrative privilege in your organization and use normal privilege accounts in daily operation.

  3. Ensure the personal firewall is on and blocks incoming SMB traffic (close TCP ports 139 and 445 technically).

  4. Ensure that anti-virus or Internet security application is installed, and have its signature updated.

  5. Perform offline backup (i.e. backup in another storage device, disconnect it after backup).

  6. Do not open links and attachment in any suspicious emails.

  7. Ensure that your computer have baseline protection, i.e. enable and run Windows Update, install anti-virus application with signature updated, enable Windows Firewall.

 

Useful links:

HKCERT Alert: Petwrap / NotPetya Ransomware Encrypts Victim Data
http://www.hkcert.org/my_url/en/alert/17062801

Microsoft Security Update about Win32/Petya
https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Petya

Microsoft Security Advices: Help prevent malware infection on your PC
https://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx

FireEye threat research blog about this attack wave:
https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html

 

If you will need more information or any help of our GTI Security Consultants, please contact us at inquiry@gti.com.hk or 2881 4800.