Kaseya Community

Petya Ransomware Outbreak

  • Hi Oscan,

    Download the batch file from this link: download.bleepingcomputer.com/.../nopetyavac.bat

    Upload it under Manage Files in Kaseya, then import the XML given below as a procedure:

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
      <Procedure name="Vaccine for ransomware" treePres="3" id="1352279906" folderId="78142561546618186168117418" treeFullPath="myProcedures - pawan">
        <Body description="">
          <!-- Resolve the agent's temp directory into the #tmp# variable -->
          <Statement name="GetVariable" continueOnFail="false">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="AgentTempDirectory" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="tmp" />
          </Statement>
          <!-- Copy the uploaded managed file (VSASharedFiles\nopetyavac.bat) to the endpoint -->
          <Statement name="WriteFile" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Path" value="#tmp#\nopetyavac.bat" />
            <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\nopetyavac.bat" />
            <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
          </Statement>
          <Statement name="WriteScriptLogEntry" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Comment" value="Batch file downloaded on system" />
          </Statement>
          <!-- Run the batch file as SYSTEM; it creates the read-only perfc files the vaccine relies on -->
          <Statement name="ExecuteShellCommand" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Command" value="#tmp#\nopetyavac.bat" />
            <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
            <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
          </Statement>
          <Statement name="WriteScriptLogEntry" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Comment" value="Vaccine is installed on system" />
          </Statement>
        </Body>
      </Procedure>
    </ScriptExport>

  • Here's a copy of my updated procedure.  Works like a charm!

    www.dropbox.com/.../Procedure%20Petya%20Vaccine%20%28MS17-010%29.xml

  • This is a piece of information that is appreciated. Can I ask about a helpdesk article that was created during the WannaCry issue? The following link:

    helpdesk.kaseya.com/.../115007466387-Identifying-and-Reporting-on-Machines-That-Do-Not-Have-Patches-Related-To-WannaCry-SMB-Vulnerability

    ...discusses how to run an Agent Procedure to determine if an agent is safe or not. That goes for WannaCry and now also for (Not)Petya, which uses the same vulnerability. But the Agent Procedure uses Windows version information that must have changed after the June patches, if I'm not mistaken. We did put together our own version, but it's difficult to do a really correct check, and results between the two Agent Procedures are different. So, I am looking for an update on the first Agent Procedure or a smart way to determine if any given system is sufficiently patched to withstand WannaCry or (Not)Petya issues...

  • Hi Eric,

    I was revising the Agent Procedure that was posted in the KB article and this is how the script works:

    The script sets an "Expected System Version" for each OS, which is the oldest, secure system update to be considered as safe from WannaCry. It then gets the "Current System Version" and compares the two.

    If the current system version is lower than the expected one, it is considered vulnerable; if it is equal or greater, it is considered safe.

    Therefore, the script does not really need an update, as the way it was written makes it 100% compatible with Petya: they both use the same vulnerability, fixed in the same Windows Update rollup of March 2017.

    We used this article https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed from Microsoft and modified their script in order to provide this Agent Procedure.
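One way to implement the comparison described in the post above, as an added example that is neither the KB article's script nor the poster's Agent Procedure: it keys the minimum safe version by OS build and compares with [version] so each dotted part is compared numerically, which is where a hand-rolled string comparison quietly goes wrong. It assumes the version in question is the file version of srv.sys (the SMB server driver that MS17-010 updates) and uses placeholder minimums that must be replaced with the values from the Microsoft article linked above.

```powershell
# Added example (not the KB article's script or the poster's Agent Procedure).
# Assumptions: the "system version" compared is the file version of srv.sys,
# and the per-build minimum versions below are PLACEHOLDERS; substitute the
# values from Microsoft KB 4023262 before using this for reporting.
$MinimumSafeVersion = @{
    '6.1.7601'   = '6.1.7601.99999'    # placeholder: Windows 7 SP1 / Server 2008 R2
    '6.3.9600'   = '6.3.9600.99999'    # placeholder: Windows 8.1 / Server 2012 R2
    '10.0.14393' = '10.0.14393.99999'  # placeholder: Windows 10 1607 / Server 2016
}

function Get-Ms17010Status {
    param(
        [Parameter(Mandatory)] [string]    $CurrentVersion,   # e.g. '6.1.7601.23689'
        [Parameter(Mandatory)] [hashtable] $MinimumByBuild
    )
    # Cast to [version] so Major.Minor.Build.Revision are compared as numbers.
    # Plain string comparison is the classic bug in this kind of check: as
    # strings, '6.1.7601.9999' sorts above '6.1.7601.23689' because '9' > '2',
    # so an unpatched machine would be reported as safe.
    $current = [version] $CurrentVersion
    $build   = '{0}.{1}.{2}' -f $current.Major, $current.Minor, $current.Build
    if (-not $MinimumByBuild.ContainsKey($build)) {
        # Fail closed for reporting: an OS build with no baseline is not "safe".
        return 'Unknown'
    }
    # Equal or greater than the expected version is safe, lower is vulnerable.
    if ($current -ge [version] $MinimumByBuild[$build]) { 'Safe' } else { 'Vulnerable' }
}

# Constructed inputs (not live data) exercising the lower / equal / unknown cases.
Get-Ms17010Status -CurrentVersion '6.1.7601.9999'  -MinimumByBuild $MinimumSafeVersion
Get-Ms17010Status -CurrentVersion '6.1.7601.99999' -MinimumByBuild $MinimumSafeVersion
Get-Ms17010Status -CurrentVersion '10.0.10240.1'   -MinimumByBuild $MinimumSafeVersion

# On a managed machine, read the live srv.sys file version instead:
$info = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo
$live = '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
Get-Ms17010Status -CurrentVersion $live -MinimumByBuild $MinimumSafeVersion
```

Differences between two procedures that "should" agree, like the ones reported later in this thread, are worth checking against this string-versus-numeric distinction and against which file each procedure actually reads.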

  • Thanks for clarifying this, I gathered as much, but wasn't sure about it.

    After the WannaCry outbreak we patched all our managed machines, but doing another check after the (not)Petya attack we found new machines deemed vulnerable and that was unexpected.

    We're investigating, and if there's reason to doubt this procedure I'll update this thread.