Following the recent WannaCry/WannaCrypt ransomware attack, a new “.next” variant leveraging Petya ransomware emerged globally on Tuesday, June 27, 2017, starting in Ukraine and spreading to millions of potentially affected people around the world.
Machines that are up-to-date with Microsoft patching have a low probability of exposure. Unfortunately, this attack includes the ability to leverage one vulnerable machine on a network and propagate to other machines that are actually current. Kaseya recommends a multi-level approach to minimize and contain the threat.
Immediately run a full Discovery to ensure any unmanaged machines are found (e.g. a client has recently been added to the network and agents need to be distributed).
Bring all machines current with Microsoft patching. The following script includes Microsoft updates through June and is available on Kaseya Automation Exchange.
Disable the protocol that enables propagation to patched machines. Kaseya has created the following to aid in terminating the protocol. It is available on Kaseya Automation Exchange https://automationexchange.kaseya.com/products/401
Confirm Discovery is set to scan regularly. Kaseya best practice is once per week to once per month, depending on network size. If any assistance is needed, please log a support ticket at helpdesk.kaseya.com.
Kaseya is working together with the top cyber security experts to contribute to the solution and defend against its spread to help protect our customers. Several of our security partners are reporting containment. Kaseya works with a variety of respected AV/AM providers and recommends that customers work with our trusted products and alliance partners.
This situation is ongoing; we continue to monitor it as it evolves. Please follow this thread for updates.
Good evening Tracy,
Unfortunately your advice won't work: the malware does not rely on SMBv1 to spread, it executes using PsExec.
I'm just in the process of researching and building a procedure myself.
Thanks Paul! You make a correct point regarding the spread. We would love your script when you have it and we'll help get it on automation exchange for the community.
SMBv1 is the source of the infection. Microsoft is also recommending to disable, so it doesn't hurt to also do this.
We encourage all the Kaseya community to share. We will be making posts here as well.
I guess the more correct way to say things is that once it's infected one machine in your network it spreads using more than just SMBv1. However, if you take action on all of the machines on your network before it's infected, then disabling SMBv1 can help prevent it from spreading *to* your network. As with anything in the network security realm, nothing is 100% effective short of unplugging the machines from the network and power.
You might wanna read this: www.bleepingcomputer.com/.../vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak
Our latest Upstream Kaseya Power Pack has this in the Agent Procedures section. Look for "Security - Windows - Enable Petya Vaccine".
Here you go guys, just applied it on all PCs: www.bleepingcomputer.com/.../vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak
A lot of great stuff! There is a great reddit thread on the topic which is being updated:
There is also a vaccine which I believe Ronny Johnsen has referred to above as well.
The article of reference for the Vaccine is here:
I downloaded the scripts from Kaseya Automation Exchange, which have been testing great so far. I added my own little touch to them and created a report to supplement the script.
Kaseya Automation Exchange Scripts (with slight modifications):
Downloaded via dropbox.
Vaccine Script (Noticing different behaviors depending on OS):
No worries, there was some misinformation doing the rounds last night.
I would have followed up with the procedure, but the thread was moderated. I can now see others have now posted the solution; I suspect Ronny/Upstream's procedure is very similar to the one below.
What is ransomware?
Ransomware is a type of malware that blocks access to a computer or its data and demands money to release it. Many organizations in Europe and the US have been crippled by a ransomware attack known as “Petya”. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.
How does the “Petya” ransomware work?
The ransomware takes over computers and demands $300, paid in Bitcoin. The malicious software spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and if it doesn’t work, it tries the next one. “It has a better mechanism for spreading itself than WannaCry,” said Ryan Kalember, of cybersecurity company Proofpoint.
Is there any protection?
Most major antivirus companies, like Comodo, now claim that their software has been updated to actively detect and protect against “Petya” infections. Install the best endpoint security suite that is feature-full with next-gen techniques and solutions, accommodating robust antivirus software, a firewall and endpoint security solutions.
One note: I found that to get Oscar Romero's procedure to work I had to add " -Type File" to the end of the PowerShell command.
When you said "Bring all machines current with Microsoft patching. The following script includes Microsoft updates through June and is available on Kaseya Automation Exchange"... where is this exactly? I'm not finding it on KAE.
Thank you for your response. I am assuming this is in regards to the vaccine script? If so, could you share the latest edit?
It seems like a good time to note that disabling SMB1 will kill a LOT of scanners' scan-to-folder functionality. Have a plan in place for this. Many scanners require either firmware updates or manual configuration via telnet in order to enable SMB2, if it's even available on that model (so many MFP scanners seem to be immortal).
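The "disable the protocol" step in Kaseya's advisory above and the scan-to-folder warning in this post can be handled in one script. What follows is an added example, not the Kaseya Automation Exchange procedure or anything posted by the participants in this thread. It reports the current SMBv1 server state, can turn on SMB1 access auditing so that legacy clients (MFP scanners, old NAS boxes) show up in the event log before the protocol is removed, and then disables SMBv1 on both the server and client side. Assumptions: it runs elevated; on Windows 8.1 / Server 2012 R2 and later the SMB cmdlets exist, while on Windows 7 / Server 2008 R2 it falls back to the registry and service-dependency method from Microsoft's KB2696547; the `AuditSmb1Access` setting and audit event 3000 are only available on Windows 10 / Server 2016 and later; and the `Client Address:` regex used to pull the client out of the audit event text is my assumption about the event's wording, so unparsed messages are returned whole. The `-AuditOnly` and `-Apply` switches are names I chose for this example.

```powershell
# Added example: SMBv1 audit / disable script. Not from the Kaseya advisory or
# any procedure posted in the thread. Run elevated. Default is a dry run.
param(
    [switch]$AuditOnly,   # enable SMB1 access auditing and list clients seen, change nothing else
    [switch]$Apply        # actually disable SMBv1 (server + client); needs a reboot to complete
)

$ErrorActionPreference = 'Stop'
$lanmanServer    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$haveSmbCmdlets  = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Test-Smb1ServerEnabled {
    # Windows 8.1 / 2012 R2+: ask the SMB server directly.
    if ($haveSmbCmdlets) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2 (KB2696547): the SMB1 registry value is absent by
    # default, and absent means enabled.
    $v = (Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-Smb1ClientAddresses {
    # Reads SMB1 access audit events (ID 3000) written once AuditSmb1Access is on.
    # ASSUMPTION: the event text carries a 'Client Address:' line; anything that
    # does not match is returned as the whole message so nothing is silently lost.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' `
                           -FilterXPath '*[System[EventID=3000]]' -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
    } | Sort-Object -Unique
}

function Disable-Smb1 {
    if ($haveSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # KB2696547 registry method for Windows 7 / Server 2008 R2.
        Set-ItemProperty -Path $lanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side (mrxsmb10): drop it from the workstation service dependencies
    # and keep it from starting. Same commands on every supported version.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$state = if (Test-Smb1ServerEnabled) { 'ENABLED' } else { 'disabled' }
Write-Host "SMBv1 server is currently $state on $env:COMPUTERNAME"

if ($AuditOnly) {
    if (-not $haveSmbCmdlets) { throw 'SMB1 access auditing needs Windows 10 / Server 2016 or later.' }
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host 'SMB1 access auditing is on. Clients that have used SMBv1 so far:'
    Get-Smb1ClientAddresses | ForEach-Object { Write-Host "  $_" }
    return
}

if (-not $Apply) {
    Write-Host 'Dry run only. Re-run with -Apply to disable SMBv1, or -AuditOnly to find legacy clients first.'
    return
}

Disable-Smb1
Write-Host 'SMBv1 disabled on server and client; reboot to complete.'
```

Run it with `-AuditOnly` on the file servers first, leave auditing on for a few days, and feed the addresses it prints into the scanner fix-up plan; only then push `-Apply` as an agent procedure. The client-side `sc.exe` lines are what stops the machine from *talking* SMBv1 to other hosts, which is the half people forget when they only flip the server setting.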
Ronny Tunfjord, I have downloaded the Powerpack and found your procedure for the vaccine. How does this vaccine work to prevent infection?
The malware code tests for the existence of a particular file; if the file exists, the program exits prior to running the encryption. It's likely the original malware author put this in for testing on his own machines.
The "vaccine" basically creates this same file.
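For anyone who wants to see what the vaccine procedure amounts to in code, here is an added example of my own; it is not the Upstream Power Pack procedure, Oscar Romero's script, or any other procedure posted in this thread. It does exactly what the reply above describes: creates the file the malware checks for and marks it read-only, then verifies the result and sets an exit code an agent procedure can key off. The file name `perfc` (with `perfc.dat` and `perfc.dll` added for good measure) is taken from the BleepingComputer vaccine write-up linked earlier in the thread, not from this page. It assumes it runs elevated (writing to `C:\Windows` needs that) and that `$env:SystemRoot` points at the Windows directory. The `-ItemType File` argument is the long form of the `-Type File` fix mentioned above: on older PowerShell versions `New-Item` without an item type prompts interactively for one, which hangs an unattended procedure.

```powershell
# Added example: Petya/NotPetya "vaccine" file. Not from any procedure posted
# in the thread. Run elevated. Exit code 0 = vaccine present and read-only.
$ErrorActionPreference = 'Stop'

# ASSUMPTION: file names from the BleepingComputer write-up linked in the thread.
$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')
$windowsDir   = $env:SystemRoot   # normally C:\Windows

function Set-PetyaVaccine {
    param([string]$Dir = $windowsDir, [string[]]$Names = $vaccineNames)
    foreach ($name in $Names) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # -ItemType File (alias -Type) avoids the interactive "Type:" prompt
            # older PowerShell raises when no item type is given.
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Read-only so a casual overwrite or delete fails. Idempotent (-bor).
        $item = Get-Item -LiteralPath $path -Force
        $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    }
}

function Test-PetyaVaccine {
    # $true only when every vaccine file exists and carries the ReadOnly bit.
    param([string]$Dir = $windowsDir, [string[]]$Names = $vaccineNames)
    foreach ($name in $Names) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        if (-not ($attrs -band [System.IO.FileAttributes]::ReadOnly)) { return $false }
    }
    return $true
}

Set-PetyaVaccine
if (Test-PetyaVaccine) {
    Write-Host "Vaccine files present and read-only in $windowsDir"
    exit 0
} else {
    Write-Host "Vaccine NOT fully applied in $windowsDir"
    exit 1
}
```

The exit code is the useful part for Kaseya: run `Test-PetyaVaccine` on its own as the check step of a procedure and only call `Set-PetyaVaccine` when it returns `$false`. Keep in mind what this does and does not buy you: it leans entirely on the malware's own early-exit check, so it is not a substitute for the MS17-010 patch, and the read-only bit only stops accidental removal, not an administrator who decides to delete the files.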