06-27-2017, 05:10 PM | #1 |
Brigadier General
3526
Rep 3,722
Posts |
Petya & NotPetya Ransomware %$&#!!
Anyone else an IT professional? If you're looking for info on this here's some that might help...
Theres another ransomware virus going around started in Holland and Ukraine this morning and has jumped to the US since, already reports in local businesses including a large hospital in PA. Its primarily spreading by sending emails with either a Word doc or a .scr executable file using notepad and then trying to auto-run macros online. These are some precautions that can be taken to help prevent the attack: Block ADMIN$ via GPO to stop lateral movement on WMI and PSEXEC There are a few killswitches being tested but non confirmed 100%: Create files with no extension in %windir% named perfc and perfdec That MAY halt the virus, but remains unconfirmed. MS Patch that resolves the attack vector (as listed CVE-2017-0199): https://support.microsoft.com/en-us/...-april-11-2017 More details on CVE-2017-0199: https://www.fireeye.com/blog/threat-...a-handler.html Other measures: Adjust spam filter to block the following extensions o Scr o Js o Vbs o Exe Block .zip if possible Ensure AV is up-to-date and running Github link with lots of good info: https://gist.github.com/vulnersCom/6...4c176baba45759 Godspeed to anyone not on top of this. Edit: Cisco you bunch of cheeky fuckers you (see attached lol)
__________________
"Tobias" 2013 135i ///M-Sport 6MT Pure Stage 1 XDI 35 HPFP 404whp/440wtq Last edited by Matticus91; 06-27-2017 at 05:15 PM.. |
06-27-2017, 05:11 PM | #2 |
Brigadier General
3526
Rep 3,722
Posts |
Also https://ransomfree.cybereason.com/ may or may not help here, no confirmations yet but can't hurt
__________________
"Tobias" 2013 135i ///M-Sport 6MT Pure Stage 1 XDI 35 HPFP 404whp/440wtq |
Appreciate
0
|
06-27-2017, 05:44 PM | #3 |
Long Time Admirer, First Time Owner
18454
Rep 9,428
Posts |
I made an appt for PA to review my firewall with me, but not until next week. Backups are running well at this point. AV is up to date on all devices. Printing out that list of machines that have more than 10 updates left from WSUS and making personal visits.
|
Appreciate
1
Matticus913525.50 |
06-27-2017, 07:48 PM | #4 |
Primo Generalissimo
5037
Rep 4,187
Posts
Drives: All of them
Join Date: Jun 2009
Location: DC area
iTrader: (0)
Garage List 2024 Ford Bronco Ra ... [10.00]
2018 Porsche 911 GTS [10.00] 2023 BMW M2 [9.25] 2022 Ford F-250 Tremor [8.50] |
The vulnerability associated with this has already been patched. Just keep your $h1t updated an you'll be fine. Report after report including my own internal stats illustrate that 90-95% of these hacks can be prevented with already existing tools. Good passwords, AV and updated software take care of almost everything. It can be more complicated than that in an enterprise, but at home, not so much.
|
Appreciate
1
Matticus913525.50 |
06-27-2017, 08:40 PM | #5 |
Brigadier General
5519
Rep 3,325
Posts |
If you're dealing with enterprise level systems, getting a heuristic based security solution is key here. Using signature based security solutions will not provide the necessary protections. For end point/client protection, I've been recommending Cylance. Here's a blog they put out about Petya:
https://www.cylance.com/en_us/blog/c...ampaign=buffer |
Appreciate
1
Matticus913525.50 |
06-28-2017, 09:59 AM | #6 | |
Brigadier General
3526
Rep 3,722
Posts |
Quote:
__________________
"Tobias" 2013 135i ///M-Sport 6MT Pure Stage 1 XDI 35 HPFP 404whp/440wtq |
|
Appreciate
0
|
06-28-2017, 10:29 AM | #7 |
Long Time Admirer, First Time Owner
18454
Rep 9,428
Posts |
I'm still waiting on a quote for TRAPS, to leverage my WildFire from PA. I'm still a bit worried about putting all my eggs into one basket though.
End users are so difficult to persuade to do their updates. <whining> "But, it takes time" </whining> Not half as long as if you infect your computer, the network, and I have to rebuild both. |
Appreciate
0
|
06-28-2017, 11:40 AM | #10 | ||
Brigadier General
3526
Rep 3,722
Posts |
Quote:
We switched from MXlogic to MC this year when MX was ending, great system. Quote:
Your best bet if you DO get infected is to turn your shit off, pull out your hard drive, try to recover your files using a machine you don't care about, scrub that shit, and hope for the best. Otherwise, just make a backup ahead of time and wipe/restore.
__________________
"Tobias" 2013 135i ///M-Sport 6MT Pure Stage 1 XDI 35 HPFP 404whp/440wtq |
||
Appreciate
0
|
06-28-2017, 11:42 AM | #11 |
Major
779
Rep 1,434
Posts
Drives: 335is
Join Date: Apr 2017
Location: MI
|
We are getting updates about this and Wannacry daily. We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.
__________________
2011 335is DCT BQ Tuning / BMS CAI / VRSF kittyless DP's / Synapse BOV and charge pipe / 7" VRSF Race FMIC / Walbro 535 and 450 on BMP4 / E90 tune / Diff Brace / PR Coils / Relocation Inlets / DAW Stage3+ Turbos / MMP port injection / xHP Stage 3 / FPR and -6 fuel lines
|
Appreciate
0
|
06-28-2017, 11:44 AM | #12 |
Brigadier General
3526
Rep 3,722
Posts |
Fingers crossed for you mate, 110k employees is a scary number haha. If everyone is patched up and you've done your proper prep work you should be ok. At the very least doing some GPO blocking with admin$ would prevent any lateral movement and keep things isolated.
__________________
"Tobias" 2013 135i ///M-Sport 6MT Pure Stage 1 XDI 35 HPFP 404whp/440wtq |
Appreciate
0
|
06-28-2017, 11:55 AM | #13 | |
ahat
1070
Rep 2,592
Posts |
Good effort -
Not anymore - retired after 33yrs.. G/L It wont get any better... Quote:
I used to be an ISO for 6K users that were both geographically dispersed and had no central policy mgmt.. See above about retired ;-)
__________________
'13 335IS N54 (1 of 373 LeMans Blue out of 3597 total production e92)- Grey interior (1 of 24 in LMB with any trans- 1 of 14 with DCT)-MODS -MFactory LSD/MHD-BQ custom Tune/ATM-IC/AFE Momentum GT Intake/Konis/Mfront&HeimJoint Rear rods&arms/Brembos. https://photos.app.goo.gl/Lo6aHZRo7XqtPkhL8 |
|
Appreciate
0
|
06-28-2017, 11:56 AM | #14 | |
Major
779
Rep 1,434
Posts
Drives: 335is
Join Date: Apr 2017
Location: MI
|
Quote:
We have done a lot to prevent this but you never know what is going to get through. I like the Cisco add when searching for Petya,
__________________
2011 335is DCT BQ Tuning / BMS CAI / VRSF kittyless DP's / Synapse BOV and charge pipe / 7" VRSF Race FMIC / Walbro 535 and 450 on BMP4 / E90 tune / Diff Brace / PR Coils / Relocation Inlets / DAW Stage3+ Turbos / MMP port injection / xHP Stage 3 / FPR and -6 fuel lines
|
|
Appreciate
0
|
06-28-2017, 12:38 PM | #15 |
Long Time Admirer, First Time Owner
18454
Rep 9,428
Posts |
So, the last major infection that ran thru the network shares; 1 GUESS who thought his computer sandboxing would make it safe to open that attachment he KNEW was viral, just out of PROFESSIONAL curiosity.
I was supposed to cruise down the coast to Neptune's Net for a retirement party for an old friend. Didn't make it . . . |
Appreciate
0
|
06-28-2017, 01:02 PM | #16 |
Captain
426
Rep 887
Posts |
|
Appreciate
0
|
06-28-2017, 02:01 PM | #17 |
Second Lieutenant
97
Rep 201
Posts |
since there's a bunch of IT people in this thread I'll throw it out there that I'm looking to move somewhere warmer all year (Texas, NC, Florida, etc)
I have 20 years experience and I'm looking for something at a senior level systems admin or IT management. I have the usual cisco certs, security certs and I'm a certified penetration tester. So if anyone is hiring I'd love the lead. |
Appreciate
0
|
06-28-2017, 02:26 PM | #18 | |
Brigadier General
5519
Rep 3,325
Posts |
Quote:
|
|
Appreciate
0
|
06-28-2017, 02:47 PM | #19 | |
Banned
329
Rep 1,739
Posts |
Quote:
One of our clients is headquartered in the Ukraine, and all of their computers have been encrypted. I'm no IT expert, but I think this still boils down to stupid people clicking on stupid things. |
|
Appreciate
0
|
06-28-2017, 02:56 PM | #20 | |
Long Time Admirer, First Time Owner
18454
Rep 9,428
Posts |
Quote:
So, really what you are saying is that if I get an email saying that's Joe's Pest Service has an invoice for $485.77 in my name, I shouldn't click on the link to see the bill that goes to some random website that doesn't even have the word "Joe" in it??? |
|
Appreciate
0
|
06-28-2017, 03:06 PM | #21 | |
Banned
329
Rep 1,739
Posts |
Quote:
Frankly, I just want to know who this "Joe" is. |
|
Appreciate
0
|
Post Reply |
Bookmarks |
Tags |
notpetya, petya, ransomware, virus |
|
|