Petya Ransomware outbreak; Trend Micro shares an approach for enterprises to tackle it

An increasing number of companies across Europe, Ukraine, Russia, and the US are falling victim to another cyber attack after the outbreak of recent WannaCry ransomware attack. This large-scale ransomware attack is reported to be caused by a variant of the Petya ransomware and is currently hitting various users. The ransomware is known to use both the EternalBlue exploit and the PsExec tool as infection vectors and is detected as RANSOM_PETYA.SMA by Trend Micro.

“Similar to WannaCry ransomware, the Petya ransomware exploits SMB vulnerability, passing through SMB protocol, and exploits vulnerability which lies in Microsoft Operating System. To prevent the ransomware attack, firstly, companies should have proper segmentation of their network, most companies have horizontal network and there is no proper segmentation of network because of which the exploitation spreads very fast. The critical network and server should be properly segmented so that the penetration does not go beyond the segmentation of the network. Second thing is that companies must deploy host based intrusion firewall. They must enable firewall rule so that they can block the traffic coming from unknown sources. They also should make sure they patch the systems immediately,” said Mr. Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

He further added, “Companies who have been impacted should segment their infected areas from the rest of the network, so that it doesn’t propagate further. The problem is that, these kinds of ransomware attacks keep on coming and you cannot keep on patching the moment the attack comes in. Our advice to the companies is to make sure that they have a proactive mechanism of protecting from the vulnerability and to deploy Trend Micro Deep Security which works in the same direction. Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen security. Also, our technical support representatives are constantly available to resolve customer queries and we are conducting webinars to create awareness among companies and individuals.”

Trend Micro discovered that this Petya variant uses an advanced method to extract information from the infected system. Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. Petya cleverly uses legitimate Windows processes PsExec and Windows Management Information Command-line (WMIC), which is an interface that simplifies the use of Windows Management Instrumentation (WMI).