On Jun. 27th, 2017, The Petya ransomware is receiving worldwide attention by attacking the governments, banks, electrical systems, communication systems, enterprises, and airports in several countries.
The attacking virus is the Petya ransomware variant, which spreads through combinations of the email, downloader and the worm. It exploits a vulnerability (CVE-2017-0199) through the RTF attachment in the emails. By releasing the downloader to obtain the host virus, it can form the initial nodes. After that, the virus spreads via the MS17-010 (EternalBlue) exploit and weak system passwords.
When the infection is done, it will encrypt the files with specific suffix, modify the MBR, add task schedules, and shut down the computer after waiting for a while. When the users restart their computers, the extortion information will be shown, asking the users to pay the bitcoin valued 300USD as the ransom.
The Hillstone anti-ransomware solutions offer you the real-time multilayered protection
In the phase of investigation and vulnerability exploitation:
- Intrusion Prevention System (IPS) – The Hillstone network intrusion prevention system is equipped with feature detection for MS17-010. You can detect and defend the malicious traffic by enabling 1905385, 1905387, 1905388, 1905389, 1905390 rules.
In the phase of virus delivery:
- Anti-Virus – The Hillstone anti-virus signature library includes the Petya signature. Users can turn on the anti-virus function, especially the email protocol filter, and update the latest anti-virus signature library for detection and defense.
- Cloud Sandbox – The Hillstone Cloud Sandbox can detect Petya and its variants. Users can detect the Petya and its variants by enabling Cloud Sandbox function.
In additional to the protection methods mentioned above, user should also conduct these security measures:
- Be cautious about the phishing emails: Do not open email with unknown attachment, or unknown links without confirming their legality and authenticity.
- Strengthen user passwords: Eliminate null passwords or weak passwords in your systems and always use high-strength passwords instead.
In summary, Hillstone Networks’ layered threat protection continuously monitor and track Petya ransomware and its variants, and provide effective defense against it using different protection mechanisms including blocking the EternalBlue vulnerability (MS17-010) using IPS rules, interdict the ransomware downloads using anti-virus and Sandbox on premises and in the cloud.