Petya - the latest wave

27 June 2017

A new wave of the combined Petya and Mischa ransomware variation, also known as ‘Goldeneye’, has been affecting a significant number of organisations across a wide range of industries since Tuesday 27 June. Many victims have already been observed, including multiple entities within Ukraine, Spain, the Netherlands and the UK. This is reminiscent of the May 2017 WannaCry outbreak, which also had worldwide reach, compromising a similarly broad range of organisations at speed.

Petya is known for its unusual encryption method, which encrypts at a lower level than individual files and prevents the machine from booting. Petya and Mischa work in tandem: if the Petya component cannot obtain administrator privileges, encryption can still take place using the more typical ransomware approach of encrypting individual files.

Our earlier advice in response to the WannaCry attack continues to apply to this new wave, despite differences in the technical elements of the ransomware.

PwC WannaCry advice can be found here: http://bit.ly/2qdgWau

PwC never recommends paying a ransom - unless there is a threat to life. Doing so fuels the ransomware economy, funding development of additional ransomware techniques and campaigns.

For any enquiries on how to best prevent or address ransomware or other cyber-attacks, please contact: breachaid@uk.pwc.com

We have released a report to PwC customers containing more technical detail and recommendations about this ransomware. Please feel free to email us at threatintelligence@uk.pwc.com and we will be happy to send you a copy.

------------------------

Ransomware is an increasingly prevalent threat, with a rising number of variants designed to target corporate networks. In spite of this, there are many pragmatic steps which organisations can take to reduce the likelihood of incidents, to limit their impact when one does occur, and to recover swiftly and effectively. These span several aspects of IT operations and security, and primarily relate to:

  • Robust business continuity planning and exercising, and the ability to restore systems rapidly from backups;
  • Crisis and incident response planning and exercising, to ensure incidents are managed and resolved swiftly;
  • Strong security hygiene policies and user awareness, so that both technical controls and vigilant employees prevent ransomware from entering your IT environment; and
  • Rigorous patch and vulnerability management, ensuring you make effective use of work already done to address vulnerabilities.

Priority recommendations for management and IT colleagues to consider, subject to also considering the operational impacts of making these changes, are:

  • Provide your desktop and server IT operations teams with all the support they need to rapidly deploy Microsoft’s April and May security updates, along with MS17-010;
  • Accept that addressing issues may require temporary disruption to some IT services as additional controls are implemented and vulnerable services disabled. For example, disabling the SMBv1 protocol and the ability to execute unsigned macros in Office documents, and enabling two factor authentication for all external access to systems (e.g. VPN and RDP).
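As an added example, not part of PwC's advisory, the following PowerShell script audits and, with -Enforce, applies two of the controls named above on a single Windows 8.1 / Server 2012 R2 or later host: it turns off the SMBv1 server protocol and sets the Office macro policy so that only digitally signed macros run. The Office version list and the choice of VBAWarnings value 3 (disable all except digitally signed) are assumptions to adapt to your estate; two-factor authentication for VPN and RDP depends on the access product and is not covered.

```powershell
# Added example: audit (and optionally enforce) SMBv1 and Office macro hardening.
# Run in an elevated session. Needs the SmbShare module (Windows 8.1 / Server 2012 R2+).
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$findings = @()

# 1. SMBv1 server-side protocol, the transport abused by the MS17-010 exploits.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += 'SMBv1 server protocol disabled'
    }
} else {
    $findings += 'SMBv1 server protocol is disabled'
}

# 2. Office macro policy. VBAWarnings = 3 blocks every macro that is not digitally signed.
# The policy key lives under HKCU, so this affects the current user only; at scale the same
# value should be pushed with Group Policy. Version list is an assumption (16.0 = Office 2016+).
$officeVersions = @('16.0', '15.0')
$apps = @('Word', 'Excel', 'PowerPoint')
$desired = 3
foreach ($ver in $officeVersions) {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        $current = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($current -eq $desired) {
            $findings += "$app $ver : unsigned macros already blocked (VBAWarnings=$current)"
            continue
        }
        $shown = if ($null -eq $current) { 'unset' } else { $current }
        $findings += "$app $ver : unsigned macros NOT blocked (VBAWarnings=$shown)"
        if ($Enforce) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $desired -Type DWord
            $findings += "$app $ver : VBAWarnings set to $desired"
        }
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it once without -Enforce to see the current state, then with -Enforce after the operational impact of dropping SMBv1 (older printers, NAS devices, legacy clients) has been assessed.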