Just a few quick words on the Petya ransomware as I am sure you have heard enough noise about it:
- We still believe that it initially enters the network via a phishing email, SO CLEAN YOUR EMAIL WITH CDR
- Do NOT pay the ransom: you are unlikely to reach the attackers, since their email accounts have been suspended
- Even if you are patched against the EternalBlue exploit (MS17-010), there is still a likelihood of lateral propagation, because it uses WMIC and PSEXEC to worm through the network. You need to hunt down this malware immediately.
- The malware looks for the presence of a specific file called “C:\Windows\Perfc” and terminates if it exists. So it may be a good idea (for now) to create a dummy file with that name as a short-term protection, at least until it morphs into something else.
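An added PowerShell example (mine, not the author's) that puts the last two points into practice: it creates the kill-switch file at the path the post gives and marks it read-only, then searches recent process-creation audit events (Security event ID 4688) for wmic.exe, psexec.exe or its service binary PSEXESVC.exe. It assumes process-creation auditing is enabled on the host and that the path is exactly C:\Windows\Perfc as stated above.

```powershell
# Added example, not part of the original post. Run in an elevated session.
# Assumes the kill-switch path exactly as the post states it (C:\Windows\Perfc)
# and that "Audit Process Creation" is enabled so 4688 events exist.

function New-PerfcKillSwitch {
    param([string]$Path = 'C:\Windows\Perfc')
    if (Test-Path -LiteralPath $Path) {
        Write-Output "Kill-switch file already present: $Path"
    } else {
        # Create an empty file with that name; the malware only checks existence.
        New-Item -ItemType File -Path $Path -Force | Out-Null
        Write-Output "Created kill-switch file: $Path"
    }
    # Mark it read-only so a casual delete or overwrite fails.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $Path | Select-Object FullName, Length, IsReadOnly
}

function Find-LateralMovementTools {
    param([int]$Hours = 24)
    # Hunt for recently created wmic.exe / psexec.exe / PSEXESVC.exe processes,
    # the lateral-movement mechanism the post describes. Legitimate admin use
    # will also show up, so review each hit rather than treating it as proof.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\(wmic|psexec|psexesvc)\.exe' } |
        ForEach-Object {
            $proc   = [regex]::Match($_.Message, 'New Process Name:\s+(\S.*)').Groups[1].Value.Trim()
            $parent = [regex]::Match($_.Message, 'Creator Process Name:\s+(\S.*)').Groups[1].Value.Trim()
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $proc
                Parent  = $parent   # empty on older Windows builds that omit this field
            }
        }
}

New-PerfcKillSwitch
Find-LateralMovementTools -Hours 24 | Format-Table -AutoSize
```

The hunt function reports only local events; run it across hosts (for example via remoting) or point the same filter at your SIEM to see propagation network-wide.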