
Quick Protection from Petya

June 30, 2017

Just a few quick words on the Petya ransomware, since you have surely heard enough noise about it already:

  • We still believe that it initially enters the network via a phishing email, SO CLEAN YOUR EMAIL WITH CDR
  • Do NOT pay the ransom. You are very unlikely to reach the attacker, because the email account named in the ransom note has been suspended by the provider, so there is no channel through which a decryption key could be delivered even if one existed.
  • Even if you are patched against the EternalBlue exploit (MS17-010), lateral propagation is still likely: the malware also worms through the network with legitimate administration tools, WMIC and PsExec, using credentials it harvests on the infected host. Patching alone does not stop it, so you need to hunt down this malware immediately.
  • The malware checks for a specific file, C:\Windows\perfc (no extension), and terminates if it exists. So it may be a good idea (for now) to create a dummy file with exactly that name, and mark it read-only so it is not casually removed, as a short-term protection. Of course, this only holds until it morphs into something that checks a different name.
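The following PowerShell is an added example, not code from the original post: it creates the kill-switch file named above, marks it read-only, and reports whether the protection is in place so it can be verified (or rolled out over WinRM) across a fleet. It assumes it is run as a local Administrator, that the file name is the one quoted in the post (perfc under the system root, no extension), and that any remote hosts already accept PowerShell remoting; the function names are this example's own.

```powershell
# Added example (not from the original post): "vaccinate" a host against
# the Petya/NotPetya sample that exits when C:\Windows\perfc exists.
# Assumptions: run elevated; the kill-switch path is the one the post
# quotes (no extension); remoting is already enabled on target hosts.

function New-PetyaVaccineFile {
    # Defaults are evaluated on the machine where the function runs,
    # so the same function body can be shipped to remote hosts.
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))

    if (-not (Test-Path -LiteralPath $Path)) {
        # A zero-byte file is enough: the malware only tests for existence.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Read-only so the file is not deleted or overwritten by accident.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $Path
}

function Test-PetyaVaccineFile {
    # Returns one object per host so results can be tabulated or alerted on.
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))

    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Exists       = [bool]$item
        ReadOnly     = if ($item) { $item.IsReadOnly } else { $false }
    }
}

function Invoke-PetyaVaccineRemote {
    # Push the vaccine to a list of hosts over WinRM and collect the check.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:New-PetyaVaccineFile} | Out-Null
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Test-PetyaVaccineFile} |
        Select-Object ComputerName, Exists, ReadOnly
}

# Local run: create the file, then show the verification result.
New-PetyaVaccineFile | Out-Null
Test-PetyaVaccineFile | Format-List

# Fleet run (hypothetical host names):
# Invoke-PetyaVaccineRemote -ComputerName 'WS01', 'WS02', 'FS01' | Format-Table
```

Verify with Test-PetyaVaccineFile after a reboot or a Group Policy refresh, since anything that cleans or rebuilds the Windows directory can remove the file; and remember this is a stopgap for one sample's kill switch, not a substitute for removing the malware and the harvested credentials it used to spread.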