Published on: 28 June 2017
The recent worldwide ransomware attack named "Petrwrap" is spreading wildly in Europe and has already affected many organisations, including governments and public utilities.
Similar to the "WannaCry" ransomware last month, this attack targets Windows-based computers and will propagate once a device is infected. From current information, Petrwrap spreads across the Internet through phishing emails or by exploiting the same Server Message Block (SMB) vulnerability as the WannaCry attack, and by leveraging legitimate Windows functions, including "Windows Management Instrumentation Command-line (WMIC)" and "PsExec", on patched systems on connected networks. The SMB vulnerability is fixed by the security patches released in Microsoft Security Bulletin MS17-010.
The relevant security updates shall be applied to all Windows-based computers as soon as possible, as advised in our previous alerts (A17-05-04 and A17-03-03). System administrators are also reminded to limit the use of WMIC and PsExec functions to authorised IT support staff only, considering that the usage of WMIC and PsExec requires domain administrator privileges. As the situation is still emerging, you are called upon to step up your actions to defend against the ransomware attacks and ensure that your computers are not affected. Please act immediately to:
(a) Ensure proper backups of your data are in place and performed regularly;
(b) Keep all backups offline and in safe custody to protect them from online attack or physical loss/theft;
(c) Check and keep the anti-malware program and signatures up-to-date;
(d) Apply the latest security patches released by Microsoft as soon as possible; and
(e) Refrain from opening any suspicious emails, attachments and hyperlinks.
In the unfortunate event of infection, please disconnect the infected PC(s) from your network immediately and report the case to HKCERT (Tel: 8105 6060, email: hkcert@hkcert.org).
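To support the reminder above to limit WMIC and PsExec to authorised IT support staff, the following added example (not part of the original alert) audits process-creation records for use of either tool by accounts outside an allowlist. It assumes Windows Security event 4688 records with command-line auditing enabled have been exported to CSV with the columns shown; the account names, hosts and log lines are constructed for illustration.

```python
import csv
import io
import ntpath
import re

# Hypothetical allowlist of authorised IT support accounts (lower case).
AUTHORISED = {r"corp\it-support1", r"corp\it-support2"}

# Executable names to audit, matched on the image file name only.
TOOLS = {"psexec.exe": "PsExec", "psexec64.exe": "PsExec", "wmic.exe": "WMIC"}

# A command line names another host via WMIC's /node: switch or a \\host argument.
REMOTE = re.compile(r"/node:|(?:^|\s)\\\\\w", re.IGNORECASE)

# Constructed sample export of process-creation events (not real log data).
SAMPLE_CSV = r"""time,host,account,image,command_line
2017-06-28T09:01:12,WS-014,CORP\it-support1,C:\Tools\PsExec.exe,psexec \\WS-020 -s cmd
2017-06-28T09:14:40,WS-031,CORP\jdoe,C:\Windows\System32\wbem\WMIC.exe,wmic /node:WS-032 process list brief
2017-06-28T09:15:02,WS-031,CORP\jdoe,C:\Users\jdoe\Downloads\PsExec64.exe,PsExec64.exe \\WS-033 ipconfig
2017-06-28T09:20:00,WS-040,CORP\asmith,C:\Windows\System32\notepad.exe,notepad.exe report.txt
2017-06-28T09:22:18,WS-040,CORP\asmith,C:\Windows\System32\wbem\WMIC.exe,wmic os get caption
"""


def audit(csv_text, authorised=AUTHORISED):
    """Return WMIC/PsExec launches made by accounts not on the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = TOOLS.get(ntpath.basename(row["image"]).lower())
        if tool is None or row["account"].lower() in authorised:
            continue
        findings.append({
            "time": row["time"],
            "host": row["host"],
            "account": row["account"],
            "tool": tool,
            # Remote use is the higher-priority finding: it reaches other hosts.
            "remote": bool(REMOTE.search(row["command_line"])),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        scope = "remote" if f["remote"] else "local"
        print(f'{f["time"]} {f["host"]} {f["account"]} {f["tool"]} ({scope})')
```

Matching on the executable name does not catch renamed copies of the tools, so treat this as a first-pass review rather than a complete control.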
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
https://securelist.com/schroedingers-Petrwrap/78870/