NotPetya/SortaPetya/Petya Ransomware
Wednesday, 28 June 2017 10:00

Description:
A new variant of the Petya (Petwrap) ransomware is spreading rapidly using the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect Windows systems and servers worldwide. This ransomware uses the NSA EternalBlue exploit and also spreads within internal networks using WMIC and PsExec.

CVE Number:
CVE-2017-0143 ~ CVE-2017-0148, CVE-2017-0199

Systems Affected:
Unpatched (MS17-010) Windows XP/Vista/7/8/8.1/10 (1507, 1511, 1607), Server 2008/2008 R2/2012/2012 R2, and Windows RT. Patched Windows systems with PsExec and WMI remote access enabled.

Prevention:
1. Don't click on links, and don't open or save files and documents from any email, unless you have verified the source.
2. Apply the Microsoft patch for the MS17-010 SMBv1 vulnerability.
3. Disable the unsecured SMBv1 file-sharing protocol on Windows systems and servers.
4. Disable WMIC (Windows Management Instrumentation Command-line) where it is unused, and deny WMIC and PsExec remote access connections.
5. Keep a good back-up routine.
6. Keep your Anti-Virus up-to-date.

Remediation:
1. Petya ransomware encrypts the system after the computer reboots. If your system is infected with Petya ransomware and it tries to restart (the encryption process), do not power it back on. Power off your system immediately to prevent your files from being encrypted.
2. Use a LiveCD or external machine to recover files.

 