ADVISORY: New Petya ransomware exploits same vulnerability as WannaCry

Wednesday, June 28, 2017

This message is primarily intended for U-M IT staff who are responsible for university machines running Microsoft Windows.

Summary: 

There are reports in the news media of a new global ransomware attack called Petya. The Petya ransomware is similar to WannaCry in that it leverages the EternalBlue exploit that was made public in April; it also uses other mechanisms to spread. Also, be aware that there are phishing attacks that reference global cyber attacks. Currently, there is no indication of any Petya infections of U-M systems. Information Assurance (IA) continues to monitor the situation.

Microsoft released patches for its supported systems in March and for unsupported systems in May. Computers with those patches installed are not vulnerable to the spread of Petya. Do not open shared documents or email attachments unless you are expecting them and trust the person who sent them; ransomware is often delivered through malicious attachments and shared documents.

Problem: 

Although patches have been available since March, and the WannaCry outbreak in May called attention to the need to update Windows, it appears many companies and organizations worldwide have been unable to apply the patches and protect their systems. The new Petya ransomware outbreak takes advantage of this. See the References below for information about organizations victimized by this new attack. The ransomware demands an average payment of $300 in bitcoins.

Affected Systems: 
  • Microsoft Windows Vista, 7, 8.1, RT 8.1, 10
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
  • Microsoft Windows Server Core Installations 2008, 2008 R2, 2012, 2012 R2, 2016
  • Microsoft Windows; XP SP2/SP3, Embedded SP3, 8 RT
  • Microsoft Windows Server 2003 SP 2
Action Items: 

If you have not already done so, apply the patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

System administrators should, as appropriate for their IT environment, take these additional precautions:

  • Blacklist the execution of perfc.dat as well as the PSExec utility from Sysinternals Suite.
  • Block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point.
  • Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
  • Remove un-patchable hosts from the network.
Technical Details: 

Petya leverages the EternalBlue exploit that was made public in April by the Shadow Brokers and used by WannaCry to spread between systems on a network. EternalBlue utilizes a known SMB 1.0 vulnerability affecting most versions of Windows. Systems that have already had Microsoft’s MS17-010 security patch applied are not vulnerable to the EternalBlue exploit used by Petya.

Information for Users: 
  • Be especially vary of emails asking you to update or confirm your account or access details because of a cyber attack. Ransomware often spreads through such malicious email, email attachments, and shared documents. You can check for recent phishing emails received at U-M on the Safe Computing Phishing Alerts page.
  • In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.