Facebook Google Plus Twitter LinkedIn YouTube RSS 菜单 搜索 资源 - 博客资源资源 - 网络研讨会资源资源 - 报告资源资源 - 活动icons_066 icons_067icons_068icons_069icons_070

Petya/NotPetya Ransomware Detection for the Modern Enterprise

A new version of the Petya malware is spreading globally, including the European Union, Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.

Background

Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The initial infection vector for this campaign appears to be a poisoned update for the MeDoc software suite, a tax software package used by many Ukrainian organizations. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.

Note: The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.

Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.

How Tenable can help

Patch vulnerabilities

Tenable customers should immediately patch systems vulnerable to MS17-010 if you haven’t already done so. Tenable.io™ Vulnerability Management has the following four plugins, released earlier this year, to detect vulnerable systems:

Plugin ID Plugin Title/Comments Exploits

97737

MS17-010: Security Update for Microsoft Windows SMB Server (4013389)

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY

WannaCry

EternalRocks

97833

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) uncredentialed check

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY WannaCry

EternalRocks

Malware scan

Tenable customers can use the Malware Scan Policy in Tenable.io™ or SecurityCenter™ to detect machines infected with Petya, and the results will be reported under plugin 59275:

Plugin 59275 output

YARA detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using YARA Nessus plugin.

Here’s a sample rule from Kaspersky which can be used with Nessus to detect the Petya malware :

Sample YARA rule for Nessus to detect Petya

Dashboards

The Petya dashboard uses all the available methods mentioned above to consolidate the data for easy understanding of the systems most likely affected or at risk from the malware. The components bring in netstats from Nessus and the Nessus Network Monitor, and also display the content related to missing patches associated with SMB vulnerabilities.

Wrap-up

Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

Many thanks to the Tenable research team for their contributions to this blog.

Updated June 28, 2017. Initial research suggested that CVE-2017-0199 was a potential infection vector; we are doing additional research into that issue.

订阅 Tenable 博客

订阅
免费试用 立即购买

选择 Tenable.io

免费试用 60 天

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即注册并在 60 秒内运行第一次扫描。

立即购买 Tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65资产
免费试用 立即购买

免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年许可证,为您节省更多

免费试用 立即购买

试用 Tenable.io Web Application Scanning

免费试用 60 天

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册并在 60 秒内运行第一次扫描。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 FQDN
免费试用 联系销售人员

试用 Tenable.io Container Security

免费试用 60 天

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器镜像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器镜像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

了解有关 Industrial Security 的详情