The ongoing Petrwrap ransomware attack, the second large-scale ransomware attack in just two months, has infected Windows computers around the world. It spreads using the same vulnerabilities exploited by the recent WannaCry attack, which made headlines around the world, but the primary method of initial infection is through email links and attachments. Once a user mistakenly clicks on the compromised link or opens the attachment, the infection begins. The malware waits between 10 and 60 minutes after initial infection to reboot the system and, once it reboots, it encrypts the hard drive of the system, rendering it useless to the user.
It then begins to spread throughout the network from the first infected computer using the common Windows file-sharing ports (139 and 445). It exploits a previously disclosed vulnerability in Windows (MS17-010), gains access to unpatched systems and repeats the same infection steps described above. It continues doing this to every system it can find on the network until none are left.
On top of locking the computer, this new breed of ransomware also attempts to extract the passwords of all users logged on to the system, most likely to maintain persistence in the corporate network. However, there are steps you can take to protect yourself and to prevent your network from becoming a victim in the future.
Here is what you can do to protect your network:
- Apply all OS and vendor security patches on all Windows systems. More specifically, we recommend that customers who have not yet installed security update MS17-010 do so now
- Ensure AV is running on all systems with the latest virus definitions in place
- Don’t open emails or attachments from anyone you do not know or do business with
- Don’t open emails or attachments that look odd and make you question their integrity (even from users you know)
As ongoing preventative maintenance, you should:
- Disable SMBv1 following the steps documented in Microsoft Knowledge Base Article 2696547, as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
- Employ a robust backup solution for all systems so they can be recovered in the event of a ransomware attack
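The SMBv1 and port-445 steps above can be audited and applied on a single host with the script below. It is an added example, not part of the original post or a Dunbar Cybersecurity tool; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where the SmbShare and NetSecurity modules exist), and it does not hard-code any hotfix IDs: pass the KB numbers from the MS17-010 bulletin for your OS version as a parameter. The firewall rule names and the `$RequiredHotfixIds` parameter are this example's own choices.

```powershell
# Added example: audit and harden one Windows host against the SMBv1 / MS17-010
# propagation path. Assumes an elevated session on Windows 8.1 / Server 2012 R2+.
#Requires -RunAsAdministrator

function Get-SmbExposure {
    # Reports the current SMBv1 state, the host firewall rule, and any missing hotfixes.
    # $RequiredHotfixIds is supplied by the caller from the MS17-010 bulletin (not hard-coded here).
    param([string[]]$RequiredHotfixIds = @())

    $server  = Get-SmbServerConfiguration
    $missing = @()
    if ($RequiredHotfixIds.Count -gt 0) {
        $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
        $missing   = $RequiredHotfixIds | Where-Object { $_ -notin $installed }
    }

    # mrxsmb10 is the SMBv1 client (redirector) driver; Start=4 means disabled.
    $clientStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                        -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1ClientEnabled = ($null -ne $clientStart -and $clientStart -ne 4)
        Inbound445Blocked = [bool](Get-NetFirewallRule -DisplayName 'Block inbound SMB (445)' `
                                       -ErrorAction SilentlyContinue)
        MissingHotfixes   = @($missing)
    }
}

function Disable-Smb1 {
    # Server side: the listener that MS17-010 exploitation targets.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Client side, per KB2696547: drop the SMBv1 redirector from the workstation
    # dependency list and stop the driver from loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # On Windows 10 / Server 2016 and later the component can be removed outright.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Host-level equivalent of the perimeter rule recommended above.
    # Only creates a rule if one with the same name does not already exist (idempotent).
    foreach ($port in 139, 445) {
        $name = "Block inbound SMB ($port)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# Usage: audit first, then harden, then re-audit. A reboot is required for the
# client-side driver change to take effect.
$before = Get-SmbExposure -RequiredHotfixIds @()   # pass your MS17-010 KB IDs here
$before | Format-List
if ($before.Smb1ServerEnabled -or $before.Smb1ClientEnabled) { Disable-Smb1 }
if (-not $before.Inbound445Blocked) { Block-InboundSmb }
Get-SmbExposure | Format-List
```

Do not run `Block-InboundSmb` on hosts that legitimately serve files (domain controllers, file servers): a block rule wins over allow rules in Windows Firewall, so those hosts need a narrower rule scoped with `-RemoteAddress` to the subnets that should reach them.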
Since the outbreak, Dunbar Cybersecurity’s IDS solution has been monitoring for any activity related to the exploits and vulnerabilities associated with Petrwrap. We have also been monitoring all outbound port 139/445 traffic and investigating every occurrence for immediate remediation, to stop the spread within the network in the event of an infection.
Feel free to contact Dunbar Cybersecurity experts at 844-552-7028 to learn more about how our services can protect your business against the growing number of threats to your digital assets.
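The outbound 139/445 monitoring described above can also be done on each endpoint, which is useful where no network IDS sees east-west traffic. The function below is an added example (not Dunbar's IDS logic or code): it takes a list of TCP connections and an allow-list of known file servers and returns the outbound SMB connections to anything else, with the owning process. The connection objects and the server list in the usage section are constructed sample data; the live call at the end uses the real `Get-NetTCPConnection` cmdlet.

```powershell
# Added example: flag outbound SMB connections to hosts that are not known file
# servers. Lateral SMB spread from a workstation shows up as a user-facing process
# (or an unexpected one) talking to many peers on 139/445.

function Find-UnexpectedSmbConnections {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,   # objects with RemoteAddress, RemotePort, OwningProcess
        [string[]] $KnownFileServers = @()                # IPs that are expected to serve SMB
    )
    $Connections |
        Where-Object { $_.RemotePort -in 139, 445 } |
        Where-Object { $_.RemoteAddress -notin $KnownFileServers } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningPid     = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            }
        }
}

# --- constructed sample data (not a real capture) ---
$sample = @(
    [pscustomobject]@{ RemoteAddress = '10.0.0.5';  RemotePort = 445; OwningProcess = 4 }   # known file server
    [pscustomobject]@{ RemoteAddress = '10.0.0.77'; RemotePort = 445; OwningProcess = 4 }   # peer workstation
    [pscustomobject]@{ RemoteAddress = '10.0.0.78'; RemotePort = 139; OwningProcess = 4 }   # peer workstation
    [pscustomobject]@{ RemoteAddress = '10.0.0.9';  RemotePort = 443; OwningProcess = 1234 } # not SMB, ignored
)
$knownServers = @('10.0.0.5')

# Expect the two peer-workstation rows; the file server and the HTTPS row are filtered out.
Find-UnexpectedSmbConnections -Connections $sample -KnownFileServers $knownServers | Format-Table

# Live check on this host; a workstation with more than a handful of such peers
# is worth isolating and investigating.
$live = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 139, 445 }
$hits = @(Find-UnexpectedSmbConnections -Connections @($live) -KnownFileServers $knownServers)
"Unexpected outbound SMB connections on $env:COMPUTERNAME: $($hits.Count)"
$hits | Format-Table
```

Running this on a schedule and shipping the result to a central log gives a cheap cross-check against the network IDS: the IDS sees the traffic, while this view names the process behind it.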